Skip to main content

Posts

SSRF vulnerability in AppSheet - Google VRP

Hi, this bug is one of my older reports - a bug in a Google acquisition called AppSheet . AppSheet is a no-code app generator. With this service, you can create applications from your browser without having deep knowledge of App development. SSRF in webhook I looked into the AppSheet features and found a section called Workflows (today replaced by "AppSheet Bots"). AppSheet Workflow made it possible to automate app behaviour by defining specific rules. For example - send an email notification when a user creates a new row in a table. There is a variety of options for defining these rules. One of those options is to call a webhook on the rule trigger. That sounded promising, so I looked into this feature :). Workflow rule settings   I created a new workflow with the rule: call a webhook when data in a table are changed. One of the first things I tried was to call a metadata API. Well, I bumped into a first problem. There wasn't an option to create a GET request, which