caon.io

Google GCP

Google Identity

Applications can use Google Identity to manage login. Check all endpoints to see whether any admin-only endpoints are publicly reachable.

Hint: deleteAccount and signUp may be gold

Documentation: https://developers.google.com/resources/api-libraries/documentation/identitytoolkit/v3/python/latest/identitytoolkit_v3.relyingparty.html

POST /identitytoolkit/v3/relyingparty/signupNewUser?key=GOOGLEKEY HTTP/2
Host: www.googleapis.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Client-Version: Firefox/JsCore/8.10.1/FirebaseCore-web
X-Firebase-Locale: pt
Content-Length: 81

{"returnSecureToken":true,"email":"[email protected]","password":"[email protected]"}

GET /v1/projects?key=GOOGLEKEY HTTP/2
Host: identitytoolkit.googleapis.com
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Microsoft Edge";v="108"
Content-Type: application/json
X-Client-Version: Chrome/JsCore/9.13.0/FirebaseCore-web
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.46
X-Firebase-Locale: en
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors

Google Storage

Check what permissions the bucket has:

https://github.com/RhinoSecurityLabs/GCPBucketBrute

If the site ends in appspot.com, the bucket can be accessed at:

https://storage.googleapis.com/<site_url>

Firebase

Append .json to the end of a firebaseio URL; it may leak the database.
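
Whether that .json read succeeds is decided by the database's security rules, so the matching defender-side check is to audit an export of your own rules. The following is an added example, not part of the original page: it flags `.read`/`.write` rules that are public or open to any signed-in user (which is close to public when sign-up is open, as in the Google Identity section) and deeper rules that a parent grant overrides. The function names `classify` and `audit` and the sample rules are constructed for illustration.

```python
import json

# Constructed sample (not from the page): a Realtime Database rules export.
SAMPLE_RULES = json.loads("""
{"rules": {
  ".read": false,
  "public_posts": {".read": true, ".write": "auth != null"},
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                     ".write": "auth.uid === $uid"}},
  "admin": {".read": "auth != null", "audit": {".read": false}}
}}
""")

RANK = {None: 0, "any-signed-in-user": 1, "public": 2}

def classify(expr):
    """Coarse exposure level of a .read/.write value, or None if restrictive."""
    if expr is True or str(expr).strip() == "true":
        return "public"
    # Any account passes this; with open self-registration that is near-public.
    if str(expr).replace(" ", "") in ("auth!=null", "auth!==null"):
        return "any-signed-in-user"
    return None

def audit(node, path="", inherited=None):
    """Walk the rules tree and return (path, rule, finding) tuples.

    Grants cascade downward: once a parent rule allows access, a deeper
    rule cannot take it back, so such deeper rules are reported as shadowed.
    """
    inherited = inherited or {".read": None, ".write": None}
    current, findings = dict(inherited), []
    for op in (".read", ".write"):
        if op not in node:
            continue
        level = classify(node[op])
        if RANK[level] > RANK[inherited[op]]:
            findings.append((path or "/", op, level))
            current[op] = level
        elif inherited[op]:
            findings.append((path or "/", op, "shadowed-by-parent-" + inherited[op]))
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, f"{path}/{key}", current)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES["rules"]):
        print(*finding, sep="\t")
```

In the sample, `/admin/audit` sets `.read` to false but is still reported, because the `auth != null` grant on `/admin` already applies to everything beneath it.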

Cloud enum

https://github.com/initstring/cloud_enum