Bypassing SSRF Restrictions on a Google Product: A Journey Through DNS Rebinding
As a security researcher, I often find myself navigating the intricate web of potential vulnerabilities, searching for that elusive flaw that could lead to something impactful. Recently, I stumbled upon an intriguing discovery while testing a Google product. What started as a seemingly innocuous blind SSRF vulnerability soon turned into a fascinating challenge, ultimately leading me down the path of DNS rebinding — a method that allowed me to probe the internal network in ways that conventional approaches couldn’t.
The Discovery
It all began with a simple ‘url’ parameter found in the following endpoint:
https://[redacted]/image/getremoteimageurl?url=
Naturally, I decided to test it by injecting a Burp Collaborator URL. To my excitement, I observed a hit, confirming the presence of a blind SSRF vulnerability. However, the challenge was far from over. Blind SSRF, by itself, often lacks the impact necessary to cause significant damage. The real question was — how could I leverage this to create something more potent?
The Struggle: Traditional Methods Fail
My first thought was to explore the possibility of internal port scanning by targeting localhost. I attempted the following URL:
http://127.0.0.1:port
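Seen from the defender's side, the reason a localhost probe like the one above should fail, and why a DNS answer that changes between lookups can slip past a naive filter, comes down to where the destination check runs. The following is an added example, not code from the original post or from the Google product: a validator for a `url=` parameter that resolves the hostname once, rejects any loopback, private, link-local or otherwise non-routable answer, and returns a pinned IP that the caller must connect to directly (sending the hostname in the Host header) instead of resolving again. Hostnames such as `good.example` and `rebind.example` and the fake resolver are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_blocked_address(ip_text: str) -> bool:
    """True for any address an outbound fetcher must never reach:
    loopback, RFC 1918/ULA, link-local (cloud metadata), multicast, etc."""
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 such as ::ffff:127.0.0.1 is unwrapped before checking
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_pinned(hostname: str, resolver=None) -> str:
    """Resolve hostname exactly once and return one vetted IP.
    Every address in the answer must pass: a low-TTL name alternating between
    a public and an internal address (DNS rebinding) could otherwise pass the
    check on one lookup and be connected to on the next."""
    if resolver is None:  # real lookup; tests inject a constructed resolver
        resolver = lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)]
    addrs = resolver(hostname)
    if not addrs:
        raise ValueError("no address for %s" % hostname)
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError("%s resolves to blocked address %s" % (hostname, addr))
    return addrs[0]


def validate_remote_url(url: str, resolver=None) -> tuple:
    """Return (scheme, pinned_ip, port, host) for a url= parameter, or raise.
    The caller must open its socket to pinned_ip, never re-resolve host, and
    re-run this function on every redirect target before following it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        literal = [str(ipaddress.ip_address(host))]  # IP literal: no DNS at all
        resolver = lambda _h: literal
    except ValueError:
        pass  # a real hostname; use the supplied or default resolver
    return parts.scheme, resolve_pinned(host, resolver), port, host
```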