Comments on: Google Search API Worms 2

By: GNUCITIZEN » Google AJAX Feed API Dangers

GNUCITIZEN » Google AJAX Feed API Dangers — Thu, 19 Apr 2007 12:34:08 +0000

[...] Recently Google has released their AJAX Feed API which helps developers to create web mashups by consuming RSS and Atom feeds from 3rd-party web sites. Just like Google’s AJAX Search API, the Feed API can be abused to create and spread web malware. For more information about Google AJAX Search API security aspects, you can read here, here and here. [...]

By: Kishor

Kishor — Fri, 06 Oct 2006 10:31:20 +0000

Oh, I see. It does not return a javascript object. I thought it returned something like
var b = {…} and then we use it as b.attribute
I should have looked at it carefully.

By: pdp

pdp — Fri, 06 Oct 2006 08:53:46 +0000

yes, but the problem is that this code will result in nothing. If only searchmash supports callbacks than a lot of things could happen.

By: Kishor

Kishor — Fri, 06 Oct 2006 08:39:01 +0000

Man I got what you are saying.
Fire this query
http://www.searchmash.com/resu.....CQods6p4PA

You will get a response with content type as javascript!

Use this URL to spread the worm!

When you search e.g for Wordpress, you will definitely get better and accurate results than google api. And thats what you want!

Coooool!

By: pdp

pdp — Thu, 05 Oct 2006 01:36:01 +0000

hi maluc,

Thanks for the comment. I am trying my best to put as many and interesting stuff as possible. I hope that the spirit of this blog will remain the same in the future. Thanks

By: maluc

maluc — Wed, 04 Oct 2006 08:23:46 +0000

ah, can’t wait.. i’ll be interested to see if the ajax-ness of it provides any extras capabilities. Although for alot of webapp vulnerabilities, google and yahoos APIs are sufficient for locating more vulnerable sites.

And for those not well versed in javascript worm writing and mitigation, those APIs are about as important for jscript worms as xmlhttp[request] is for xss/csrf .. it’s always been possible with a command and control server, but using google/yahoo means immense bandwidth and much harder to take down.

Anyways, first time to post but’ve been following for your blog since the backdooring series, keep up the good work ^^

By: pdp

pdp — Wed, 04 Oct 2006 04:28:39 +0000

hi maluc,

There is no API! However, if you carefully watch the request/responds while surfing though SearchMash you will be able to see that the entire application depends on JSON. This is cross domain pulling mechanism that can be automated quite easily with JavaScript.

However, I did’t make it clear that SearchMash does not support callback functionalities, my bad. This means that when pulling information with SCRIPT elements the script that will be evaluated is useless. There are a couple of workarounds to this problem and I will discuss them as soon as I get my notes fixed.

Thanks for the question. Very good one!

By: maluc

maluc — Wed, 04 Oct 2006 04:20:05 +0000

I’ve checked out the site, and looked online .. but i don’t see anywhere about SearchMash supplying an API for it. It’s stands to reason that it may have one in the future, since Google does.. but maybe i missed something?

can searchmash be used for javascript propogation as well? Because I don’t see it.