Implementation vulnerabilities in Google Drive integrations created various server-side-request-forgery (SSRF) flaws in various applications, say cybersecurity experts. It also includes Dropbox's HelloSign, a digital signature platform, however, the latest SSRF was gained by CRLF and asks pipeline in other, anonymous applications, says Bug Bounty hunter Harsh Jaiswal. Jaiswal won a bounty reward of $17,576 for a basic but important SSRF associated with HelloSign's Google Drive Docs export feature.
If one uses an extra parameter in Google Drive API, it is possible for experts to compelled HelloSign for parsing external JSON data that leads to an SSRF attack. Dropbox has updated the parser securely making a request mitigating the flaw.
The implementation issues surfaced in integrations that retrieved files from Google Drive API in the servers. To explain the issue, Jaiswal laid out a situation where an app collects and renders an image file in Google Drive in a way that allows hackers to gain control of HTTP requests made to Google APIs via file ID. A user can make a path traversal, adding query parameters.
The Daily Swig reports "Jaiswal began the research in 2019 after speculating that he might be able to get an open redirect on Google APIs, but this turned out to be unviable. However, he found another route to SSRF. Because the alt=media parameter served the entire file rather than the JSON object, when the application parsed the JSON and extracted downloadUrl, attackers could gain control over downloadUrl." A payload consisting of a malicious JSON element download Url.
The SSRF through CRLF and pipeline was discovered on a private bug bounty competition and linked to Google Drive slides retrieval. Only the path traversal technique worked and not the query parameters. "Using this I was able to craft a new request to www.googleapis.com with my controlled query params using request pipelining. If there’s a custom implementation of [Google Drive] and no sanitization is done it could cause this bug," reports the Daily Swig.
