Server-side request forgery (SSRF) lets an attacker make requests from an application's server into its internal network. This can be used to steal important information or to alter information on the internal network.
The author knew they had an SSRF bug when the response was extremely fast. Sometimes, finding blind SSRF and KNOWING if you found SSRF are two different things.
Blind SSRF only has impact if you can make requests that alter state on the internal network. So an attacker typically wants a way to get data back.
One of the features of Google Cloud Monitoring was to validate the response to the request. Using the contains check of this feature, a single character could be guessed per execution. Repeated, these guesses could eventually be used to get ALL data from an internal server.
Practically speaking, the author decided to target the Google Metadata Service in order to steal credentials to the host Google account. However, this service was behind a load balancer, making this difficult to do.
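A defender-side view of the contains oracle described above, as an added example that is not part of the original write-up: it flags an actor whose response-validation strings against one target grow one character at a time. The event schema, field names and sample records are constructed assumptions, not a real Cloud Monitoring log format.

```python
import ipaddress
from collections import defaultdict

# Constructed audit records (hypothetical schema, not a real log format):
# one entry per check execution, with the "contains" matcher it used.
SAMPLE_EVENTS = [
    {"actor": "user-a", "target": "10.0.0.5", "contains": c}
    for c in ["a", "t", "ta", "to", "tob", "tok"]
] + [
    {"actor": "user-b", "target": "example.com", "contains": c}
    for c in ["OK", "healthy"]
]

def is_internal(host):
    """True for literal private, loopback or link-local addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname: resolve before classifying (not done here)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def chain_depth(matchers):
    """Longest run of matchers where each extends the previous by one
    character, the footprint of guessing a response one character at a time."""
    seen = set(matchers)
    best = 0
    for m in seen:
        depth = 1
        while len(m) > 1 and m[:-1] in seen:
            m, depth = m[:-1], depth + 1
        best = max(best, depth)
    return best

def find_oracle_abuse(events, min_depth=3):
    """Group by (actor, target) and flag growing-prefix matcher chains."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e["actor"], e["target"])].append(e["contains"])
    findings = []
    for (actor, target), matchers in grouped.items():
        depth = chain_depth(matchers)
        if depth >= min_depth:
            findings.append({"actor": actor, "target": target,
                             "depth": depth, "checks": len(matchers),
                             "internal": is_internal(target)})
    return findings

if __name__ == "__main__":
    for f in find_oracle_abuse(SAMPLE_EVENTS):
        print(f)
```

In a real deployment `min_depth` would be set well above 3 and combined with a time window, since legitimate users rarely edit a matcher one character at a time.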
At the end of the day, Google gave the author a 31K payout! I found this to be interesting because of the method used to siphon data out of a blind SSRF.