Google Search API Worms
One of the main disadvantages of AJAX is the lack of cross-domain request capabilities. In simple words, a web object from one site cannot access one served by a different site. The reason for this security feature lies deep inside every modern browser's security sandbox, which is responsible for keeping your personal information private and safe.
First of all, it is essential to understand how to use the API. The technique is actually quite simple: a SCRIPT element carries a request to Google and the response comes back as JSON. For example:
Upon execution, the code above returns the title of the first section of the result set and displays it in an alert box. The reader may expand on that technique.
Going back to my example, the entire logic is carried by the SCRIPT element. There are several important bits in the SCRIPT URL that need to be understood. The first one is the callback field: the name of the function that handles the response. The second important field is the key. Google has a flexible system where keys are issued per URL; in this example the key is the generic one found in all of Google's examples. The last important bit is the actual query, which holds the terms that Google will evaluate. When loaded by the browser, the SCRIPT element evaluates the content pointed to by the URL in its src attribute, which results in a call to the callback function.
Queries such as admin ext:aspx and aspx ext:aspx produce different results, yet all of them refer to *.aspx files. So by using a query fuzzer, which randomizes the search phrase, more results can be extracted.
Knowing how to use the Google AJAX Search API is only one side of the story. The other, and probably the more interesting one, is how this can be used by web worms. Let’s have a look at a couple of examples.
Web worms can use Google’s infrastructure to propagate. If a malicious mind finds a vulnerability in WordPress, for example, and this vulnerability allows SQL Injection, a worm may be written to crawl blogs in search of this vulnerability and embed itself into everything that is vulnerable. Once a user visits an infected blog, the worm starts another cycle.
Another worm might crawl random sites, run generic Cross-site Scripting and SQL Injection checks and send the results to its master, who would use them to release more advanced worms.
Malicious minds can use Google technology and recently discovered vulnerabilities to create a BotNet that can be used for computational tasks, attacks, information gathering and pretty much anything else the masters can come up with.
Unfortunately, I am just the messenger. Although I am not aware of any worms available that make use of this technique, I won’t be surprised if I see some in the near future. Malicious content in Web Pages, Flash, QuickTime and PDF has suddenly become one of the most common threats we face today.
In my mind I picture a protection system similar to what we have with today’s AntiVirus agents: a signature scanner that goes through every page we visit. A Firefox extension that can do that would be quite handy.
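As an added example (not code from the original post), here is a small page scanner in the spirit of the signature checker pictured above: it walks the SCRIPT elements of a page and flags the pattern explained earlier, a cross-domain SCRIPT whose src carries a JSONP callback and an API key, with an extra flag when the query uses a search operator such as ext:aspx. The host names, the sample HTML and the query parameter name "q" are constructed assumptions.

```javascript
// Added example (not code from the original post): a page scanner in the
// spirit of the signature checker described above. It flags SCRIPT elements
// whose src is a cross-domain URL carrying a JSONP callback and an API key,
// the mechanism the post explains. Host names, the sample HTML and the query
// parameter name "q" are constructed assumptions.

const PAGE_ORIGIN = "https://blog.example"; // constructed origin of the scanned page

// Pull src attributes out of <script> tags in static HTML text.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  for (let m; (m = re.exec(html)) !== null; ) srcs.push(m[1]);
  return srcs;
}

// Same-origin includes and plain third-party libraries are "library".
// A cross-domain src with a callback parameter is the SCRIPT-as-data-channel
// pattern ("jsonp"); if its query also uses a search operator such as
// "ext:aspx" it is reported as "jsonp-search".
function classifyScriptSrc(src, pageOrigin = PAGE_ORIGIN) {
  let url;
  try { url = new URL(src, pageOrigin); } catch { return { src, verdict: "unparseable" }; }
  const crossDomain = url.origin !== new URL(pageOrigin).origin;
  const callback = url.searchParams.get("callback");
  if (!crossDomain || callback === null) return { src, verdict: "library", crossDomain };
  const query = url.searchParams.get("q"); // assumed parameter name for the search terms
  const usesOperator = query !== null && /\b\w+:\S+/.test(query);
  return {
    src, crossDomain, callback, query,
    hasKey: url.searchParams.has("key"),
    verdict: usesOperator ? "jsonp-search" : "jsonp",
  };
}

function scanPage(html, pageOrigin = PAGE_ORIGIN) {
  return extractScriptSrcs(html).map((s) => classifyScriptSrc(s, pageOrigin));
}

// Constructed sample page: a local script, a CDN library and one JSONP search call.
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://search-api.example/ajax?callback=handle&key=PLACEHOLDER_KEY&q=admin+ext%3Aaspx"></script>
`;

for (const r of scanPage(SAMPLE_HTML)) console.log(r.verdict, r.src);
```

A browser extension would feed the live document's script list into classifyScriptSrc instead of the constructed HTML, and would warn on any "jsonp-search" verdict.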