Execution flaws in Google Drive integrations created server-side request forgery (SSRF) vulnerabilities in a mixture of applications, a security researcher has disclosed. This included Dropbox’s digital signature platform, HelloSign, but “by far the finest” SSRF was completed via CRLF and request pipelining in another, unnamed application, narrates bug bounty hunter Harsh Jaiswal in a GitHub write-up.
HelloSign bounty
Jaiswal received a bounty award of $17,576 for a “pretty simple” but critical SSRF related to HelloSign’s Google Drive Docs export feature.
“By making use of an extra parameter in the Google Drive API, it was possible for researchers to force HelloSign to parse external JSON data which leads to an SSRF attack,” said Dropbox’s security team in a bug thread on HackerOne. “We updated the parser to securely make a request which mitigates the vulnerability,” they added.
Controlling download URL
Jaiswal said the implementation issues arose in integrations that fetched files from the Google Drive API on the server-side. To demonstrate the concept, he outlined a scenario in which an application retrieves and renders an image file from Google Drive in a way that could give attackers control of the HTTP request made to googleapis.com via the file_id. Jaiswal began the research in 2019 after speculating that he might be able to get an open redirect on Google APIs, but this turned out to be unviable.
However, he found another route to SSRF. Because the alt=media parameter served the entire file rather than the JSON object, when the application parsed the JSON and extracted downloadUrl, attackers could gain control over downloadUrl. A payload containing a malicious JSON object with the downloadUrl set to an attacker-controlled URL could then, depending on application logic, trigger a blind SSRF.
CRLF, request pipelining
The SSRF via CRLF and request pipelining were found on a private bug bounty program and related to how slides were imported from Google Drive. The path traversal part of Jaiswal’s exploit worked but not the query parameters, the researcher found.
However, CRLF – denoting special character elements ‘carriage return’ and ‘line feed’ – applied to the authToken property, allowing him to control part of the request headers. “Using this I was able to craft a new request to http://www.googleapis.com with my steady query params using request pipelining,” said Jaiswal.
More to find
The researcher said most of the reported SSRFs have now been rectified, but that more could be lurking, undiscovered, in other applications. If there’s a custom execution of [Google Drive] and no sanitization is done it could cause this bug.