SlideShare a Scribd company logo

Google Hacking Project Uses AdWords and AdSense for Web Attacks

sunil kumar
sunil kumar

This document discusses using Google's advertising mechanisms (AdWords and AdSense) for hacking purposes. It describes two attacks using AdSense ("AdSense-Out" and "AdSense-In") and one using AdWords ("AdWords-Hokey-Pokey"). The AdSense-Out attack tricks MediaBot into visiting a malicious URL by including it in an AdSense request, potentially damaging websites. The AdSense-In attack uses SQL injections through AdSense requests to extract hidden information from a website by analyzing the contextual ads that are returned. The document provides technical details on how these attacks could be carried out.

TechnologyNews & Politics
1 of 9
Download to read offline
Google Hacking Project BadSense — Using Google’s advertising mechanisms as a hacking tool Ohad Lutzky, Tom Meiri, Guy Treger Under the supervision and guidance of Amichai Shulman Contents I Introductory Details 2 1 Introduction — Google and Hacking 2 1.1 Active attacks using Google . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.1 Shortcomings of attacking with GoogleBot . . . . . . . . . . . . . . . . . . . . . . 2 2 Google’s Advertising Mechanisms 2 2.1 AdWords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.2 AdSense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3 Additional technical details 4 3.1 Forms of HTTP requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2 SQL Injections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4 Methodology and failed attempts 4 II Our attacks 6 5 AdSense-Out 6 6 AdSense-In 6 6.1 Receiving information from an AdSense attack . . . . . . . . . . . . . . . . . . . . . . . . 7 6.1.1 Using SQL CAST to hide keywords in the URL . . . . . . . . . . . . . . . . . . . . 7 6.1.2 If at first you don’t succeed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7 AdWords-Hokey-Pokey 8 7.1 Cross-Site Request Forgery attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.2 Using AdWords for CSRF attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 8 Concluding remarks 9 1
Part I Introductory Details 1 Introduction — Google and Hacking Google has been a well-known secondary utility in website attacks for quite a while, used as a probe for vulnerable sites or leaked information. This usage relies on constructing queries for specific strings which are known to appear on vulnerable sites (e.g. version numbers). Google’s enormous site database and advanced search modifier keywords (such as inurl or filetype) allow for particularily elaborate probing techniques. There are existing libraries of malicious queries[1]. 1.1 Active attacks using Google Our objective is to use Google as an active part of an attack. This gives us several advantages over attacking directly; an immediate benefit is a layer of anonymity, granted by any attack-by-proxy. Another benefit granted by this is abuse of the implicit trust of Google by webmasters; Google is unlikely to be blocked from entering a website, which allows an attacker to attack a website even if his IP address is blocked from accessing the website. Some sites may even allow Google’s bots to enter protected segments of the website, for indexing purposes. 1.1.1 Shortcomings of attacking with GoogleBot In our experimentation, we found that for low-ranked websites, Google’s primary indexing robot (Google- Bot) enters at a very low frequency, and inter-visit times may reach several weeks. The frequency remains low even when requesting a re-index with Google’s webmaster tools. This makes it difficult to utilize for active attacks. Also, the terms which are likely to show up on Google searches in passive attacks are limited to those resulting from entering legitimate (i.e. appearing as links on highly-ranked websites) URLs, decreasing the amount of information which can be gained. These properties make MediaBot (described in 2.2) better-suited for our attacks. 2 Google’s Advertising Mechanisms Google uses two primary mechanisms for its advertising business front-end, known as AdWords and AdSense. 2.1 AdWords AdWords allows customers to buy ads to be displayed (on sites with AdSense, described later). Bids can be placed either by CPM (cost per thousand impressions) or by CPC (cost per click)[2]. The bids are either on keywords which would trigger the ad’s appearance, or on URLs on which the ad should appear. An ad contains a title, two lines of text, a display URL and a link target (perhaps different from the display URL). Google has rather strict limitations on what kind of text is allowed, within the ad and at the link’s target website, but they are not immediately (or, it seems, strongly) enforced. 2.2 AdSense AdSense allows webmasters to place an ad “billboard” on their site, sharing Google’s revenue per click or impression. When a user enters a site which contains AdSense ads, the browser runs a script which requests a relevant ad for the page. At this point, Google immediately sends MediaBot to scan the 2
