brutecat.com
Leaking the phone number of any Google user
A few months ago, I disabled JavaScript on my browser while testing if there were any Google services left that still worked without JS in the modern web. Interestingly enough, the username recovery form still worked! This surprised me, as I used to think these account recovery forms required JavaScript since 2018 as they relied on botguard solutions generated from heavily obfuscated proof-of-work JavaScript code for anti-abuse. A deeper look into the endpoints: The username recovery form seemed ...
Disclosing YouTube Creator Emails for a $20k Bounty
Some time back, while playing around with Google API requests, I found out it was possible to leak all request parameters in any Google API endpoint. This was possible because for whatever reason, sending a request with a wrong parameter type returned debug information about that parameter: Request: POST /youtubei/v1/browse HTTP/2 Host: youtubei.googleapis.com Content-Type: application/json Content-Length: 164 { "context": { "client": { "clientName": "WEB&...
Leaking the email of any YouTube user for $10,000
Some time ago, I was looking for a research target in Google and was digging through the Internal People API (Staging) discovery document until I noticed something interesting: "BlockedTarget": { "id": "BlockedTarget", "description": "The target of a user-to-user block, used to specify creation/deletion of blocks.", "type": "object", "properties": { "profileId": { "description": "Re...
Decoding Google: Converting a Black Box to a White Box
We've all been there - staring at Google's search box, overwhelmed by the maze of complexity hiding behind that minimalist interface, thinking it's impossible to break in. The key to decoding Google? Converting the attack surface from a black box to a white box. The first step is finding all the endpoints that exist, and all of their respective parameters, especially ones that are hidden and aren't used in the actual app and were left from some developer testing, since they likel...