Hacking Google with AI AI-Assisted Discovery-Document Fuzzin...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://brutecat.com/articles/hacking-google-with-ai
• Blog Title: Hacking Google with AI: AI-Assisted Discovery-Document Fuzzing of Google APIs
• Suggested Section: Pentesting Cloud > GCP Pentesting > GCP - Unauthenticated Enum & Access > GCP - API Keys Unauthenticated Enum, with possible cross-links to GCP - Basic Information / GCP - Services and a note referencing generic API/AI fuzzing methodology

🎯 Content Summary

Overview: The blog describes a large-scale methodology for finding broken access control, IDOR, and sensitive data exposure issues in Google APIs by combining leaked/embedded Google API keys, Google discovery documents, first-party authentication token generation, API key restriction handling, custom tooling, and AI-assisted fuzzing. The author reports that the system found about $500,000 in Google VRP bugs in less than 3 months. No CVEs are mentioned.

Google discovery ...

🔧 Technical Details

Discovery-document-driven API recon: When an API ecosystem exposes Swagger/OpenAPI-like discovery documents, use them as a machine-readable attack-surface map. Enumerate hosts, request /$discovery/rest, and parse resources, methods, paths, parameters, request schemas, and response schemas. If the platform supports hidden visibility labels, enumerate labels such as ?labels=GOOGLE_INTERNAL and compare response sizes/method sets. In Google APIs, a true nonexistent method generally returns an HTML 404, while a JSON 404 with Method not found. can mean the API key's project lacks a required visibility label.

API key harvesting and ownership filtering: Embedded client-side API keys from mobile apps, web apps, and binaries may expose additional APIs enabled on the same cloud project. At scale, collect keys from APKs/IPAs/browser traffic/binaries, preserve metadata about where each key was found, and intentionally call a disabled API...

🤖 Agent Actions

Updated src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md.

Added concise technical content covering:

• discovery-document-driven recon with /$discovery/rest
• visibility-label probing like labels=GOOGLE_INTERNAL
• project-number leakage for key ownership filtering
• replaying restricted keys with Referer, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert
• clients6.google.com / origin-whitelist gotchas
• schema-driven fuzzing methodology
• the unauthenticated direct-object-reference pattern using gaiaId

Also added a final ## References section with the blog URL and Google APIs Explorer.

Validation:

• Re-read the modified file successfully
• Confirmed one ## References section and correct banner placement
• mdbook build could not be run because mdbook is not installed in this environment

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://brutecat.com/articles/hacking-google-with-ai

Content Categories: Based on the analysis, this content was categorized under "Pentesting Cloud > GCP Pentesting > GCP - Unauthenticated Enum & Access > GCP - API Keys Unauthenticated Enum, with possible cross-links to GCP - Basic Information / GCP - Services and a note referencing generic API/AI fuzzing methodology".

Repository Maintenance:

• MD Files Formatting: 586 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0