SSRF in Internal Google Service (and two fix bypasses) (10401 USD)

We discussed this vulnerability as part of our weekly podcast on 30 November 2021

URL validation vulnerabilities leading to server side request forgery (SSRF) on an internal Google endpoint. The endpoint checked the target host against a whitelist, and the original bypass was to put a backslash followed by `@` after an attacker-controlled domain:

https://[your_domain]\@jobs.googleapis.com

The validation parses the authority as `userinfo@host`, so it sees `[your_domain]\` as credentials and `jobs.googleapis.com` as the host, but the request library treats the backslash as the end of the host (the way browser-style URL parsers do), so the actual request goes to `[your_domain]`. A parser differential like this means the host that was validated is not the host that is contacted. This got the author a $4,333.70 bounty.

The first fix only blocked the literal `\@` sequence, and was bypassed by placing any content between the `\` and the `@`, such as:

https://[your_domain]\anything@jobs.googleapis.com/

This is parsed the same way (the validator still takes everything before the last `@` as userinfo, while the request library still stops the host at the backslash), so blocking only `\@` was not sufficient. This bypass alone was rewarded an additional $3,333.70.
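The parser differential behind the first two bypasses, as an added example that is not part of the original post or the author's writeup. It contrasts Python's RFC 3986-style `urlsplit` (standing in for the validator) with a minimal browser-style parser that ends the authority at a backslash (standing in for the request library), and shows a hardened check that refuses userinfo and backslashes outright and requires both parsers to agree. The host names `attacker.example` and the allowlist are constructed for the example; the real endpoint and its whitelist are not known from the writeup.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for the example; the real whitelist is not public.
ALLOWED_HOSTS = {"jobs.googleapis.com"}


def validator_host(url: str) -> Optional[str]:
    """Host as an RFC 3986-style parser sees it (Python's urlsplit).

    Everything in the authority up to the LAST '@' is treated as userinfo,
    and a backslash is just another character inside the authority.
    """
    return urlsplit(url).hostname


def whatwg_host(url: str) -> Optional[str]:
    """Host as a WHATWG/browser-style parser sees it.

    For the special schemes http/https, a backslash terminates the
    authority exactly like '/', so anything after it becomes the path.
    Port and IPv6 handling are deliberately minimal for the example.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("http", "https"):
        return None
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch in "/\\?#":      # backslash ends the authority here
            end = i
            break
    authority = rest[:end]
    host = authority.rpartition("@")[2]   # drop userinfo, if any
    host = host.split(":")[0]             # drop a port, if any
    return host.lower() or None


def naive_is_allowed(url: str) -> bool:
    """The vulnerable pattern: validate with one parser, send with another."""
    return validator_host(url) in ALLOWED_HOSTS


def hardened_is_allowed(url: str) -> bool:
    """Hardened check (added here, not the fix Google shipped).

    1. Refuse backslashes anywhere: no legitimate API URL needs one.
    2. Refuse userinfo: a '@' in the authority has no business in an
       allowlisted API call and is the root of both bypasses.
    3. Require the browser-style host and the RFC-style host to agree,
       and require that agreed host to be on the allowlist.
    """
    if "\\" in url:
        return False
    scheme, sep, rest = url.partition("://")
    if not sep:
        return False
    authority = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if "@" in authority:
        return False
    h1, h2 = whatwg_host(url), validator_host(url)
    return h1 is not None and h1 == h2 and h1 in ALLOWED_HOSTS


def compare(url: str) -> dict:
    """Summarise how each parser and each check treats a URL."""
    return {
        "validator_host": validator_host(url),
        "request_host": whatwg_host(url),
        "naive_allowed": naive_is_allowed(url),
        "hardened_allowed": hardened_is_allowed(url),
    }


if __name__ == "__main__":
    for u in (
        "https://attacker.example\\@jobs.googleapis.com",            # bypass 1
        "https://attacker.example\\anything@jobs.googleapis.com/",   # bypass 2
        "https://jobs.googleapis.com/v4/projects",                   # legitimate
    ):
        print(u, compare(u))
```

Running the block shows the first two URLs passing the naive check with `validator_host` reporting `jobs.googleapis.com` while `request_host` reports `attacker.example`; the hardened check rejects both and still accepts the plain API URL. The general lesson is to validate the URL with the same parser that will issue the request (or, as here, to refuse any input on which two reasonable parsers disagree) rather than to block individual character sequences.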

Finally, once that bypass was fixed on the default deployment, the author was still able to reach previous, unfixed versions of the application by naming them directly in the domain, leading to another bypass and another $3,333.70 bounty. The practical takeaway is that a fix to the default version does not help if older versions stay reachable under their own hostnames.