Web section so we get the complete query. Notice that many of the results point to .jpg, .gif or png images.There are quite a few going to the Ad Indicator service provided by Google, but the most interesting ones are those that point to GwebSearch service. Figure 10.7 shows what the live capture might look like. Figure 10.6 Show all Results Button Figure 10.7 LiveHTTP Headers Capture Figure 10.7 shows the format of the URL that is used to retrieve the queries. Here is an example: Hacking Google Services • Chapter 10 381 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 381 http://www.google.com/uds/GwebSearch?callback=GwebSearch.RawCompletion&context=0&ls tkp=0&rsz=large&hl=en&gss=.com&sig=51248261809d756101be2fa94e0ce277&q=VW%20Beetle&k ey=internal&v=1.0 Table 10.1 lists each of the GET parameters and describes what they do. Table 10.1 GET Parameters parameter value description callback GwebSearch.RawCompletion the callback JavaScript function the results context 0 - lstkp 0 - rsz large the size of the query hl en language preferences gss .com - sig 51248261809d756101be2fa94e0ce277 - q VW%20Beetle the actual query/search key internal the key (use the internal key) v 1.0 version of the API As an exercise, we can build a URL from these parameters, providing different values that we think are suitable for the task. For example: www.google.com/uds/GwebSearch?callback=our_callback&context=0&rsz=large&q=GHDB&key= internal&v=1.0 Notice that we have changed the callback parameter from “GwebSearch.Raw Completion” to “our_callback”, and we are executing a search for GHDB. Executing this URL inside your browser will result in a JavaScript return call.This technique is also known as JavaScript on Demand or JavaScript remoting, and the results of this are shown below. our_callback('0',{"results":[{"GsearchResultClass":"GwebSearch","unescapedUrl":"htt p://johnny.ihackstuff.com/index.php?module\u003Dprodreviews","url":"http://johnny.i hackstuff.com/index.php%3Fmodule%3Dprodreviews","visibleUrl":"johnny.ihackstuff.com ","cacheUrl":"http://www.google.com/search?q\u003Dcache:IS5G5YGJmHIJ:johnny.ihackst uff.com","title":"johnny.ihackstuff.com - Home","titleNoFormatting":"johnny.ihackstuff.com - Home","content":"Latest Downloads. File Icon \u0026quot;No-Tech Hacking\u0026quot; Sample Chapter \u0026middot; File Icon Yo Yo SKillz #1 \u0026middot; File Icon Aggressive Network Self-Defense Sample Chapter \u003Cb\u003E \u003C/b\u003E"},{"GsearchResultClass":"GwebSearch","unescapedUrl": "http://johnny.ihackstuff.com/ghdb.php","url":"http://johnny.ihackstuff.com/ghdb.ph p","visibleUrl":"johnny.ihackstuff.com","cacheUrl":"http://www.google.com/search?q\ u003Dcache:MxfbWg9ik-MJ:johnny.ihackstuff.com","title":"Google Hacking 382 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 382 Database","titleNoFormatting":"Google Hacking Database","content":"Welcome to the Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)! We call them \u0026#39;googledorks\u0026#39;: Inept or foolish people as revealed by Google. Whatever you call these fools, \u003Cb\u003E \u003C/b\u003E"},{"GsearchResultClass":"GwebSearch","unescapedUrl": "http://ghh.sourceforge.net/","url":"http://ghh.sourceforge.net/","visibleUrl":"ghh .sourceforge.net","cacheUrl":"http://www.google.com/search?q\u003Dcache:WbkSIUl0UtM J:ghh.sourceforge.net","title":"GHH - The \u0026quot;Google Hack\u0026quot; Honeypot","titleNoFormatting":"GHH - The \u0026quot;Google Hack\u0026quot; Honeypot","content":"\u003Cb\u003EGHDB\u003C/b\u003E Signature #734 (\u0026quot;File Upload Manager v1.3\u0026quot; \u0026quot;rename to\u0026quot;) \u003Cb\u003E \u003C/b\u003E \u003Cb\u003EGHDB\u003C/b\u003E Signatures are maintained by the johnny.ihackstuff.com community. \u003Cb\u003E \u003C/b\u003E"},{"GsearchResultClass":"GwebSearch","unescapedUrl": "http://thebillygoatcurse.com/11/","url":"http://thebillygoatcurse.com/11/","visibl