SSRF & Google HOF (Hall of Fame)

Aman Pareek
3 min read · Aug 22, 2022


Update: I explained the impact to Google again and again, with some reference reports, and proved that the mentioned endpoint was indeed used in a production environment.
They finally replied with a reward of $1337.

This time I will talk about a very interesting SSRF (Server-Side Request Forgery) on a Google asset, interesting because of the way I found the endpoint. Read below to find out.

Note: I am assuming that you know what SSRF and Dependency Confusion attacks are, so if you are not familiar with these terms, kindly google them and get familiar with them.

In February this year, I decided to hunt on Google, but I wanted to do things in a different manner, because with clichéd methods I would get what everyone else is getting. So I decided to hunt for Dependency Confusion through the GitHub accounts belonging to Google for their open source projects, which was a bad idea, because it is highly unlikely that you are going to find something of that sort. So I searched for package.json files in some GitHub accounts and came across this particular file, which looked like this:

(Image: the package.json file)

Nothing special in this, I know, and that is why, out of curiosity, I decided to check the other files. There was an index.ts file which referenced some other files like logger.ts and licenses.ts, and there was a route defined in index.ts like this:

Now we needed a domain where this was deployed, and luckily, in the comments or in the readme file, there was an appspot.com URL where this project was deployed:

Why am I hiding the domain?
Since all of this is open source, just take it as a challenge or practice to find the repository and subsequently the domain.

When I sent a POST request to /convert/licenses, the response body contained a message saying that the URL parameter was missing, and the moment I saw this I thought: SSRF. I then sent a POST request to the same endpoint with the url parameter in the request body as JSON:

And the result was LFI via SSRF, because there was no check on the URI scheme used.
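The missing check, shown as an added example that is not the project's own code: a handler that accepts a user-supplied url in a JSON body can allowlist the scheme (and reject loopback and private address literals) before fetching, instead of passing whatever scheme arrives straight to the fetch layer. The function name, the result shape and the notion that only public http(s) URLs are legitimate inputs are assumptions made for this example.

```typescript
// Added example, not code from the repository discussed above.
// Assumption: the handler receives JSON like { "url": "..." } and should only
// ever fetch public http(s) resources.
type UrlCheck = { ok: true; url: string } | { ok: false; reason: string };

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// IPv4 literals that a server should not fetch on a client's behalf: loopback,
// "this network", link-local (where cloud metadata services live) and RFC 1918.
function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Validate the url parameter before any request is made with it.
function checkFetchTarget(raw: unknown): UrlCheck {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "url parameter is missing" };
  }
  let u: URL;
  try {
    u = new URL(raw); // WHATWG parser also normalises hex/decimal IPv4 forms
  } catch {
    return { ok: false, reason: "malformed url" };
  }
  // The bug described in the post: no scheme check, so file:// was accepted.
  // An allowlist of schemes closes that whole class, not just file://.
  if (!ALLOWED_SCHEMES.has(u.protocol)) {
    return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  }
  if (u.username || u.password) {
    return { ok: false, reason: "credentials in url not allowed" };
  }
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || host.includes(":")) {
    return { ok: false, reason: "loopback or IPv6 literal host not allowed" };
  }
  if (isPrivateIPv4(host)) {
    return { ok: false, reason: "private or link-local address not allowed" };
  }
  return { ok: true, url: u.href };
}
```

A hostname that resolves to a private address still gets past a literal check like this, so production code should also resolve the name and apply the same address filter to what it actually connects to.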

Why no bounty?

Even I was expecting some bounty for this, but Google VRP had a justification for this:

Timeline:

Reported 22/02/2022 13:31
Triaged 22/02/2022 14:12
Accepted 22/02/2022 15:47
HoF Awarded 08/03/2022 22:26
Bounty Mail 14/10/2022 00:27
