Out-of-band resource load (classified by PortSwigger) is original name for this type of vulnerability which allows attackers to use vulnerable servers (in this case Google’s) to perform DoS / DDoS attack on a remote host. Basically, the attacker would send a big number of requests to vulnerable web application containing target host as payload, then the vulnerable web application will reflect every request to target address, defined by the attacker. PortSwigger rated this issue severity as high level.
During exploitation test, Sikic was able to gain over 700 Mbps traffic after 10,000 requests.
However, Google has a caching system which is there to prevent this type of issue. Sikic was able to bypass that security measure and let server think that every request is unique.
In his demonstration video, we can see that traffic goes around 300 Mbps, depending on the number of requests per second.
As a mitigation measure for this issue, there should be a better caching mechanism and a detecting system which would not allow an
We found that this is not the first time Sikic found a vulnerability in Google’s products. Few months before, he found and reported Cross-site Scripting in YouTube, and Big G
Timeline for the Out-of-band resource load is:
February 18 – Bug Reported
February 19 – More information sent
February 20 – Report Triaged
February 22 –
February 22 – Google update: Issue is already known to Google
(Security Affairs – Out-of-band resource load, DDoS)