Site with AdSense ads Google & AdSense 7 Browser 2 6 4 8 1 3 5 Figure 1: Illustration of the AdSense process reported “current page” for relevant keywords, as part of the ad selection process. The AdWords database is scanned for an appropriate ad, and it is displayed within the website. The process is detailed below (and illustrated in Figure 1). 1. Browser requests page from website. 2. Website returns page HTML; include references to AdSense script, in a form similar to this: <script type="text/javascript"><!-- google_ad_client = ’pub-0123456789012345’; /* 125x125 created 1/2/03 for Israel Israeli */ google_ad_slow = ’9876543210’; google_ad_width = 125; google_ad_height = 125; //--> </script> <script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script> 3. Browser request AdSense script from Google. 4. Google sends AdSense script to the browser, which runs it. 5. Script reports current page, requesting an appropriate ad from Google. 6. MediaBot sends the site a request for the reported page. 7. Site returns the requested page; Google scans it for Keywords. 8. Google picks an ad and sends it to the browser. 3
3 Additional technical details 3.1 Forms of HTTP requests There are two primary forms of HTTP requests — GET and POST. GET requests are the simpler form of HTTP communication; all parameters, if any, are passed as part of the URL. This is the ordinary request sent when visiting a page with a browser. Parameters are encoded in the URL in the following form: http://url?< param1 >=< value >&< param2 >=< value >&. . . For example, http://www.google.com/search?q=differential+cryptanalysis%27&btnG=Search In the instance above, two parameters are passed as part of the URL: first, the parameter q is set to “differential cryptanalysis’”; spaces are encoded as +, and %27 is the hexadecimal encoding of ASCII character 0x27, which is a quote. The parameter btnG is set to “Search”. HTTP POST requests can have additional parameters passed in the request body. These requests are usually generated by web forms. They are also considered by the HTTP standard to be the request form for any kind of request that modifies the website, or performs any sort of active or potentially destructive server-side operation. For this reason, pre-fetching browsers do not follow any web forms which perform POST requests, and all browsers give a warning when re-submitting a POST request due to a click on the “Back” or “Refresh” buttons. While it is considered “best practice” to place all potentially destructive operations behind a POST request, many sites do not follow these practices, and for our demonstration we’ll assume the victim does not. 3.2 SQL Injections Some sites are naive when passing user data to SQL. For example, when authentication a user, the site might use code similar to this: query("SELECT COUNT(*) FROM users WHERE user=’" + $POST[’user’] + "’ AND pass=’" + $POST[’password’] + "’") Note that if the user’s name is “Robert’); DROP TABLE Students;--”[3], then the following query will be run: SELECT COUNT(*) FROM users WHERE user=’Robert’; DROP TABLE Students;--’ and PASS=... The query is truncated here, as -- is the comment-to-end-of-line character for some common SQL dialects. As some sites have SQL injections in their search pages (which are a legitimate case of a GET request), this allows an external user to craft a malicious GET request to attack them. 4 Methodology and failed attempts For the course of the project, we’ve set up several AdSense accounts, as well as several anonymous sites on free hosting services which included support for scripting using PHP. This allowed us to write pages with access logs, and analyze the various bot behaviours. Initially we attempted to attack the AdSense Site Authentication mechanism; this feature allows a webmaster to provide a username and password (and login URL) which would be used by MediaBot when crawling the site. The plan was to get MediaBot to log into one site using credentials for another. However, at the time we could not get this feature to work at all — MediaBot would not visit the 4
login page, and the only effect of activating Site Authentication was that MediaBot would not visit the portions of the site we told it were restricted. It seems that this feature does not work at all anymore[6]. It is possible that a vulnerability was indeed discovered, causing Google to disable the feature. An additional attack we tried used the “Allowed Sites” AdSense feature. After adding a site to our “Allowed Sites” list, we placed text that violates the terms-of-service for AdSense (such as “please click the ad”) on it. However, the control for this experiment failed as well, as we received no notice from Google when a site directly violated the terms of its own AdSense account in this method. 5
