SSRF vulnerability in AppSheet - Google VRP ($6267.4)

We discussed this vulnerability during Episode 107 on 13 December 2021

Server-Side Request Forgery (SSRF) in AppSheet, a "no-code" application generator acquired by Google. One of its features is that a webhook can be executed in response to supported events. The SSRF was simply a matter of using this feature to hit the metadata service.

The author did include a bit of research into changing the request method from the POST/DELETE/PATCH options offered by the application to the GET request the metadata service expects, but this step was not necessary, as the metadata service would have responded regardless of the method.

This was fixed by blocking access to the older metadata service deployment, which could be reached without a security header, and by blocking the Metadata-Flavor header from being added as a custom header on the webhook. Since the X-Google-Metadata-Request header could still be added, the author bypassed this fix.
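As an added example (not code from the write-up, AppSheet or Google), the header-only denylist described above beside a check that also evaluates the webhook destination; the two header names come from the write-up, while the metadata hostnames and link-local range are assumptions about the GCE metadata service.

```python
"""Outbound webhook policy check (constructed example, not AppSheet code).

Shows why denying only Metadata-Flavor is bypassable: the GCE metadata
server also honours X-Google-Metadata-Request, header names compare
case-insensitively, and the destination itself is what should be blocked.
"""
import ipaddress
from urllib.parse import urlsplit

# Both header names the metadata server accepts as its "security header".
METADATA_HEADERS = {"metadata-flavor", "x-google-metadata-request"}
# Assumed hostnames and link-local range used by the GCE metadata service.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def weak_header_check(headers: dict) -> bool:
    """The fix as described: deny only the literal Metadata-Flavor header.
    Returns True when the webhook would be allowed."""
    return "Metadata-Flavor" not in headers


def _is_metadata_destination(url: str) -> bool:
    """True if the URL's host is a known metadata hostname or link-local IP."""
    host = (urlsplit(url).hostname or "").lower()
    if host in METADATA_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host) in LINK_LOCAL
    except ValueError:
        # Not a literal IP; a real deployment must also resolve the name
        # and re-check the resolved address (and the redirect chain).
        return False


def hardened_check(url: str, headers: dict) -> bool:
    """Allow the webhook only if it targets neither the metadata endpoint
    nor carries either metadata header (compared case-insensitively)."""
    if _is_metadata_destination(url):
        return False
    return not (METADATA_HEADERS & {name.lower() for name in headers})
```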