eUrl":"thebillygoatcurse.com","cacheUrl":"http://www.google.com/search?q\u003Dcache :O30uZ81QVCcJ:thebillygoatcurse.com","title":"TheBillyGoatCurse.com \u00BB Blog Archive \u00BB Convert \u003Cb\u003EGHDB\u003C/b\u003E","titleNoFormatting":"TheBillyGoatCurse.com \u00BB Blog Archive \u00BB Convert GHDB","content":"The Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E) has one problem\u2026 it only uses the Google search index. The trouble is that advanced search syntax can differ between \u003Cb\u003E \u003C/b\u003E"},{"GsearchResultClass":"GwebSearch","unescapedUrl": "http://www.ethicalhacker.net/index.php?option\u003Dcom_smf\u0026Itemid\u003D35\u00 26topic\u003D184.msg328;topicseen","url":"http://www.ethicalhacker.net/index.php%3F option%3Dcom_smf%26Itemid%3D35%26topic%3D184.msg328%3Btopicseen","visibleUrl":"www. ethicalhacker.net","cacheUrl":"http://www.google.com/search?q\u003Dcache:EsO7aMyCR6 wJ:www.ethicalhacker.net","title":"The Ethical Hacker Network - Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)","titleNoFormatting":"The Ethical Hacker Network - Google Hacking Database (GHDB)","content":"The Ethical Hacker Network - Your educational authority on penetration testing and incident response., Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)"},{"GsearchResultClass":"GwebSearch","unescapedUr l":"http://snakeoillabs.com/downloads/GHDB.xml","url":"http://snakeoillabs.com/down loads/GHDB.xml","visibleUrl":"snakeoillabs.com","cacheUrl":"http://www.google.com/s earch?q\u003Dcache:5nsf_DfjX4YJ:snakeoillabs.com","title":"\u003Cb\u003Eghdb\u003C/ b\u003E xml","titleNoFormatting":"ghdb xml","content":"PS: this vulnerability was found early this year (search google for the full report), but was never added to the \u003Cb\u003EGHDB\u003C/b\u003E for some reason. \u003Cb\u003E \u003C/b\u003E"},{"GsearchResultClass":"GwebSearch","unescapedUrl": "http://www.gnucitizen.org/projects/ghdb","url":"http://www.gnucitizen.org/projects /ghdb","visibleUrl":"www.gnucitizen.org","cacheUrl":"http://www.google.com/search?q \u003Dcache:dPVtU_3tmnMJ:www.gnucitizen.org","title":"\u003Cb\u003EGHDB\u003C/b\u00 3E | GNUCITIZEN","titleNoFormatting":"GHDB | GNUCITIZEN","content":"\u003Cb\u003EGHDB\u003C/b\u003E (aka Google Hacking Database) is HTML/JavaScript wrapper application that uses advance JavaScript techniques to scrape information from Johnny\u0026#39;s Google \u003Cb\u003E \u003C/b\u003E"},{"GsearchResultClass":"GwebSearch","unescapedUrl": "http://www.ghdb.org/","url":"http://www.ghdb.org/","visibleUrl":"www.ghdb.org","ca cheUrl":"http://www.google.com/search?q\u003Dcache:Y6lwVyfCQw8J:www.ghdb.org","titl e":"Menu","titleNoFormatting":"Menu","content":"\u003Cb\u003E \u003C/b\u003E to Hacking Google Services • Chapter 10 383 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 383 contact us for any reason, or maybe just leave a comment (good, bad or ugly, but not offensive) in our guestbook. Best regards The team at \u0026#39;\u003Cb\u003EGHDB\u003C/b\u003E\u0026#39; \u003Cb\u003E \u003C/b\u003E"}],"adResults":[]}, 200, null, 200) Hacking into the AJAX Search Engine Now that we know how to query Google through their AJAX interface, let’s see how we can access the data. We will begin with the following HTML, which can be pasted into a blank html file and opened with a browser: <html> <head> <title>Hacking AJAX API</title> </head> <body> <script> function our_callback(a, b, c, d, e) { for (var i = 0; i < b.results.length; i++) { var link = document.createElement('a'); link.href = b.results[i].url; link.innerHTML = b.results[i].url; document.body.appendChild(link); var br = document.createElement('br'); document.body.appendChild(br); } } </script> <script type="text/javascript" &q=GHDB&key=internal&v=1.0"></script> </body> </html> This code will make submit a request for GHDB to Google’s GwebSearch service. Notice that the callback parameter points back to our_callback, which is defined early in the code.The function simply grabs that data and presents it inside the page DOM (Document Object Model) in the form of links. 