Browser MediaBot Request ad for victim.com/[malicious parameters] victim.com GET victim.com/[malicious parameters] Site damaged Figure 2: AdSense-Out Part II Our attacks We present two attacks based on AdSense, and one attack based on AdWords. The first AdSense attack is able to cause damage to a website, and is therefore called “AdSense-Out”. The second AdSense attack is able to retrieve information from a website, and is therefore called “AdSense-In”. For completeless, the third attack is known as “AdWords-Hokey-Pokey”. 5 AdSense-Out As mentioned in 2.2, the user’s browser asks Google for an ad to be displayed for the current page. The AdSense script uses JavaScript’s document.location to emit the current URL[4]. However, no verifica- tion of this URL is performed, and at the present day it is possible to craft an AdSense request requesting an ad for any URL, simply by modifying the GET parameter “url”. An analysis of the (compressed and obfuscated) AdSense code yielded a simple method to craft these requests: The google page url parameter can be set in the JavaScript preamble of the AdSense code to achieve the same effect. Testing shows that there is no a priori verification of which pages may be reported as the “current page”. There is no filtering of GET parameters, probably due to the fact that ads can be shown on internal parts of dynamic sites, such as online forums. While there is a limit on the length of the reported URL, MediaBot appears to follow HTTP redirects, which allows one to use online services[5] to get a short URL which would redirect MediaBot to a longer one. An attack is made possible, therefore, by sending MediaBot to a URL which, just by visiting it, would trigger an SQL injection attack, or pass otherwise malicious parameters, as shown in Figure 2. This has been tested by performing an SQL injection attack, defacing a specially-prepared site which is vulnerable to SQL injections. 6 AdSense-In In contrast with direct attacks on websites, attacks using an intermediate proxy have the disadvantage of receiving no data from the site, as the response is sent to the proxy. A direct attack might yield plentiful information: Success status of the attack is usually immediately discernable from the response. Furthermore, additional hidden information can be obtained using SQL’s UNION modifier. For example, consider a site which allows searching for products using a search string in the following implementation: query("SELECT name,description FROM products WHERE name=’" + $GET["name"] + "’") 6
Then an attacker might search for a product with the following name: ’ AND 1=0 UNION SELECT name, creditcard FROM customers -- This would cause no products to be displayed (as the 1=0 clause is always false), but instead all customers will be displayed as products, with the product description being their credit card number. 6.1 Receiving information from an AdSense attack The AdSense process, as detailed in 2.2, has two additional steps, which allow us to retrieve information. This channel is limited, as the only returned information is contextual ads. Our strategy will therefore be to modify the result page in such a way that the chosen ads will pass information to the attacker. The simplest solution is a binary one — we will “plant” an ad topic in the returned page in case of a successful attack. Alternatively, in case we already know the attack will succeed, we can plant the topic in the returned page if a binary SQL query of our choice returns “true”. For example, in order to perform a UNION attack, we need to know how many fields the original query has, otherwise an SQL error will be returned. In a direct attack, one might use a query similar to this: http://victim.com/search?q=’ AND 1=0 UNION SELECT null,null,null -- If the original query has 3 fields, one result (with empty fields) will be shown, and otherwise an SQL error will be displayed (complaining that the number of fields does not match). In an attack using AdSense, we can replace one of the fields (which hopefully expects a string data-type) to contain keywords of our choice. For example, one might use a query similar to this: http://victim.com/search?q=’ AND 1=0 UNION SELECT ’car automobile mechanic clutch muffler exhaust’,null,null -- For this query, one might expect that a correct guess (3 fields) would cause a single entry with the text “car automobile mechanic clutch muffler exhaust” to appear in the response, causing the chosen ad to be car-related. An incorrect guess would not cause this entry to be shown. However, MediaBot extracts keywords from the URL itself, causing a car-related ad to be shown regardless of the success of the query. We will show how to overcome this in 6.1.1. We can use a more elaborate version of this technique to systematically extract all usernames from a system: http://victim.com/search?q=’ AND 1=0 UNION SELECT ’car automobile mechanic clutch muffler exhaust’,null,null FROM customers WHERE lastname LIKE ’A%’ -- This query will return a car-related ad if the site has any customers whose last name begins with an A. These queries can be repeated and extended in order to retrieve any information from the site (which is attainable by SQL injection) by means of binary search. As these queries become quite long, the attacker will need to use a redirection service as described earlier to generate short URLs for the attacks. 6.1.1 Using SQL CAST to hide keywords in the URL In order to prevent the keywords from appearing in the URL of the request, we need to encode them in a way which will be decoded by the SQL server. One way to do this is with SQL’s CAST statement. For example, this query http://victim.com/search?q=’ AND 1=0 UNION SELECT ’car automobile mechanic clutch muffler exhaust’,null,null -- Can be written as http://victim.com/search?q=’ AND 1=0 UNION SELECT CAST(0x63006100720020006100750074006f006d 006f00620069006c00650020006d0065006300680 7
