SSRF in Internal Google Service (and two fix bypasses) ($10401 USD)
URL validation vulnerabilities leading to server side request forgery (SSRF) on an internal Google endpoint. The original whitelist bypass was to use a \@ in the domain:

https://[your_domain]\@jobs.googleapis.com

In this case the validation will think the request will go to jobs.googleapis.com, but the actual request library will send it to [your_domain]. This got the author a $4333.70 bounty.
The first fix to this was bypassed by including any content between the \ and the @, such as:

https://[your_domain]\anything@jobs.googleapis.com/

This would be parsed the same way, so blocking only the \@ was not sufficient. This bypass alone was rewarded an additional $3,333.70.
Finally, once that bypass was fixed on the default deployments, the author was still able to call into previous versions of the application by specifying them directly in the domain leading to another bypass and another $3,333.70 bounty.
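As an added illustration of the parser disagreement behind the first two bypasses (example code, not from the writeup or Google), here is the pattern in Python: urllib's urlsplit follows RFC 3986, where a backslash is just another character in the authority, while WHATWG-style parsers (browsers and many HTTP clients) end the authority at a backslash. It assumes the request library behaved WHATWG-like (the page does not name it), models that rule in a simplified whatwg_host, and uses attacker.example as a constructed placeholder for [your_domain].

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "jobs.googleapis.com"   # the allow-listed host from the writeup


def whatwg_host(url: str) -> str:
    """Host a WHATWG-style parser (browsers, many HTTP clients) would connect to.
    Simplified model (an assumption of this example): for http(s) the authority
    ends at the first '/', '\\', '?' or '#', so a backslash can never sit inside
    userinfo; userinfo, when present, is everything up to the last '@'."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("http", "https"):
        raise ValueError("expected an absolute http(s) URL")
    end = next((i for i, ch in enumerate(rest) if ch in "/\\?#"), len(rest))
    authority = rest[:end]
    host = authority.rsplit("@", 1)[-1]          # drop userinfo
    if not host.startswith("["):                 # drop a port (IPv6 literals kept whole)
        host = host.split(":", 1)[0]
    return host.lower()


def naive_allowlist_check(url: str) -> bool:
    """The flawed check: urlsplit follows RFC 3986, where '\\' is an ordinary
    character, so 'attacker.example\\@jobs.googleapis.com' parses as userinfo
    'attacker.example\\' plus host 'jobs.googleapis.com' and passes."""
    return urlsplit(url).hostname == ALLOWED_HOST


def hardened_allowlist_check(url: str) -> bool:
    """Refuse anything ambiguous: any userinfo, any backslash before the path,
    or a host on which the two parsers disagree; then require an exact match."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None:
        return False
    if "\\" in parts.netloc:
        return False
    try:
        client_host = whatwg_host(url)
    except ValueError:
        return False
    return client_host == ALLOWED_HOST and parts.hostname == ALLOWED_HOST


if __name__ == "__main__":
    # Constructed sample URLs: a legitimate one plus the two bypass shapes from the writeup.
    for u in ("https://jobs.googleapis.com/v1/jobs",
              "https://attacker.example\\@jobs.googleapis.com/v1/jobs",
              "https://attacker.example\\anything@jobs.googleapis.com/"):
        print(f"{u}\n  validator saw: {urlsplit(u).hostname}  client goes to: {whatwg_host(u)}"
              f"  naive={naive_allowlist_check(u)} hardened={hardened_allowlist_check(u)}")
```

The hardened variant rejects both bypass shapes because it parses the way the client does and refuses userinfo and backslashes outright, rather than blocking the literal \@ sequence.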