Back in 2018, when I got my first research grant from google, I thought that submitting something affecting many google products would be cool, though that was unnecessary, It was just misconception from me how the grants work.
Diverting from the usual findings (XSS), wanting to find CSRF this time, and it all started with alex's powerful finding
the issue was a same origin policy bypass which will do perfectly the work of bypassing csrf protection by reading the csrf tokens, except for one thing, it is not as prevalent that the target allows uploading or hosting PDF files on target origin.
So I had to find a way, after going through a few write ups, researches and publications digging more in PDF stuff, I came up with the exploiting of content-sniffing algorithms of major browser like IE:
1) we can force the content type to be loaded as an application/pdf whatever was the real content-type only by appending " ;evil.pdf" to the end of the URL, for ex:
<embed src=victim.com/victim;.evil.pdf type=application/pdf>
2)adobe validating the PDF file by looking for the first appearance of "%PDF-1." then just keeps reading it as a valid PDF file as long as it meets the requirements structure of a PDF file.
what does that mean ? well it means: finding an endpoint where we can inject PDF content and special characters ( % <> " ), besides appending " ;.pdf " to that url returns the same response, leads to host a PDF file on target.com's origin, no matter where it is injected, what it's the real content type nor what comes before the "%PDF-1."
In *.google.com there are quite enough endpoints that meet these requirements, most of the these endpoints were CSV export/import functionality like the following:
besides to other few typical injection reflecting back on pages with content-Type of text/plain, application/octet-stream and many others.
Now that I have a way to run PDF on target origin,I used ediscovery.google.com as proof of concept, and sent the report to google vrp, honestly I wasn't expecting anything for the reward as the vulnerability was exploitable only in IE, until they surprised me with full reward like any practical CSRF then I started the mass exploiting and sent more of vulnerable endpoints.