061006e0069006300200063006c00750074006300 680020006d007500660066006c006500720020006 500780068006100750073007400 AS NVARCHAR(1000)),null,null -- The URL contains no trace of the keywords, as far as MediaBot can tell, but the query is completely equivalent. The long hexadecimal number is simply a little-endian word-per-character ASCII represen- tation of the string. 6.1.2 If at first you don’t succeed In some instances, AdSense does not immediately return a relevant ad for a fresh URL. A new URL should be generated in this case, as the old URL would return a cached result. Therefore one should use URLs such as: http://victim.com/search?trash=1234&q=’ AND 1=0 UNION SELECT CAST(0x63006100720020006100750074006f006d ... 500780068006100750073007400 AS NVARCHAR(1000)),null,null -- Replacing the trash value at every attempt in order to create a fresh URL. 7 AdWords-Hokey-Pokey AdWords-Hokey-Pokey is a method to create more efficient Cross-Site Request Forgery (CSRF) attacks. 7.1 Cross-Site Request Forgery attacks Many potentially destructive operations within sites can only be performed by a logged-in user, on his own account. Many browsers today have shared sessions between multiple instances of the browser, be they separate windows or tabs1 . An attacker can use this fact in order to conduct a CSRF attack: Assuming that the victim user is already logged into a certain victim site, and also visits the attacker’s site with the same browser, the attacker can cause the browser to unknowingly execute business transactions in the victim site. One disadvantage of this technique is that it requires guesswork — the attacker cannot usually know whether the victim user is already logged into the victim site. 7.2 Using AdWords for CSRF attacks As AdWords allows advertisers to select specific URLs to advertise on, we can attack by advertising a malicious URL, requesting that the ad be shown on a page which suggests that the users is logged into the victim site. For this to work, there has to be such a page which displays AdSense ads. Furthermore, the weakness of the victim site has to be exploitable via GET requests in order for the ad’s link to attack directly. An alternative is to link to a secondary site which performs the attack. However, this might not allow POST-based attacks, as modern browsers defend against cross-site JavaScript requests. The secondary site can still exploit a GET vulnerability using, for example, an iframe. This has the advantage of the attacker being able to quickly modify the site, as opposed to the AdWords ad, which would take several hours to update. However, this will cause the Referer field of the malicious GET request to reveal the attacking website, whereas a direct malicious ad-link will show Google as the attacker. 1Even multi-process browsers such as Google Chrome have this property 8
Two additional issues to consider with the direct ad-link attack pertain to the URL of the ad. The URL length is limited, in this instance, to 1024 characters, which may be insufficient. Also, while the display URL can be chosen at will, the actual link does show that the ad leads to the same site the user is currently on. Yet the link goes through a Google Syndication redirect page, and the actual target URL parameter is preceded by a long preamble, which is likely to prevent it from being shown in the status bar while hovering over the link; the user would have to right-click the ad link and examine it before noticing the suspicious link. 8 Concluding remarks We have shown that Google’s advertising mechanism can be used as an active attack tool. Additionally, we have shown a method to cause websites to leak sensitive information via contextual advertising services. It is imperative to take Google utilities into account when considering the security of a website. Further research is required to determine whether other Google utilities can be used for active attacks. Also, the question arises whether it is Google’s responsibility to protect against these attacks. References [1] Johnny.IHackStuff.com, http://johnny.ihackstuff.com [2] AdWords Help: “How do placement-targeted and keyword-targeted ads compete?”, http://adwords.google.com/support/bin/answer.py?hl=en&answer=18280 [3] xkcd, Exploits of a Mom, http://xkcd.com/327 [4] The AdSense script, http://pagead2.googlesyndication.com/pagead/show_ads.js [5] TinyURL http://tinyurl.com [6] AdSense Help Google Group: “AdSense Site Authentication on forums” http://groups.google.com/group/adsense-help-troubleshooting/browse_thread/thread/60c31bc21eaf3997 List of Figures 1 Illustration of the AdSense process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 AdSense-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 9

