Tool-Induced SSRF & Local Resource
T11 · Agentic & Orchestrator Exploitation

This is the highest-risk technique (275) because it turns the agent's most common tool — a fetch/navigate/HTTP primitive — into a server-side request forgery and local-file-read engine. ssh/id_rsa`, `/proc/self/environ`) or points the tool at internal-only addresses — most critically the cloud metadata endpoint `169.254.169.254`, which returns IAM credentials to anything that asks. The agent runs from a network position and with filesystem access that an external attacker lacks, so SSRF through the agent reaches resources the perimeter is supposed to protect.
- Block and alert on non-HTTP(S) schemes (file://, gopher://, etc.) reaching fetch/navigate tools
- Deny and alarm on any agent request to 169.254.169.254 / link-local metadata addresses
- Flag agent requests to loopback, RFC1918, and other internal/non-routable destinations
- Alert on access to sensitive paths (/etc/passwd, /etc/shadow, ~/.ssh, /proc/self/environ, log files) via any tool
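
The four checks above can sit in front of a fetch/navigate tool as one URL guard. The sketch below is an added example, not code from this catalogue; the `findings` function, its rule labels, the `resolve` hook and the sample DNS table are assumptions made up for illustration.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

SENSITIVE = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/proc/self/environ")

# Constructed sample data: hypothetical DNS answers, so the example runs offline.
SAMPLE_DNS = {"docs.example.com": ["93.184.216.34"],
              "wiki.corp.example": ["10.0.0.5"]}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

def _to_ip(host):
    """Parse an IP literal; return None when host is a name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            # Normalise legacy numeric spellings the OS resolver also accepts.
            ip = ipaddress.ip_address(socket.inet_aton(host))
        except (OSError, ValueError):
            return None
    # Treat an IPv4-mapped IPv6 address as the IPv4 address it carries.
    return getattr(ip, "ipv4_mapped", None) or ip

def findings(url, resolve=sample_resolve):
    """Return the rules a tool URL trips; an empty list means allow.

    resolve(hostname) -> list of address strings (hypothetical hook).
    """
    parts = urlsplit(url)
    hits = []
    if parts.scheme.lower() not in ("http", "https"):
        hits.append("block:scheme")
    if any(s in unquote(parts.path) for s in SENSITIVE):
        hits.append("alert:sensitive-path")
    host = parts.hostname or ""
    literal = _to_ip(host)
    if literal is not None:
        ips = [literal]
    else:
        ips = [ip for ip in map(_to_ip, resolve(host)) if ip is not None]
    if any(ip.is_link_local for ip in ips):      # covers 169.254.169.254
        hits.append("deny:metadata-link-local")
    elif any(not ip.is_global for ip in ips):    # loopback, RFC1918, reserved
        hits.append("flag:internal")
    return hits
```

Apply the same check to every redirect hop, and connect to the address that was checked rather than resolving the name a second time.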
Tool-induced SSRF is a top-tier entry and escalation primitive: it is reached via T1 prompt injection or T11-AT-001 browser hijacking (the navigation primitive is the same), and it directly produces the inputs for T11-AT-008 (metadata IAM creds, SSH keys, env secrets) and T11-AT-011 (exfiltration of the files it reads). Stolen metadata credentials feed T11-AT-010 lateral movement across the cloud account, and internal-endpoint access (T11-AP-016E/T11-AP-016G) seeds further pivoting.