Question about the Google Drive vulnerability #10
Description
I find it hard to understand which component reads your custom SSRF header introduced here https://github.com/httpvoid/writeups/blob/main/Hacking-Google-Drive-Integrations.md#private-programs-partial-read-ssrf. You are using request smuggling (pipelining) but both requests, the original one as well as the extra one you are injecting, will hit http://www.googleapis.com/.
I understand that you may be using your own server to serve the downloadUrl url, but I'm still not following how that server of yours can receive the SSRF header value.
Any chance you could clarify it please?