David Nechuta

My bug bounty writeup - 31k$ from @GoogleVRP - SSRF in Google Cloud Monitoring, which led to project metadata exposure. nechudav.blogspot.com/2020/11/31k-ss… #BugBounty #bugbountytips #bugbountytip

@smaury92 Nice :), I think the backend service is written for .NET, so that's probably why they use Windows.

@david_nechuta Great to know who was the one who turned my report into a duplicate 😂 At least I still found a P1 in AppSheet in the MySQL client which allowed a rogue server to read local files through the LOAD DATA LOCAL INFILE directive. I was really surprised they're using Windows servers.

Just published writeup on one of the older bugs I found. SSRF in Google acquisition called AppSheet :) #BugBounty nechudav.blogspot.com/2021/12/ssrf-v…

The video about blind SSRF in Google Cloud for which @david_nechuta got $31k is out! Watch it to see how it's sometimes possible to exfiltrate data with blind SSRFs. You can also test your own skills with hands-on lab 😎 Enjoy! youtu.be/ashSoc59z1Y

@gregxsunday Great explanation, thanks for creating it

Obrovská gratulace David Nechuta k 2. místu a odměně $73,331 v druhém ročníku globální soutěže #GoogleVulnerabilityRewardProgram! Úspěchy Čechů v obrovské globální konkurenci jsou vždy ta nejlepší možná reklama pro české softwarové inženýrství. security.googleblog.com/2021/03/announ…

The GCP VRP Prize winners are out! ☁️🏆🎉 Congrats to the fab 6. We can't wait to see what you all have in store for us this year – the submission form is open. security.googleblog.com/2021/03/announ…

@omespino Wow, nice finding 👏

#writeup GOOGLE VRP N/A SSRF bypass with quadzero in Google Cloud Monitoring A short story about one of my last bugs, and how I managed to get a lame and limited bypass from @david_nechuta SSRF bug on cloud monitoring omespino.com/write-up-googl… #infosec #Bugbounty #NotApplicable

The SSRF GCloud Monitoring blog post has been updated. Added Google engineers solution for obtaining access token. They found a really cool way to get it by reducing number of requests required using regex and binary search. nechudav.blogspot.com/2020/11/31k-ss…

@wtm_offensi Thanks 🙂

Nice find by @david_nechuta . congrats!