Google AppSheet is a no-code app generator. While looking around for functionality, the author of the write-up found a section called Workflows, which made it possible to automate app behavior via rules. One of these options was a webhook.
Since these hooks required a URL, they pointed it at an internal URL to try to steal the metadata information from the instance, which would include keys for the box. However, they ran into a problem: they needed to make a GET request, while the application only supported POST/PUT requests.
In order to get around this problem, they made the request to a separate website that they controlled. In the response, they sent a 301 redirect pointing at the internal URL, which also turned the request into a GET. Amazingly enough, this worked for getting back the access token!
It turns out that the API would accept a POST or a GET request, which made the shenanigans above unnecessary. Try the stupid simple thing first!
The fix was to disable the legacy metadata API, which the author had used in their original exploit. Additionally, adding the Metadata-Flavor header was banned; since the metadata request requires that header, this made the SSRF unexploitable.
However, the webhook could still add custom headers. They found an alternative to the Metadata-Flavor header that could be used to trigger the metadata request: X-Google-Metadata-Request.
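The fix described above covers both the redirect trick and the header alias, and the two lessons translate into one outbound-request guard. The following Python is an added example (not AppSheet's or the write-up author's code) of what such a guard looks like from the defender's side: it resolves every destination and rejects non-public addresses, follows redirects by hand so that each hop is re-checked instead of letting the HTTP client silently land on the metadata service, and refuses the caller-supplied headers that mark a request as a metadata query (Metadata-Flavor and its older alias X-Google-Metadata-Request). The hostnames, addresses and the 301 response in the fixtures are constructed so the example runs offline; `transport` and `resolver` are injected stand-ins for a real HTTP client with redirects disabled and for DNS.

```python
"""Outbound-webhook guard (added example, not AppSheet's code).

1. refuse destinations that resolve to the metadata service or other
   non-public address space;
2. never auto-follow redirects; re-run check 1 on every hop, because a 301
   from an external host can point back inside;
3. reject headers that mark the request as a deliberate metadata query.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

METADATA_HEADERS = {"metadata-flavor", "x-google-metadata-request"}  # lower-case
METADATA_HOSTNAMES = {"metadata", "metadata.google.internal"}
MAX_REDIRECTS = 5


def _is_public_ip(ip_text):
    """True only for globally routable unicast addresses. is_global excludes
    private, loopback and link-local space (169.254.0.0/16 is where the
    metadata server lives) as well as documentation and reserved ranges."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def _default_resolver(host):
    """All A/AAAA records; a single bad record is enough to reject the host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_url(url, resolver=_default_resolver):
    """Return (ok, reason) for one webhook destination."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in METADATA_HOSTNAMES:
        return False, "metadata hostname: %s" % host
    try:
        addresses = [str(ipaddress.ip_address(host))]  # bare IP literal
    except ValueError:
        try:
            addresses = resolver(host)
        except (OSError, ValueError) as exc:
            return False, "resolution failed for %s: %s" % (host, exc)
    if not addresses:
        return False, "no addresses for %s" % host
    for addr in addresses:
        if not _is_public_ip(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


def check_headers(headers):
    """Return (ok, reason); header names are compared case-insensitively."""
    for name in headers:
        if name.strip().lower() in METADATA_HEADERS:
            return False, "header not allowed: %s" % name
    return True, "ok"


def send_webhook(url, method, headers, transport, resolver=_default_resolver):
    """Send the webhook, following redirects by hand and re-validating each hop.

    transport(url, method, headers) performs ONE request with redirects
    disabled and returns (status, response_headers). It is injected so the
    example runs offline; in production wrap your HTTP client that way."""
    ok, reason = check_headers(headers)
    if not ok:
        return {"sent": False, "reason": reason, "hops": []}
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            return {"sent": False, "reason": reason, "hops": hops}
        hops.append(url)
        status, resp_headers = transport(url, method, headers)
        if status not in (301, 302, 303, 307, 308):
            return {"sent": True, "status": status, "reason": "ok", "hops": hops}
        location = {k.lower(): v for k, v in resp_headers.items()}.get("location")
        if not location:
            return {"sent": False, "reason": "redirect without Location", "hops": hops}
        if status in (301, 302, 303):
            method = "GET"  # what real clients do, and what the write-up relied on
        url = urljoin(url, location)
    return {"sent": False, "reason": "too many redirects", "hops": hops}


# --- constructed offline fixtures: invented hosts, addresses and responses ---
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],  # stand-in for a public address
    "attacker.example": ["93.184.216.35"],   # external host that answers with a 301
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("unknown host %s" % host)
    return FAKE_DNS[host]


def fake_transport(url, method, headers):
    """The external host replies 301 toward the metadata address; others 200."""
    if urlparse(url).hostname == "attacker.example":
        return 301, {"Location": "http://169.254.169.254/"}
    return 200, {}


def demo():
    """Run the two bypasses described above plus a benign request through the guard."""
    def run(url, hdrs):
        return send_webhook(url, "POST", hdrs, fake_transport, fake_resolver)
    return {
        "direct": run("http://metadata.google.internal/", {}),
        "via_redirect": run("http://attacker.example/hook", {}),
        "header_alias": run("http://hooks.example.com/", {"X-Google-Metadata-Request": "True"}),
        "legit": run("http://hooks.example.com/", {"Content-Type": "application/json"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-13s sent=%s reason=%s" % (name, result["sent"], result["reason"]))
```

The design point is that the check runs per hop, not once on the user-entered URL: with auto-follow enabled, the client would validate `attacker.example`, then quietly issue a GET to `169.254.169.254`. Resolving before the request and rejecting hosts with any non-public record also closes the simpler case of a public hostname that resolves to link-local space; a production version should additionally pin the connection to the resolved address so DNS cannot change between the check and the request.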
Overall, good read with some neat SSRF tricks!