Out-of-band resource load (classified by PortSwigger) is original name for this type of vulnerability which allows attackers to use vulnerable servers (in this case Google’s) to perform DoS / DDoS attack on a remote host. Basically, the attacker would send a big number of requests to vulnerable web application containing target host as payload, then the vulnerable web application will reflect every request to target address, defined by the attacker. PortSwigger rated this issue severity as high level.
During exploitation test, Sikic was able to gain over 700 Mbps traffic after 10,000 requests.
However, Google has a caching system which is there to prevent this type of issue. Sikic was able to bypass that security measure and let server think that every request is unique.
In his demonstration video, we can see that traffic goes around 300 Mbps, depending on the number of requests per second.
As a mitigation measure for this issue, there should be a better caching mechanism and a detecting system which would not allow an
We found that this is not the first time Sikic found a vulnerability in Google’s products. Few months before, he found and reported Cross-site Scripting in YouTube, and Big G
Timeline for the Out-of-band resource load is:
February 18 – Bug Reported
February 19 – More information sent
February 20 – Report Triaged
February 22 –
February 22 – Google update: Issue is already known to Google
(Security Affairs – Out-of-band resource load, DDoS)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.