384 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 384 Although this looks interesting, there is a lot more that we can do. Let’s have a look at the following example which dynamically grabs all entries from a particular category from the Google Hacking Database, performs test queries and lists the results within a single page: <html> <head> <title>GHDB Lister</title> </head> <body> <script> function get_json(url, callback) { var name = '__json_' + (new Date).getTime(); var s = document.createElement('script'); s.src = url.replace('{callback}', name); window[name] = callback; document.body.appendChild(s); } get_json('http://www.dapper.net/transform.php?dappName=GoogleHackingDatabaseReader& transformer=JSON&extraArg_callbackFunctionWrapper={callback}&applyToUrl=http%3A//jo hnny.ihackstuff.com/ghdb.php%3Ffunction%3Dsummary%26cat%3D19', function (data) { console.log(data); for (var i = 0; i < data.groups.entry.length; i++) { var query = data.groups.entry[i].query[0].value; var description = data.groups.entry[i].description[0].value; get_json('http://www.google.com/uds/GwebSearch?callback={callback}&context=0&rsz=la rge&q=' + escape(query) + '&key=internal&v=1.0', function (a, b, c, d, e) { if (!b) { return; } for (var i = 0; i < b.results.length; i++) { Hacking Google Services • Chapter 10 385 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 385 var link = document.createElement('a'); link.href = b.results[i].url; link.innerHTML = b.results[i].url; document.body.appendChild(link); var br = document.createElement('br'); document.body.appendChild(br); } }); } }); </script> </body> </html> After running the example, you will be provided with a page similar to the one shown on Figure 10.8. Figure 10.8 Result Page 386 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 386 Let’s examine the file. As you can see the page has only one script block.This block is responsible for obtaining a list of queries from the GHDB via the Dapper (http://dapper.net) screen scraping service. We scrape the URL http://johnny.ihackstuff.com/ghdb.php?function=summary&cat=19 which corresponds to GHDB entry 19 also known as “Advisories and Vulnerabilities”.The scraper obtains several other interesting things that we are not interested for now. Notes from the Underground… Screen Scraping with Dapper Using Dapper to screen scrape various security related databases and using the infor- mation as part of a well planned client-side oriented attack vector was discussed for the first time in OWASP, Italy 2007 by the author, Petko D. Petkov, also known as pdp (architect). For more information on the topic you can visit http://www.gnucitizen.org and http://www.gnucitizen.org/projects/6th-owasp-conference. Once the list is retrieved, we enumerate each entry and build the custom Google AJAX API queries: get_json('http://www.google.com/uds/GwebSearch?callback={callback}&context=0 &rsz=large&q=' + escape(query) + '&key=internal&v=1.0', As you can see, instead of a static string, we actually supply a query that is taken from the information obtained from GHDB. The subsequent request to Google AJAX Search API will retrieve the sample results and the callback functions will render them inside the page DOM. It is important to understand the purpose of the function get_json. This function is just a helper that saves us a lot of time writing the same procedures over and over again. The get_json function simply generates a unique name for the callback param- eter and assigns it at the global scope. Then, it supplies the name to the callback field marked with the placeholder {callback} and calls the external script. This technique was successfully implemented as part of the GHDB Proof of Concept application hosted at