Researcher finds SSRF bug in internal Google Cloud project, nabs $10,000 bounty

guest · Nov 19, 2021

Researcher finds SSRF bug in internal Google Cloud project, nabs $10,000 bounty
Now-patched API vulnerability allowed attacker to access sensitive resources
November 19, 2021
https://portswigger.net/daily-swig/...ernal-google-cloud-project-nabs-10-000-bounty

A URL parsing bug left an internal Google Cloud project open to server-side request forgery (SSRF) attacks, security researcher David Schütz has found.

Now fixed, the bug, which Schütz has documented in a comprehensive video and blog post, could have allowed an attacker to access sensitive resources and possibly run malicious code.
Click to expand...

Leaking access token
Schütz found the bug while doing research on Discovery Documents, data structures that provide specifications for Google API services. While exploring the Discovery Documents, Schütz stumbled on an interesting service called Jobs API, whose name suggested it was an internal service.

“In this particular bug, the core issue was a URL parsing bug, which lead to the SSRF,” Schütz told The Daily Swig.
Last year, Schütz had found a similar bug in a Google JavaScript library that was used in many Google services.
Click to expand...

Schütz was rewarded a $4,133 bounty by the Google Vulnerability Rewards Program for the discovery.

After the bug was fixed, he had another shot at the proxy and saw that although the original exploit no longer worked, the URL parser could still be bypassed through another scheme. Reporting this new bug got him another $3,133 in double bounty.
He later got a further $3,133 by discovering and reporting that old versions of the proxy application were still up and running.
Click to expand...

URL whitelist bypass in https://cxl-services.appspot.com

Access Token for internal GCP project “cxl-services” (with scopes "https://www.googleapis.com/auth/dispatcher, https://www.googleapis.com/auth/jobs and https://www.googleapis.com/auth/cloud-platform") can be leaked using a URL whitelist bypass on https://cxl-services.appspot.com/proxy. This token could be used to elevate privileges in other internal projects, access some internal Compute instances and possibly take full control over cxl-services.appspot.com.
Click to expand...

Log in or Sign up

Researcher finds SSRF bug in internal Google Cloud project, nabs $10,000 bounty

guest Guest

Log in or Sign up

Researcher finds SSRF bug in internal Google Cloud project, nabs $10,000 bounty

guest Guest

Useful Searches