Into the Borg – SSRF inside Google production network
https://opnsec.com/2018/07/into-the-borg-ssrf-inside-google-production-network/ [opnsec.com]
2018-07-20 22:11
I used the private IP as the URL for the Google Sites JavaScript external resource and waited for the moment of truth. The request took more than 30 seconds to complete and at that time I really thought the request was blocked, and I almost closed the page since I never had any luck with SSRF on Google before. However, when Google Caja replied, I saw that the reply size wasn’t around 1 KB like for a typical error message but 1 MB instead! One million bytes of information coming from a 10.x.x.x IP from Google's internal network; I can tell you I was excited at this point!
source: HN