Recommended

UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2Aaron Parecki
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Mihir Shah
 
XSS Exploitation
XSS ExploitationXSS Exploitation
XSS ExploitationHacking Articles
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedInKamyar Mohager
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleMattia Reggiani
 

Recommended

UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2UC2013 Speed Geeking: Intro to OAuth2
UC2013 Speed Geeking: Intro to OAuth2Aaron Parecki
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Mihir Shah
 
XSS Exploitation
XSS ExploitationXSS Exploitation
XSS ExploitationHacking Articles
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
OAuth2 and LinkedIn
OAuth2 and LinkedInOAuth2 and LinkedIn
OAuth2 and LinkedInKamyar Mohager
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
A simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleA simple PHP LinkedIn OAuth 2.0 example
A simple PHP LinkedIn OAuth 2.0 exampleMattia Reggiani
 
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...HakTrak Cybersecurity Squad
 
Chrome Extensions: Masking risks in entertainment
Chrome Extensions: Masking risks in entertainmentChrome Extensions: Masking risks in entertainment
Chrome Extensions: Masking risks in entertainmentEduardo Chavarro
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET Journal
 
[Part 1] understand google search console outrankco
[Part 1] understand google search console outrankco[Part 1] understand google search console outrankco
[Part 1] understand google search console outrankcoOutrankco Pte Ltd
 
Google search console
Google search consoleGoogle search console
Google search consolesajawal15
 
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEO
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEOLEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEO
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEOElsa Langer
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesisSean Roberts
 
Advanced xss
Advanced xssAdvanced xss
Advanced xssGajendra Saini
 
IRJET- Search Engine Optimization (Seo)
IRJET- Search Engine Optimization (Seo)IRJET- Search Engine Optimization (Seo)
IRJET- Search Engine Optimization (Seo)IRJET Journal
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Webinar Advertising With Ad Words
Webinar Advertising With Ad WordsWebinar Advertising With Ad Words
Webinar Advertising With Ad WordsJuan Pittau
 
Buzzient oracle crmod_integration
Buzzient oracle crmod_integrationBuzzient oracle crmod_integration
Buzzient oracle crmod_integrationTBJ Investments, LLC
 
Seo for Engineers
Seo for EngineersSeo for Engineers
Seo for EngineersCort Tafoya
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Www usenix-org
Www usenix-orgWww usenix-org
Www usenix-orgOuzza Brahim
 
Simple stock market analysis
Simple stock market analysisSimple stock market analysis
Simple stock market analysislynneblue
 
T04505103106
T04505103106T04505103106
T04505103106IJERA Editor
 
Benefits of Google Tag Manager
Benefits of Google Tag ManagerBenefits of Google Tag Manager
Benefits of Google Tag ManagerPhil Pearce
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Best Ways to loose weight by Keto diet Deliciously
Best Ways to loose weight by Keto diet Deliciously Best Ways to loose weight by Keto diet Deliciously
Best Ways to loose weight by Keto diet Deliciously sunil kumar
 
Best ways to loose weight Naturaly
Best ways to loose weight NaturalyBest ways to loose weight Naturaly
Best ways to loose weight Naturalysunil kumar
 

More Related Content

Similar to Google Hacking Project Uses AdWords and AdSense for Web Attacks

A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...HakTrak Cybersecurity Squad
 
Chrome Extensions: Masking risks in entertainment
Chrome Extensions: Masking risks in entertainmentChrome Extensions: Masking risks in entertainment
Chrome Extensions: Masking risks in entertainmentEduardo Chavarro
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET Journal
 
[Part 1] understand google search console outrankco
[Part 1] understand google search console outrankco[Part 1] understand google search console outrankco
[Part 1] understand google search console outrankcoOutrankco Pte Ltd
 
