$$$ Bypassing SSRF Restrictions on a Google Product: A Journey Through DNS Rebinding

As a security researcher, I often find myself navigating the intricate web of potential vulnerabilities, searching for that elusive flaw that could lead to something impactful. Recently, I stumbled upon an intriguing discovery while testing a Google product. What started as a seemingly innocuous blind SSRF vulnerability soon turned into a fascinating challenge, ultimately leading me down the path of DNS rebinding — a method that allowed me to probe the internal network in ways that conventional approaches couldn’t.

The Discovery

It all began with a simple ‘url’ parameter found in the following endpoint:

https://[redacted]/image/getremoteimageurl?url=

Naturally, I decided to test it by injecting a Burp Collaborator URL. To my excitement, I observed a hit, confirming the presence of a blind SSRF vulnerability. However, the challenge was far from over. Blind SSRF, by itself, often lacks the impact necessary to cause significant damage. The real question was — how could I leverage this to create something more potent?

The Struggle: Traditional Methods Fail

My first thought was to explore the possibility of internal port scanning by targeting localhost. I attempted the following URL:

http://127.0.0.1:port