Google Search API Worms 2

I covered Google AJAX Search API functionalities a week ago. I also provided my view why this service is practically dangerous and how it can be used by AJAX/JavaScript based worms to propagate. It seams that the situations have become a lot more interesting since Google released a full blown AJAX Search Service called SearchMash.

I am not planning to go into details again why and how SearchMash can be used for malicious purposes. Anyone who is interested in this subject can preview my previous article here. The extensive comment log is also quite interesting.

I am planning to implement some of the SearchMash features into AttackAPI GoogleSearch module in the 0.9 release. I really like what the Google guys are doing but at the same time I can clearly see the dangerous side of their work.

Archived Comments

maluc

I've checked out the site, and looked online .. but i don't see anywhere about SearchMash supplying an API for it. It's stands to reason that it may have one in the future, since Google does.. but maybe i missed something? can searchmash be used for javascript propogation as well? Because I don't see it.

pdp

hi maluc, There is no API! However, if you carefully watch the request/responds while surfing though SearchMash you will be able to see that the entire application depends on JSON. This is cross domain pulling mechanism that can be automated quite easily with JavaScript. However, I did't make it clear that SearchMash does not support callback functionalities, my bad. This means that when pulling information with SCRIPT elements the script that will be evaluated is useless. There are a couple of workarounds to this problem and I will discuss them as soon as I get my notes fixed. Thanks for the question. Very good one!

maluc

ah, can't wait.. i'll be interested to see if the ajax-ness of it provides any extras capabilities. Although for alot of webapp vulnerabilities, google and yahoos APIs are sufficient for locating more vulnerable sites. And for those not well versed in javascript worm writing and mitigation, those APIs are about as important for jscript worms as xmlhttp[request] is for xss/csrf .. it's always been possible with a command and control server, but using google/yahoo means immense bandwidth and much harder to take down. Anyways, first time to post but've been following for your blog since the backdooring series, keep up the good work ^^

pdp

hi maluc, Thanks for the comment. I am trying my best to put as many and interesting stuff as possible. I hope that the spirit of this blog will remain the same in the future. Thanks.

Kishor

Man I got what you are saying. Fire this query http://www.searchmash.com/results/images:wordpress?n=3&ei=CJKWp-6F5IcCFQNICQods6p4PA You will get a response with content type as javascript! Use this URL to spread the worm! When you search e.g for Wordpress, you will definitely get better and accurate results than google api. And thats what you want! Coooool!

pdp

yes, but the problem is that this code will result in nothing. If only searchmash supports callbacks than a lot of things could happen.

Kishor

Oh, I see. It does not return a javascript object. I thought it returned something like var b = {...} and then we use it as b.attribute I should have looked at it carefully.