http://www.gnucitizen.org/ghdb (Figure 10.9). Hacking Google Services • Chapter 10 387 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 387 Figure 10.9 GNUCITIZEN GHDB The application scrapes all the information from Johnny Long’s Google Hacking Database at http://johnny.ihackstuff.com, dynamically and presents it to the user in a nice graphical form.You can browse through each vector by selecting a category and then selecting the query that you are interested in. Notice that the application provides a live feedback every time we select a query.The bottom part of the window contains the top searches, obtained by Google’s AJAX Search API interface. Notes from the Underground… XSS and AJAX Worms This technique can be implemented by XSS/AJAX worms to locate targets and exploit them, thus ensuring future generations. XSS/AJAX worms usually propagate within the domain of origin. This is due to inability of JavaScript to perform cross-site requests. The technique presented in this chapter allows worms to bypass the JavaScript restrictions and access other resources on-line. For more information on the subject please check the following resources: http://www.gnucitizen.org/blog/google- search-api-worms, http://www.gnucitizen.org/projects/ghdb and http://www.gnucit- izen.org/blog/the-web-has-betrayed-us. 388 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 388 Calendar Google Calendar is powerful calendar management application which supports features like calendar sharing, creation of invitations, search and calendar publishing.The service is also integrated with Google Mail (GMail) and can be accessed via a Mobile device. All in all, Google Calendar is very useful addition to our day-to-day work. Calendar sharing in particular is a very useful feature since individual users can maintain event lists and calendars to which others may be interested in as well. Usually in order to share a calendar you have to explicitly do so from the calendar management interface as shown in Figure 10.10. Figure 10.10 Calendar Management Interface Once the calendar is shared, everyone will be able to look at it or even subscribe to the events that are inside.This can be done via the Calendar application or any RSS feed reader. As a security expert, these shared calendars are especially interesting. Very often, even when performing the most basic searches, it is entirely possible to stumble across sensitive information that can be used for malicious purposes. For example, logging into Calendar and searching for the term “password” returns many results as shown in Figure 10.11. Hacking Google Services • Chapter 10 389 452_Google_2e_10.qxd 10/5/07 1:12 PM Page 389 Figure 10.11 Calendar Search for “password” As you can see, there are several calendar entries that meet our search criteria. Among them, there are a few that are quite interesting and worth our attention. Another interesting query that brings a lot of juicy information is “passcode”, as shown in Figure 10.12. Figure 10.12 Calendar Search for “passcode” 390 Chapter 10 • Hacking Google Services 452_Google_2e_10.qxd 10/5/07 1:13 PM Page 390 . http://www.gnucitizen.org/blog /google- search-api-worms, http://www.gnucitizen.org/projects/ghdb and http://www.gnucit- izen.org/blog/the-web-has-betrayed-us. 388 Chapter 10 • Hacking Google Services 452 _Google_ 2e_10.qxd. 382 Database","titleNoFormatting":" ;Google Hacking Database","content":"Welcome to the Google Hacking Database (u003Cbu003EGHDBu003C/bu003E)! We call them u0026 #39; googledorksu0026 #39; :. u003C/bu003E"},{"GsearchResultClass":"GwebSearch","unescapedUrl": "http://johnny.ihackstuff.com/ghdb.php","url":"http://johnny.ihackstuff.com/ghdb.ph p","visibleUrl":"johnny.ihackstuff.com","cacheUrl":"http://www .google. com/search?q u003Dcache:MxfbWg9ik-MJ:johnny.ihackstuff.com","title":" ;Google Hacking 382 Chapter 10 • Hacking Google Services 452 _Google_ 2e_10.qxd