
Google hacking for penetration tester - part 38 pdf


such as credit card numbers and social security numbers isn’t a great idea either, as an interloper could easily capture that information. It’s better instead to enter pieces of that information. Be creative, but don’t open yourself to exposure while trying to protect yourself!

Q: Many passwords grant access to meaningless services. Why should I be worried about the password for a useless service leaking out to the Web?

A: Studies have shown that the majority of people often opt for the easiest path to completing a task. In the world of security, this means that many people share passwords (or password cues) across many different applications on many different servers. So, you can see that one compromised password can provide clues about passwords used on other systems. Most policies forbid this type of password sharing, but this restriction is often hard to enforce.

Usernames, Passwords, and Secret Stuff, Oh My! • Chapter 9

Chapter 10

Hacking Google Services

Solutions in this chapter:

■ AJAX Search API
■ Calendar
■ Blogger and Google’s Blog Search
■ Signaling Alerts
■ Google Co-op
■ Google Code

AJAX Search API

The AJAX Search API is one of the leading Google services on the AJAX front. This service is meant as a replacement for the older SOAP search service, support for which was discontinued some time ago. The AJAX Search API is considered to be more powerful than the SOAP service and easier to work with. The primary goal of the service is to enable external websites to host Google-supplied gadgets which provide searching facilities within or outside of the hosting website and also among video clips, maps, blogs, custom search engines, etc. The default interface of the service looks as shown in Figure 10.1.

Figure 10.1 Google AJAX Search API Dialog

The search dialog in Figure 10.1 is divided into several sections.
Each section represents a search category: Local, Web, Video, Blog, News and Book. Having all results in a single place is particularly useful, since we can perform interesting queries and get instant feedback across the entire Google platform. This is where the Search API shines best. Let’s try a query for firefox, as shown in Figure 10.2. Simply visit the http://www.google.com/uds/samples/apidocs/helloworld.html demonstration application and type the query.

Figure 10.2 AJAX Search for “firefox”

Notice that the AJAX API result set also contains an Image search section with the most relevant results. In the following section we are going to have a more detailed look at the AJAX API Search service.

Embedding Google AJAX Search API

The Google AJAX Search API was designed to be embedded within external pages. This makes the service rather useful, since we can construct custom interfaces for better accessing the Google infrastructure. In order to start using the AJAX Search API you need to have some understanding of JavaScript and AJAX programming and an API key which you can generate yourself. Assuming basic understanding of AJAX, we will concentrate on the interesting stuff around the service itself.

In order to generate an API key, simply visit the AJAX Search API Home page at http://code.google.com/apis/ajaxsearch. After clicking Start using the Google AJAX Search API, you will be presented with a page similar to the one shown in Figure 10.3.

Figure 10.3 AJAX Search API Key Generation

You need to provide a URL where the service will be accessed from. If you are planning to host the application from a simple page on your desktop, you can input just about anything you choose. In fact, this option seems to be largely irrelevant.
For the purpose of this demonstration, we will use http://dummy as this URL. Most applications work with the internal Google key which is used across all API demo applications.

After accepting Google’s terms and conditions you will be taken to a page that presents the actual Google API key, which is specifically generated for the previously supplied URL. This page also gives you an example of how to use the AJAX Search box. This is the code that was generated for us:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
    <title>My Google AJAX Search API Application</title>
    <link href="http://www.google.com/uds/css/gsearch.css" type="text/css" rel="stylesheet"/>
    <script src="http://www.google.com/uds/api?file=uds.js&amp;v=1.0&amp;key=ABQIAAAAsFym1Ew5o48zXESOPhV4ExSFOvRczLyAyj57qAvViVrKq19E6hSZhJSVQBi2HRSzsW1XyZzxdffdfQ" type="text/javascript"></script>
    <script language="Javascript" type="text/javascript">
    //<![CDATA[
    function OnLoad() {
      // Create a search control
      var searchControl = new GSearchControl();

      // Add in a full set of searchers
      var localSearch = new GlocalSearch();
      searchControl.addSearcher(localSearch);
      searchControl.addSearcher(new GwebSearch());
      searchControl.addSearcher(new GvideoSearch());
      searchControl.addSearcher(new GblogSearch());

      // Set the Local Search center point
      localSearch.setCenterPoint("New York, NY");

      // Tell the searcher to draw itself and tell it where to attach
      searchControl.draw(document.getElementById("searchcontrol"));

      // Execute an initial search
      searchControl.execute("Google");
    }
    GSearch.setOnLoadCallback(OnLoad);
    //]]>
    </script>
    </head>
    <body>
    <div id="searchcontrol">Loading </div>
    </body>
    </html>

Copy the code and paste it inside a new file named test.html, for
example. Now open the file in your browser. You should be able to see a page similar to the one shown in Figure 10.4.

Figure 10.4 Test AJAX Search Page

Let’s take a look at what we have done so far. The generated HTML code reveals some of the basic characteristics of the API. First, the code loads the AJAX Search API default style sheet (CSS), followed by a JavaScript script reference:

    <script src="http://www.google.com/uds/api?file=uds.js&amp;v=1.0&amp;key=ABQIAAAAsFym1Ew5o48zXESOPhV4ExSFOvRczLyAyj57qAvViVrKq19E6hSZhJSVQBi2HRSzsW1XyZzxdffdfQ" type="text/javascript"></script>

This script loads a couple of JavaScript wrapper classes, which are used as a more convenient way to access the API. As we are going to learn from the following sections, we don’t really need them since we can access the API directly (i.e. raw accesses). Next, another script block is defined, which initializes the environment and configures the AJAX Search control box. This is done within the OnLoad function, which is called after Google finishes loading all dependencies required to render the graphical environment:

    function OnLoad() {
      // Create a search control
      var searchControl = new GSearchControl();

      // Add in a full set of searchers
      var localSearch = new GlocalSearch();
      searchControl.addSearcher(localSearch);
      searchControl.addSearcher(new GwebSearch());
      searchControl.addSearcher(new GvideoSearch());
      searchControl.addSearcher(new GblogSearch());

      // Set the Local Search center point
      localSearch.setCenterPoint("New York, NY");

      // Tell the searcher to draw itself and tell it where to attach
      searchControl.draw(document.getElementById("searchcontrol"));

      // Execute an initial search
      searchControl.execute("Google");
    }

The second line in the OnLoad function initializes a Google Search control object. The search control object
can reference as many search engines as we need. We can even define our own, but in this example we will set the default ones, which are GwebSearch, GvideoSearch, GblogSearch and GlocalSearch (i.e. Google Local Search). At the end of this block, the controller is rendered on the current page with the draw function, which takes as a parameter an element from the DOM tree which will hold the Search box.

This search box can be customized in many different ways. For example, we can change the colors, re-order the search sections and even supply custom search engines, which we will discuss later in this chapter.

For more basic information refer to the Google AJAX Search API documentation, which can be found at the following URL: http://code.google.com/apis/ajaxsearch.

Deeper into the AJAX Search

Now that we have seen how to embed the AJAX Search box, it is time to come up with something more interesting. As you probably noticed, the AJAX Search form is a good place to start experimenting with the service, but it does not provide the level of flexibility hackers usually work with. For that reason we need to dig deeper into the AJAX Search API and discover the more interesting characteristics of the service. For the next step we are going to make use of an HTTP request listener. We are going to use Firefox as our primary tool for development.

There are a couple of prerequisites. Most of all you’ll need Firefox, which can be downloaded from www.mozilla.com/firefox. We’ll also make use of a Firefox Extension known as “LiveHTTP Headers”, which can be downloaded from https://addons.mozilla.org/en-US/firefox/addon/3829. After installing the extension, restart Firefox.

The LiveHTTPHeaders extension allows us to analyze and replay HTTP requests. In case you want to monitor traffic, you can simply open the extension window in your browser sidebar by selecting View | Sidebar | LiveHTTPHeaders. On the other hand, in case
you need to use the request replay feature you may want to open it in a separate window, by selecting Tools | LiveHTTPHeaders, as shown in Figure 10.5.

Figure 10.5 LiveHttpHeaders Main Window

Traffic monitoring tools such as the LiveHTTPHeaders extension are essential to web application security testers. These tools reveal what is happening in the background and provide features for disassembling and reassembling the generated requests, easily exposing fundamental application vulnerabilities and insights into the tested application’s inner workings.

Once the environment is ready, we are able to start hacking into the AJAX search logic. The plan is to set the LiveHTTP Headers extension to listen for all the traffic while we are making subsequent queries to the service. Then we are going to look at the generated output and figure out what request needs to be made in order to mimic the AJAX form behavior. We are going to use that in the next section of this chapter, where we are going to talk about writing custom search engines for good or malicious purposes. But first, let’s dig.

From within Firefox, enable the LiveHTTPHeaders extension and visit a page that contains an AJAX Search dialog, such as www.google.com/uds/samples/apidocs/helloworld.html. After submitting a query, LiveHTTPHeaders will reveal what happens behind the scenes. From within the results page, be sure to enable the show all results button located at the right of each section as shown in Figure 10.6. It is essential to do that for the
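The disassemble-and-reassemble step that the text attributes to traffic monitoring tools, as an added example that is not from the book: it parses a captured request head into its parts and rebuilds it with one query parameter changed. The capture is constructed from the script reference in the generated page, KEY_PLACEHOLDER and OTHER_PLACEHOLDER stand in for API keys, and parseRequest and buildRequest are hypothetical helper names.

```javascript
// Constructed sample: the request a browser sends for the script reference in
// the generated page, in the header-dump form a capture tool displays.
// KEY_PLACEHOLDER stands in for the API key; header values are illustrative.
const CAPTURED = [
  "GET /uds/api?file=uds.js&v=1.0&key=KEY_PLACEHOLDER HTTP/1.1",
  "Host: www.google.com",
  "Accept: */*",
  "",
  "",
].join("\r\n");

// Disassemble a raw request head into method, path, query parameters, headers.
function parseRequest(raw) {
  const lines = raw.split(/\r?\n/);
  const match = /^([A-Z]+) (\S+) (HTTP\/\d\.\d)$/.exec(lines[0]);
  if (!match) throw new Error("malformed request line: " + lines[0]);
  const [, method, target, version] = match;
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break; // a blank line ends the header block
    const idx = line.indexOf(":");
    if (idx < 1) throw new Error("malformed header: " + line);
    // Header names are case-insensitive, so normalise them to lower case.
    headers[line.slice(0, idx).toLowerCase()] = line.slice(idx + 1).trim();
  }
  // Resolve the request target against the Host header to split path and query.
  const url = new URL(target, "http://" + (headers.host || "host.invalid"));
  return { method, version, headers, path: url.pathname,
           params: Object.fromEntries(url.searchParams) };
}

// Reassemble a request head, optionally overriding query parameters, which is
// what replaying a captured request with one value changed amounts to.
function buildRequest(req, overrides = {}) {
  const query = new URLSearchParams({ ...req.params, ...overrides }).toString();
  const target = req.path + (query ? "?" + query : "");
  const head = [`${req.method} ${target} ${req.version}`];
  for (const [name, value] of Object.entries(req.headers)) {
    head.push(`${name}: ${value}`);
  }
  return head.join("\r\n") + "\r\n\r\n";
}

const parsed = parseRequest(CAPTURED);
console.log(parsed.params); // every value that leaves the browser in the URL
console.log(buildRequest(parsed, { key: "OTHER_PLACEHOLDER" }));
```

The parsed parameters show that the key travels in the query string of a plain HTTP request, so anything that observes the request line, such as a proxy or server log, also sees the key.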

Date posted: 04/07/2014, 17:20
