French Bug bounty hunter
Category: Web Hacking
Time to read: 2 min read
Posted on March 31, 2022, 8:14 a.m.
In this article I will talk about a critical vulnerability on Evernote: it was an SSRF that allowed me to access GCP credentials by fetching the GCP metadata webserver.
The first day hunting on Evernote I didn't find anything juicy after 2 hours, so I stopped.
The next day, as soon as I opened Evernote, I saw a juicy request:
If you decode the base64 value in the URL you get:
and the content of f6cdd4bdfa4c1b86f441c7c29f072e511dd34501.css is shown inside the response, so I immediately thought about SSRF!
I tried the value of http://169.254.169.254 in base64 but it wasn't working. After a little trial and error I understood that there was a whitelist of URLs/filepaths ending with .css or .js, so I used the following payload URL:
which is the base64 for:
The .js after the # is sent as a fragment, so the server does not interpret it, but the extension check still passes since the string ends with .js, and I got the access token:
I then found out that it was also possible to access local files via the base64-encoded value of
I got a $5,000 bounty from Evernote, which is their critical bounty; here is the HackerOne report
It was my first bug bounty write-up. I hope it was interesting; I'll try to make more write-ups in the future!
Don't hesitate to reach me on Twitter!
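To make the root cause concrete from the defender's side, here is an added example (my own code, not Evernote's, whose backend is not shown in this write-up) contrasting the kind of check the report describes, a suffix test on the raw decoded string that a `#.js` fragment or a `file://` URL can satisfy, with a hardened validator that parses the URL, restricts the scheme, rejects link-local and private literal IPs such as the metadata address, requires the host to be on an allowlist, and applies the extension rule to the path component only. The allowlisted host `static.example.com` and the sample URLs are constructed for the demo.

```python
import base64
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SUFFIXES = (".css", ".js")
# Constructed allowlist of origins the fetcher is meant to proxy (hypothetical host).
ALLOWED_HOSTS = {"static.example.com"}


def encode_param(raw: str) -> str:
    """Base64-encode a URL the way the vulnerable parameter carried it."""
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_param(b64: str) -> str:
    """Decode the base64 parameter back to the URL/path string."""
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def weak_is_allowed(raw: str) -> bool:
    """The flawed check the write-up describes: a suffix test on the whole string.

    A fragment such as '#.js' or any file path ending in '.css' satisfies it,
    even though the server never sends the fragment and should never read
    local files at all.
    """
    return raw.endswith(ALLOWED_SUFFIXES)


def is_internal_host(host: str) -> bool:
    """True if host is a literal IP in a range that should never be fetched
    server-side (loopback, link-local such as 169.254.169.254, private, reserved)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal IP; handled by the hostname allowlist
    return ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_reserved


def hardened_is_allowed(raw: str) -> bool:
    """Parse the URL and validate each component separately."""
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        return False  # rejects file://, gopher://, and scheme-less paths
    host = parts.hostname
    if not host or is_internal_host(host):
        return False  # blocks metadata/link-local and other internal literals
    if host not in ALLOWED_HOSTS:
        return False  # only known static-asset origins may be fetched
    # Extension rule applies to the path only; query and fragment are ignored.
    # Note: a DNS resolver should still pin the resolved address at fetch time
    # to stay safe against rebinding; that is outside this offline example.
    return parts.path.lower().endswith(ALLOWED_SUFFIXES)


def check_param(b64: str) -> tuple[bool, bool]:
    """Return (weak_verdict, hardened_verdict) for one base64 parameter value."""
    raw = decode_param(b64)
    return weak_is_allowed(raw), hardened_is_allowed(raw)


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate stylesheet, the metadata address
    # with a fragment, and a local file path.
    samples = [
        "https://static.example.com/f6cdd4bdfa4c1b86f441c7c29f072e511dd34501.css",
        "http://169.254.169.254/#.js",
        "file:///tmp/example.css",
    ]
    for url in samples:
        weak, hardened = check_param(encode_param(url))
        print(f"{url!s:70} weak={weak!s:5} hardened={hardened}")
```

Running the block prints that the first URL passes both checks while the metadata and `file://` URLs pass only the weak suffix test; the hardened validator fails them on the host and scheme rules respectively, before the extension is even considered.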