Google search console
Google search consoleGoogle search console
Google search consolesajawal15
 
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEO
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEOLEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEO
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEOElsa Langer
 
IRJET- Search Engine Optimization (Seo)
IRJET- Search Engine Optimization (Seo)IRJET- Search Engine Optimization (Seo)
IRJET- Search Engine Optimization (Seo)IRJET Journal
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Webinar Advertising With Ad Words
Webinar Advertising With Ad WordsWebinar Advertising With Ad Words
Webinar Advertising With Ad WordsJuan Pittau
 
Seo for Engineers
Seo for EngineersSeo for Engineers
Seo for EngineersCort Tafoya
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Simple stock market analysis
Simple stock market analysisSimple stock market analysis
Simple stock market analysislynneblue
 
Benefits of Google Tag Manager
Benefits of Google Tag ManagerBenefits of Google Tag Manager
Benefits of Google Tag ManagerPhil Pearce
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 

Similar to Google Hacking Project Uses AdWords and AdSense for Web Attacks (20)

A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
A Deep Dive into Exploiting SaaS-Based Company Partnership Management Dashboa...
 
Chrome Extensions: Masking risks in entertainment
Chrome Extensions: Masking risks in entertainmentChrome Extensions: Masking risks in entertainment
Chrome Extensions: Masking risks in entertainment
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application Vulnerabilities
 
[Part 1] understand google search console outrankco
[Part 1] understand google search console outrankco[Part 1] understand google search console outrankco
[Part 1] understand google search console outrankco
 
Google search console
Google search consoleGoogle search console
Google search console
 
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEO
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEOLEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEO
LEARN HOW TO MAKE A BETTER WEBSITE WITH GOOGLE & SEO
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
 
Advanced xss
Advanced xssAdvanced xss
Advanced xss
 
IRJET- Search Engine Optimization (Seo)
IRJET- Search Engine Optimization (Seo)IRJET- Search Engine Optimization (Seo)
IRJET- Search Engine Optimization (Seo)
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Security testing
Security testingSecurity testing
Security testing
 
Webinar Advertising With Ad Words
Webinar Advertising With Ad WordsWebinar Advertising With Ad Words
Webinar Advertising With Ad Words
 
Buzzient oracle crmod_integration
Buzzient oracle crmod_integrationBuzzient oracle crmod_integration
Buzzient oracle crmod_integration
 
Seo for Engineers
Seo for EngineersSeo for Engineers
Seo for Engineers
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Www usenix-org
Www usenix-orgWww usenix-org
Www usenix-org
 
Simple stock market analysis
Simple stock market analysisSimple stock market analysis
Simple stock market analysis
 
T04505103106
T04505103106T04505103106
T04505103106
 
Benefits of Google Tag Manager
Benefits of Google Tag ManagerBenefits of Google Tag Manager
Benefits of Google Tag Manager
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 

More from sunil kumar

Best Ways to loose weight by Keto diet Deliciously
Best Ways to loose weight by Keto diet Deliciously Best Ways to loose weight by Keto diet Deliciously
Best Ways to loose weight by Keto diet Deliciously sunil kumar
 
Best ways to loose weight Naturaly
Best ways to loose weight NaturalyBest ways to loose weight Naturaly
Best ways to loose weight Naturalysunil kumar
 
how to invest in shares with only ₹ 5000
how to invest in shares with only ₹ 5000how to invest in shares with only ₹ 5000
how to invest in shares with only ₹ 5000sunil kumar
 
Comp tia network_n10-005
Comp tia network_n10-005Comp tia network_n10-005
Comp tia network_n10-005sunil kumar
 
Comp tia a_220-802_objectives
Comp tia a_220-802_objectivesComp tia a_220-802_objectives
Comp tia a_220-802_objectivessunil kumar
 
Comp tia a_220-801_objectives
Comp tia a_220-801_objectivesComp tia a_220-801_objectives
Comp tia a_220-801_objectivessunil kumar
 
Types of optical device
Types of optical deviceTypes of optical device
Types of optical devicesunil kumar
 
Classification of computers
Classification of computersClassification of computers
Classification of computerssunil kumar
 
Not bridge south bridge archexture
Not bridge south bridge archextureNot bridge south bridge archexture
Not bridge south bridge archexturesunil kumar
 
