You are on page 1of 34

Google Hacking and Web

Application Worms

OWASP 2005
Matt Fisher, Sr. Engineer
SPI Dynamics

2005 The OWASP
Happy Anniversary !

Search Engine Hacking Almost Ten Years Old

First solid documentation: SimpleNomad, 1996,

Web Hacking: Pick a site, find the vulnerability

Google Hacking : Pick a vulnerability, find the site.

Don’t Be A Target of Opportunity

OWASP AppSec DC 2005

Just the beginning …

 Non-Public Systems
 Intranets, access-restricted extranets, web services

 Not all internet systems crawled

 Have to request a crawl
 Extranets, customer portals

 Google: very limited crawl

 Robots.txt, forms, javascript
 Linked content only !

 Exposure has to be hard-linked

 No tampering

OWASP AppSec DC 2005

The Perfect Drug

Warning ! Search engine hacking can be highly addictive

Focus on what to look for, not on the search engine.

A Few of my Favorite Things

Source code galore: Need a code sample ? Grab a code sample !

File traversals : full system read access

Command Execution : Executing shell commands through a

browser, basically port 80 telnet.

File Uploads: Don’t like the content ? Make your own !

OWASP AppSec DC 2005

Basic Google Hacking - Using File

OWASP AppSec DC 2005

Works for many other file types

OWASP AppSec DC 2005

Curioser and Curioser

OWASP AppSec DC 2005

Googling for a Recent Exploit – Using

Cross – Site Framing

Site frames content

Content can be external
Frame source specified on client

OWASP AppSec DC 2005


Restricts search
terms to URL itself
Want the
source to be
external; not
Want the source to on the same
be specified in the site qualifier

OWASP AppSec DC 2005

Client-Sided Frame Source

OWASP AppSec DC 2005


OWASP AppSec DC 2005

Directory Traversals !

OWASP AppSec DC 2005


OWASP AppSec DC 2005

Source Code
Database queries. They’re source code.
Hooray Source Code !

OWASP AppSec DC 2005

The Fun Never Stops

If you can read

source code, what
do source code do
you read ?

Depends on what
you’re interested in !

How about some

database connection
strings !

OWASP AppSec DC 2005

The Proverbial Post-It On the Monitor

Yes, those are real live database connection strings

Yes, they contain real live usernames and passwords
No, Special Agent, I didn’t try them out.

OWASP AppSec DC 2005

Web App Hacking’s Cool. Google Hacking’s Cool.

Thought We
Crazy ….

OWASP AppSec DC 2005

Then Santy Climbed Down the Chimney

December 20th 2004


common freeware PHP

Used GOOGLE to ID new


Multiple improved variants

already out

OWASP AppSec DC 2005

Code Review of the Vuln App

URLDecode the input before removing special characters

OWASP AppSec DC 2005

MagicQuotes in PHP

Escapes single quotes

Turns ‘ into \’

Functional : prevents O’Malley and O’Brian

from O’Crashing your query.

MagicQuotes are magically functional, but not

a security feature, and were never meant to

OWASP AppSec DC 2005

Rasmus Lerdof says …

“You always have to escape quotes before you can

insert a string into a database. If you don't, you
get an ugly SQL error and your application
doesn't work. After explaining this simple fact
to people for the 50th time one day I finally
got fed up and had PHP do the escaping on
the fly. This way the applications would work and
the worst that would happen is that someone
would see an extra \ on the screen when they
output the data directly instead of sticking it into
the database.”
Source:, Interview - PHP's Creator, Rasmus Lerdorf,

OWASP AppSec DC 2005

Attack of the Worms: How it works

URLEncoded characters
PHP Fwrite command
PHP Fopen command

OWASP AppSec DC 2005

Decoding the attack

MagicQuotes recognizes plain and encoded single quotes

Decode once and compare

%27%2E is not a single quote

OWASP AppSec DC 2005

Back to the Code

Application decoded again

in the code

Turned the remaining %27%2E into ‘.

Making the injection work.

OWASP AppSec DC 2005

Basic Google

Viewtopic.php with random numbers as a

parameter ( 1414414=5858583)
Numbers NOT evasion – ensure different
websites in each result
Unimaginative and easily signatured ….

OWASP AppSec DC 2005

Google shutdown the query …

And gave me spyware advice …?

OWASP AppSec DC 2005

Google Evasion

Viewtopic by itself could be anything. Add phpBB’s footer and it’s more accurate

Viewtopic.php is not the same as viewtopic and php

Hmm …. Does Google recognize Blank Spaces ?

Bonus :Spot the Google bug.

OWASP AppSec DC 2005

Or Just “Switch”

There’s more than one engine to search the web

4 Variants in JUST DAYS.

OWASP AppSec DC 2005

New Version of phpBoard released

Remedial Action suggested to immediate users of the software was to remove the

Prevents the second decode: ‘ remains as %27

Still not rock solid input validation

OWASP AppSec DC 2005

Why Web Application Risks Occur

The Web Application

Security Professionals Don’t Know The
Security Gap Application
Developers and
QA Professionals
Don’t Know
“As a Network Security Security
Professional, I don’t “As an Application
know how my Developer, I can
company’s web build great features
applications are and functions while
supposed to work so I meeting deadlines,
deploy a protective but I don’t know
solution…but don’t how to build
know if it’s protecting security into my
what it’s supposed to.” web applications.”

OWASP AppSec DC 2005

The Old Paradigm
Development builds
Functional defects
are found and fixed

QA performs functional App is declared

testing ready for UAT

Security applies
Customer performs any missing
patches or tweaks
acceptance testing configuration

Security tests server

Deployment begins
patches and configuration

Program goes live

OWASP AppSec DC 2005

Security Cannot Fix Application Issues
Development builds

QA performs functional App is declared Application either

testing ready for UAT goes back to
square one, or
goes live with
Customer performs vulnerabilities
acceptance testing

Security discovers
Deployment begins
application vulnerabilities

Program goes live

OWASP AppSec DC 2005

Security Testing To The Application Lifecycle

Audit Development
Auditors, Dev, Developers
Compliance, and
Business Subject
Matter Experts

Production QA
Security QA and
Operations Developers
and Auditors

OWASP AppSec DC 2005

My Contact Info

Matt Fisher

OWASP AppSec DC 2005