David Schütz, a security researcher, recently discovered a URL parsing vulnerability that exposed an internal Google Cloud project to server-side request forgery (SSRF) attacks. SSRF is a web security flaw that enables an attacker to make a server-side application send HTTP requests to any domain the attacker chooses.
How was the SSRF vulnerability discovered?
Schütz discovered the vulnerability while researching Discovery Documents, the data structures that specify Google API services. Among them he came upon an intriguing service named Jobs API, which appeared to be an internal service. The Jobs API led him to a Google App Engine application that acted as a proxy, exposing the API through Google’s public product marketing pages. Because the proxy sat between the user and the API, it held an access token that could be leveraged in SSRF attacks.
Request URLs were checked against a whitelist to restrict access to internal Google resources. Schütz, however, was able to fool the URL parser and bypass the whitelist, allowing him to send requests to any server he wanted. This let him send requests from the proxy app to a Google Cloud VPS server.
The request revealed the proxy app’s access token, which he could then use to send requests to other Google Cloud projects within the company. The root cause was a URL parsing bug, which resulted in the SSRF.
“This issue feels like an industry-wide problem since different applications are parsing URLs based on different specifications,” said Schütz. “After disclosing the initial issue in the Google JS library, I have already seen this getting fixed in products from different companies as well. Even though, this issue still keeps popping up even at Google. This SSRF is a great example of it,” he added.
Accessing resources, running arbitrary code
Using the access token, Schütz was able to obtain a list of accessible internal projects, cloud storage buckets, virtual machines, and the proxy application’s management interface.
Through that management interface he was able to access logs containing sensitive user information (though he did not download any of them) as well as deployed instances of the application itself, which could be reverse-engineered to recover its source code. Because the administrative interface has complete control over the App Engine instance, an attacker could use it to disrupt the service, harvest user information, or upload malicious programs.
To demonstrate the impact of the bug, Schütz built and uploaded to the proxy service a Python application that served a base64-encoded message. He deployed it as a non-default version of the proxy service to avoid disrupting the main service.
Fixing the SSRF Bug
The Google Vulnerability Rewards Program awarded Schütz a $4,133 bounty for the discovery. After the flaw was fixed, he returned to the proxy and found that, although the original attack no longer worked, the URL parser could still be bypassed by a different method. He received a second reward of $3,133 for reporting this new issue, and a further $3,133 after discovering and reporting that previous versions of the proxy application were still active.
Although the bug has now been fixed, it could have allowed an attacker to access sensitive resources and possibly run malicious code. Schütz has documented the bug in a comprehensive video and blog post.