Callback-url-file-3a-2f-2f-2fhome-2f-2a-2f.aws-2fcredentials File
After the user approves the login, the authorization server would normally redirect the browser to the callback the client registered, typically http://localhost:PORT/callback for a native-app loopback flow.
Instead, because the callback parameter is attacker-controlled, it redirects to:
file:///home/<user>/.aws/credentials
If you searched for "callback-url-file-3A-2F-2F-2Fhome-2F-2A-2F.aws-2Fcredentials" and found it in an access log but nowhere in your source code, someone probed you: the string is an attacker-supplied callback parameter, not anything your application emits.
Check your access logs. Check your SSRF filters, and check whether the HTTP client that performs the callback follows redirects to other schemes or hosts. And for the love of Bezos, don’t let your servers read local files via callback URLs.
Have you seen similar file:// callback attempts in the wild? Share your war stories in the comments below.
The string is a Server-Side Request Forgery (SSRF) payload that abuses the file:// scheme to read a local file (the effect is the same as a Local File Inclusion), aimed at the AWS credentials file. The encoded form file-3A-2F-2F-2Fhome-2F-2A-2F.aws-2Fcredentials is ordinary percent-encoding with each % replaced by a hyphen (-3A is ':', -2F is '/', -2A is '*'), so it decodes to file:///home/*/.aws/credentials.
This is a standard probe used to demonstrate that an application fetches whatever URL it is handed, local files included.
The write-up below, aimed at a technical audience, explains the vulnerability and how to close it.
Security Alert: Preventing AWS Credential Leakage via SSRF/LFI
I’ve been looking into how common "callback URL" parameters can be weaponized to exfiltrate sensitive cloud credentials. A common payload I'm seeing in logs looks like this: ?callbackUrl=file:///home/*/.aws/credentials
🔍 What is happening?
Attackers use the file:// protocol to trick an application into reading local files instead of fetching a remote URL. If the application process has enough permissions, it may return the contents of the AWS credentials file, exposing:
Access Key IDs
Secret Access Keys
Session Tokens
🛡️ How to Protect Your Infrastructure
Validate Protocol Schemes: Only allow https:// (and http://localhost for loopback development callbacks) for callback URLs. Explicitly block file:// and every other scheme (gopher://, ftp://, dict://, and so on); an allowlist of schemes beats a blocklist.
Use an Allowlist: Don’t just "sanitize" input. Only permit callbacks to a strict list of pre-approved domains, and make sure the HTTP client that performs the callback does not follow redirects to hosts or schemes outside that list.
Enforce IMDSv2: If you are on EC2, enforce Instance Metadata Service Version 2 (IMDSv2). It requires a session token obtained with a PUT request, making it much harder for SSRF to steal instance credentials.
Least Privilege: Ensure your application's IAM role has the absolute minimum permissions required, and never run web servers as the root user; the web process should not be able to read other users' home directories at all.
💡 Pro-Tip for Researchers
If you are testing this in a bug bounty program, always use a Canary Token or a benign file like /etc/hostname first to prove the vulnerability without touching sensitive production secrets.
#CyberSecurity #AWS #CloudSecurity #AppSec #BugBounty #SSRF
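The hardening steps above, as an added example in Python (not code from the post or from any project it mentions): the unsafe sink that honors whatever scheme it is handed, beside a validator that enforces a scheme and host allowlist. The names fetch_callback_unsafe, validate_callback, decision, CALLBACK_ALLOWLIST and the fake credentials file the demo writes are assumptions for illustration; urllib.request is standard library and, as the demo shows, opens file:// URLs without complaint.

```python
"""Callback URL handling: the unsafe fetch beside a hardened validator.

Added example; this is not code from the original post. The function names,
the allowlist contents and the fake credentials file are assumptions made
for illustration. Runs on Linux/macOS (file:// paths).
"""
import os
import tempfile
import urllib.request
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this service will ever call back.
CALLBACK_ALLOWLIST = {"app.example.com", "localhost", "127.0.0.1"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def fetch_callback_unsafe(callback_url: str) -> bytes:
    """The vulnerable pattern: the caller-supplied scheme is honored as-is.

    urllib.request.urlopen ships a file:// handler, so a callback of
    file:///home/<user>/.aws/credentials returns the file's bytes instead
    of contacting an HTTP endpoint. Shown only to demonstrate the sink.
    """
    with urllib.request.urlopen(callback_url) as resp:
        return resp.read()


def validate_callback(callback_url: str) -> str:
    """Hardened check: scheme allowlist, host allowlist, no userinfo.

    Returns the URL unchanged on success, raises ValueError otherwise.
    This validates the string only; the HTTP client used afterwards must
    also refuse redirects to hosts outside the allowlist, or an allowlisted
    host answering 302 to an internal address walks around the check.
    """
    parts = urlsplit(callback_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in callback URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("callback URL has no host")
    if host not in CALLBACK_ALLOWLIST:
        # Also covers 169.254.169.254 (IMDS) and any other internal address:
        # if it is not on the list, it is never contacted.
        raise ValueError(f"host not in allowlist: {host!r}")
    if parts.scheme == "http" and host not in LOOPBACK_HOSTS:
        raise ValueError("plain http is only allowed for loopback callbacks")
    return callback_url


def decision(callback_url: str) -> str:
    """Human-readable verdict for a candidate callback URL."""
    try:
        validate_callback(callback_url)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demonstrate_leak() -> bytes:
    """Write a constructed, fake credentials file and read it back through
    the unsafe sink via a file:// URL, exactly as the probe intends."""
    fd, path = tempfile.mkstemp(prefix="fake-aws-credentials-")
    with os.fdopen(fd, "w") as fh:
        fh.write("[default]\naws_access_key_id = AKIAFAKEFAKEFAKEFAKE\n"
                 "aws_secret_access_key = not-a-real-secret\n")
    try:
        return fetch_callback_unsafe("file://" + path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demonstrate_leak().decode())
    for url in ("file:///home/*/.aws/credentials",
                "http://169.254.169.254/latest/meta-data/",
                "https://user@app.example.com/cb",
                "http://localhost:8080/callback",
                "https://app.example.com/cb"):
        print(f"{url} -> {decision(url)}")
```

Run it and the first thing printed is the constructed fake credentials file, read back through the unsafe sink, which is exactly what the probe is after; the verdicts that follow show the validator rejecting the file:// payload, the metadata address and a URL carrying userinfo while accepting the two allowlisted callbacks.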
Imagine you run a concierge service. You tell the concierge, "Anyone who brings a valid ticket can ask you to read any document."
An attacker hands over a ticket that says: "Read the file at /home/*/.aws/credentials."
If your concierge does it, they just handed over the keys to your castle.
The file:// callback is that malicious ticket: the application checked that a ticket was present, not what it asked for.
Feature name:
Local File URI Callback for Credential Delivery
Callback URL format:
callback-url-file:///home/*/.aws/credentials
Purpose (as such a callback would be pitched):
Securely deliver temporary AWS credentials (or other tokens) from a web auth flow directly into a local credentials file on disk, using a file-based callback instead of an HTTP local server.
Why this is not a real feature: no OAuth or device-code flow works this way. Browsers refuse to follow an HTTP redirect to a file:// URI, and a server-side HTTP client that does honor file:// reads the target rather than writing to it. A callback of this shape in your logs is a probe for a local file read, not a credential-delivery mechanism.
First, decode the string. The hyphen-separated pairs are percent-escapes with the % swapped for a hyphen: -3A is ':', -2F is '/', -2A is '*'.
Full decoded value: file:///home/*/.aws/credentials
This is a file URI targeting the default location of AWS credentials on Linux/macOS systems (~/.aws/credentials, the file the AWS CLI and SDKs read). The wildcard (*) suggests the attacker is hoping to hit any user's home directory without knowing the account name. Note that a file URI does not glob: the * only expands if the consuming code passes the path through a shell, glob(), or similar, so the string is more reliable as a fingerprint for triage than as a guaranteed exploit.
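The decoding above and the "check your access logs" advice earlier on the page, as one added Python example (not code from the original page): a decoder for the hyphen-escaped spelling, plus a scan that pulls the callback parameter out of each request line and flags any whose decoded value carries a non-http(s) scheme, so both the %-encoded and the hyphen-encoded spelling of the same probe are caught. The log lines are constructed in combined-log style for illustration; the parameter name callbackUrl follows the page, while the helper names and the list of suspicious schemes are assumptions.

```python
"""Decode the hyphen-escaped callback string and flag file:// probes in access logs.

Added example; not code from the original page. The log lines below are
constructed (combined-log style) for illustration, the parameter name
callbackUrl follows the page, and the helper names are assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# '-3A', '-2F', ...: percent-encoding with '%' replaced by '-', as in the
# slug on this page. Only applied when the string looks like that form,
# since a real URL may legitimately contain '-' followed by two hex digits.
HYPHEN_ESCAPE = re.compile(r"-([0-9A-Fa-f]{2})")
LOOKS_HYPHEN_ENCODED = re.compile(r"-(3A|2F)", re.I)

# Schemes that make sense only to an attacker inside a callback parameter.
SUSPICIOUS_SCHEME = re.compile(r"\b(file|gopher|dict|ftp|ldap|jar)://", re.I)

# Request line inside a combined-log entry: "GET /path?query HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_hyphen_encoded(s: str) -> str:
    """'file-3A-2F-2F-2Fhome-2F-2A-2F.aws-2Fcredentials' -> 'file:///home/*/.aws/credentials'."""
    if not LOOKS_HYPHEN_ENCODED.search(s):
        return s
    return unquote(HYPHEN_ESCAPE.sub(lambda m: "%" + m.group(1), s))


def find_probes(log_text: str, param: str = "callbackUrl") -> list[dict]:
    """One record per request whose callback parameter carries a suspicious scheme.

    parse_qs already undoes normal %-encoding; the hyphen form is undone on
    top of that so both spellings of the same probe are caught.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        src_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = decode_hyphen_encoded(raw)
            sm = SUSPICIOUS_SCHEME.search(decoded)
            if sm:
                hits.append({
                    "src": src_ip,
                    "scheme": sm.group(1).lower(),
                    "callback": decoded[sm.start():],
                    "raw": raw,
                })
    return hits


# Constructed sample log (not real traffic). Line 2 uses normal %-encoding,
# line 3 the hyphen-encoded spelling from this page; both are the same probe.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /login?callbackUrl=http%3A%2F%2Flocalhost%3A8080%2Fcallback HTTP/1.1" 302 0
203.0.113.9 - - [12/Mar/2024:10:01:07 +0000] "GET /login?callbackUrl=file%3A%2F%2F%2Fhome%2F*%2F.aws%2Fcredentials HTTP/1.1" 302 0
203.0.113.9 - - [12/Mar/2024:10:01:09 +0000] "GET /login?callbackUrl=callback-url-file-3A-2F-2F-2Fhome-2F-2A-2F.aws-2Fcredentials HTTP/1.1" 302 0
198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /login?callbackUrl=https%3A%2F%2Fapp.example.com%2Fcb HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f'{hit["src"]} probed with {hit["scheme"]}:// -> {hit["callback"]}')
```

Both records come back against 203.0.113.9 with the same decoded callback, which is the point: match on the decoded scheme, not on one particular encoding of the string, or the hyphen-escaped variant slips past a filter that only knows %2F.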