Dns introduction
Dns introduction Dns introduction
Dns introduction sunil kumar
 
4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazysunil kumar
 

More from sunil kumar (20)

Best Ways to loose weight by Keto diet Deliciously
Best Ways to loose weight by Keto diet Deliciously Best Ways to loose weight by Keto diet Deliciously
Best Ways to loose weight by Keto diet Deliciously
 
Best ways to loose weight Naturaly
Best ways to loose weight NaturalyBest ways to loose weight Naturaly
Best ways to loose weight Naturaly
 
Gam ks egnfk
Gam ks egnfkGam ks egnfk
Gam ks egnfk
 
how to invest in shares with only ₹ 5000
how to invest in shares with only ₹ 5000how to invest in shares with only ₹ 5000
how to invest in shares with only ₹ 5000
 
Ping
PingPing
Ping
 
Comp tia network_n10-005
Comp tia network_n10-005Comp tia network_n10-005
Comp tia network_n10-005
 
Comp tia a_220-802_objectives
Comp tia a_220-802_objectivesComp tia a_220-802_objectives
Comp tia a_220-802_objectives
 
Comp tia a_220-801_objectives
Comp tia a_220-801_objectivesComp tia a_220-801_objectives
Comp tia a_220-801_objectives
 
App b
App bApp b
App b
 
Smps
SmpsSmps
Smps
 
Types of optical device
Types of optical deviceTypes of optical device
Types of optical device
 
Memoryhierarchy
MemoryhierarchyMemoryhierarchy
Memoryhierarchy
 
Wi fi copy
Wi fi copyWi fi copy
Wi fi copy
 
Classification of computers
Classification of computersClassification of computers
Classification of computers
 
Osi model
Osi modelOsi model
Osi model
 
Not bridge south bridge archexture
Not bridge south bridge archextureNot bridge south bridge archexture
Not bridge south bridge archexture
 
Dns introduction
Dns introduction Dns introduction
Dns introduction
 
Ethernet copy
Ethernet copyEthernet copy
Ethernet copy
 
4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy4 owasp egypt_12_4_2014_ebrahim_hegazy
4 owasp egypt_12_4_2014_ebrahim_hegazy
 
