Google Drive integration errors created SSRF flaws in multiple applications

Implementation flaws in Google Drive integrations created server-side request forgery (SSRF) vulnerabilities in a variety of applications, a security researcher has revealed.

This included Dropbox’s digital signature platform, HelloSign, but “by far the finest” SSRF was achieved via CRLF and request pipelining in another, unnamed application, recounts bug bounty hunter Harsh Jaiswal in a GitHub write-up.

HelloSign bounty

Jaiswal received a bounty award of $17,576 for a “pretty simple” but critical SSRF related to HelloSign’s Google Drive Docs export feature.

“By making use of an extra parameter in the Google Drive API, it was possible for researchers to force HelloSign to parse external JSON data which leads to an SSRF attack,” said Dropbox’s security team in a bug thread on HackerOne.

“We updated the parser to securely make a request which mitigates the vulnerability,” they added.

Controlling downloadUrl

Jaiswal said the implementation issues arose in integrations that fetched files from the Google Drive API on the server side.

To demonstrate the concept, he outlined a scenario in which an application retrieves and renders an image file from Google Drive in a way that could give attackers control of the HTTP request made to googleapis.com via the file_id.

“This means we can do a path traversal and add query parameters,” explained the researcher.

Jaiswal began the research in 2019 after speculating that he might be able to get an open redirect on Google APIs, but this turned out to be unviable.

However, he found another route to SSRF.

Because the alt=media parameter makes the API return the file’s contents rather than its JSON metadata object, an attacker who could smuggle that parameter in through the file_id could have their own file parsed as the metadata; when the application then extracted downloadUrl from that JSON, the attacker controlled downloadUrl.

A payload containing a malicious JSON object with the downloadUrl set to an attacker-controlled URL could then, depending on application logic, trigger a blind SSRF.

CRLF, request pipelining

The SSRF via CRLF and request pipelining was found on a private bug bounty program and related to how slides were imported from Google Drive.

The path traversal part of Jaiswal’s exploit worked but not the query parameters, the researcher found.

However, CRLF injection (inserting the ‘carriage return’ and ‘line feed’ control characters) into the authToken property allowed him to control part of the request headers.

“Using this I was able to craft a new request to www.googleapis.com with my controlled query params using request pipelining,” said Jaiswal.
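The two failure modes described above, an unvalidated file_id reaching the request path and query string, and unvalidated token bytes reaching a request header, reduce to one defensive rule: every value that flows into the outbound request to the Drive API, and every value read back out of its response, is untrusted input. The following Python is an added example written for this page, not code from the researcher’s write-up or from any of the affected applications. The file-id character class and length range, the single allowlisted download host and all helper names are assumptions chosen for illustration.

```python
"""Defensive input handling for a server-side Google Drive integration.

Added example (not from the article or the researcher's write-up). Assumes the
application fetches /drive/v2/files/{file_id} with a bearer token, parses the
JSON metadata and then follows the downloadUrl it contains. FILE_ID_RE,
ALLOWED_DOWNLOAD_HOSTS and the function names are assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumed shape of a Drive file id: letters, digits, '-' and '_' only.
# Deliberately excludes '/', '.', '?', '&', '%', so the id cannot change the
# request path or append parameters such as alt=media.
FILE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{10,128}$")

# Assumption: the only host whose downloadUrl the service will follow.
ALLOWED_DOWNLOAD_HOSTS = {"www.googleapis.com"}

def is_safe_file_id(file_id: str) -> bool:
    """True only if the id cannot alter the URL it is interpolated into."""
    return FILE_ID_RE.fullmatch(file_id) is not None

def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF and every other control character.

    A CR/LF pair inside a header value terminates the header block, which is
    what lets a caller-controlled token smuggle extra headers or a whole
    pipelined request behind the intended one.
    """
    return all(0x20 <= ord(ch) < 0x7F for ch in value)

def is_allowed_download_url(url: str) -> bool:
    """Follow downloadUrl only when it is HTTPS to an allowlisted host.

    The metadata JSON is data returned by a request the caller influenced, so
    the URL inside it must be checked before the server fetches it. Userinfo
    ('https://trusted@evil') is rejected outright rather than parsed around.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return (parts.hostname or "") in ALLOWED_DOWNLOAD_HOSTS

def build_metadata_request(file_id: str, auth_token: str):
    """Return (url, headers) for the metadata call, or raise ValueError.

    Validation happens before interpolation, so the fixed template below is
    the only place the request path and query are decided.
    """
    if not is_safe_file_id(file_id):
        raise ValueError("invalid Google Drive file id")
    if not is_safe_header_value(auth_token):
        raise ValueError("control characters in authorization token")
    url = f"https://www.googleapis.com/drive/v2/files/{file_id}"
    return url, {"Authorization": f"Bearer {auth_token}"}

def choose_download_url(metadata: dict) -> str:
    """Extract downloadUrl from parsed metadata, applying the allowlist."""
    url = metadata.get("downloadUrl")
    if not isinstance(url, str) or not is_allowed_download_url(url):
        raise ValueError("downloadUrl rejected by allowlist")
    return url

if __name__ == "__main__":
    # Constructed sample inputs, not values from the article.
    good_id = "1A2b3C4d5E6f7G8h9I0jKLMNOPqrstuv"
    traversal_id = "../../files/" + good_id + "?alt=media"
    good_token = "ya29.constructed-token_value"
    crlf_token = "ya29.constructed\r\nX-Injected: 1"

    print(build_metadata_request(good_id, good_token))
    for fid, tok in ((traversal_id, good_token), (good_id, crlf_token)):
        try:
            build_metadata_request(fid, tok)
        except ValueError as exc:
            print("rejected:", exc)

    # Constructed metadata: one legitimate, one pointing off-Google.
    print(choose_download_url(
        {"downloadUrl": "https://www.googleapis.com/drive/v2/files/x?alt=media"}))
    try:
        choose_download_url({"downloadUrl": "https://internal.example/"})
    except ValueError as exc:
        print("rejected:", exc)
```

The checks are independent so each can be wired in at the boundary where its value enters: `is_safe_file_id` where the id is read from the caller, `is_safe_header_value` before any header is assembled, and `is_allowed_download_url` on every URL taken from an API response before the server fetches it. A host allowlist is the right default for a fetcher that only ever needs to talk to one API; a denylist of private ranges is weaker because the response can name any public host.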

More to find

The researcher said most of the reported SSRFs have now been rectified, but that more could be lurking, undiscovered, in other applications.

“If there’s a custom implementation of [Google Drive] and no sanitization is done it could cause this bug,” he told The Daily Swig. “I’m pretty sure there are more apps still affected by this finding.”

Source: https://portswigger.net/daily-swig/google-drive-integration-errors-created-ssrf-flaws-in-multiple-applications