Adeex
AdeexAdeex
Adeex
 

Recently uploaded

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 

Google Hacking Project Uses AdWords and AdSense for Web Attacks

  • 1. Google Hacking Project BadSense — Using Google’s advertising mechanisms as a hacking tool Ohad Lutzky, Tom Meiri, Guy Treger Under the supervision and guidance of Amichai Shulman Contents I Introductory Details 2 1 Introduction — Google and Hacking 2 1.1 Active attacks using Google . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.1 Shortcomings of attacking with GoogleBot . . . . . . . . . . . . . . . . . . . . . . 2 2 Google’s Advertising Mechanisms 2 2.1 AdWords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.2 AdSense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3 Additional technical details 4 3.1 Forms of HTTP requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2 SQL Injections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4 Methodology and failed attempts 4 II Our attacks 6 5 AdSense-Out 6 6 AdSense-In 6 6.1 Receiving information from an AdSense attack . . . . . . . . . . . . . . . . . . . . . . . . 7 6.1.1 Using SQL CAST to hide keywords in the URL . . . . . . . . . . . . . . . . . . . . 7 6.1.2 If at first you don’t succeed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7 AdWords-Hokey-Pokey 8 7.1 Cross-Site Request Forgery attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.2 Using AdWords for CSRF attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 8 Concluding remarks 9 1
  • 2. Part I Introductory Details 1 Introduction — Google and Hacking Google has been a well-known secondary utility in website attacks for quite a while, used as a probe for vulnerable sites or leaked information. This usage relies on constructing queries for specific strings which are known to appear on vulnerable sites (e.g. version numbers). Google’s enormous site database and advanced search modifier keywords (such as inurl or filetype) allow for particularily elaborate probing techniques. There are existing libraries of malicious queries[1]. 1.1 Active attacks using Google Our objective is to use Google as an active part of an attack. This gives us several advantages over attacking directly; an immediate benefit is a layer of anonymity, granted by any attack-by-proxy. Another benefit granted by this is abuse of the implicit trust of Google by webmasters; Google is unlikely to be blocked from entering a website, which allows an attacker to attack a website even if his IP address is blocked from accessing the website. Some sites may even allow Google’s bots to enter protected segments of the website, for indexing purposes. 1.1.1 Shortcomings of attacking with GoogleBot In our experimentation, we found that for low-ranked websites, Google’s primary indexing robot (Google- Bot) enters at a very low frequency, and inter-visit times may reach several weeks. The frequency remains low even when requesting a re-index with Google’s webmaster tools. This makes it difficult to utilize for active attacks. Also, the terms which are likely to show up on Google searches in passive attacks are limited to those resulting from entering legitimate (i.e. appearing as links on highly-ranked websites) URLs, decreasing the amount of information which can be gained. These properties make MediaBot (described in 2.2) better-suited for our attacks. 2 Google’s Advertising Mechanisms Google uses two primary mechanisms for its advertising business front-end, known as AdWords and AdSense. 2.1 AdWords AdWords allows customers to buy ads to be displayed (on sites with AdSense, described later). Bids can be placed either by CPM (cost per thousand impressions) or by CPC (cost per click)[2]. The bids are either on keywords which would trigger the ad’s appearance, or on URLs on which the ad should appear. An ad contains a title, two lines of text, a display URL and a link target (perhaps different from the display URL). Google has rather strict limitations on what kind of text is allowed, within the ad and at the link’s target website, but they are not immediately (or, it seems, strongly) enforced. 2.2 AdSense AdSense allows webmasters to place an ad “billboard” on their site, sharing Google’s revenue per click or impression. When a user enters a site which contains AdSense ads, the browser runs a script which requests a relevant ad for the page. At this point, Google immediately sends MediaBot to scan the 2
  • 3. Site with AdSense ads Google & AdSense 7 Browser 2 6 4 8 1 3 5 Figure 1: Illustration of the AdSense process reported “current page” for relevant keywords, as part of the ad selection process. The AdWords database is scanned for an appropriate ad, and it is displayed within the website. The process is detailed below (and illustrated in Figure 1). 1. Browser requests page from website. 2. Website returns page HTML; include references to AdSense script, in a form similar to this: <script type="text/javascript"><!-- google_ad_client = ’pub-0123456789012345’; /* 125x125 created 1/2/03 for Israel Israeli */ google_ad_slow = ’9876543210’; google_ad_width = 125; google_ad_height = 125; //--> </script> <script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script> 3. Browser request AdSense script from Google. 4. Google sends AdSense script to the browser, which runs it. 5. Script reports current page, requesting an appropriate ad from Google. 6. MediaBot sends the site a request for the reported page. 7. Site returns the requested page; Google scans it for Keywords. 8. Google picks an ad and sends it to the browser. 3
  • 4. 3 Additional technical details 3.1 Forms of HTTP requests There are two primary forms of HTTP requests — GET and POST. GET requests are the simpler form of HTTP communication; all parameters, if any, are passed as part of the URL. This is the ordinary request sent when visiting a page with a browser. Parameters are encoded in the URL in the following form: http://url?< param1 >=< value >&< param2 >=< value >&. . . For example, http://www.google.com/search?q=differential+cryptanalysis%27&btnG=Search In the instance above, two parameters are passed as part of the URL: first, the parameter q is set to “differential cryptanalysis’”; spaces are encoded as +, and %27 is the hexadecimal encoding of ASCII character 0x27, which is a quote. The parameter btnG is set to “Search”. HTTP POST requests can have additional parameters passed in the request body. These requests are usually generated by web forms. They are also considered by the HTTP standard to be the request form for any kind of request that modifies the website, or performs any sort of active or potentially destructive server-side operation. For this reason, pre-fetching browsers do not follow any web forms which perform POST requests, and all browsers give a warning when re-submitting a POST request due to a click on the “Back” or “Refresh” buttons. While it is considered “best practice” to place all potentially destructive operations behind a POST request, many sites do not follow these practices, and for our demonstration we’ll assume the victim does not. 3.2 SQL Injections Some sites are naive when passing user data to SQL. For example, when authentication a user, the site might use code similar to this: query("SELECT COUNT(*) FROM users WHERE user=’" + $POST[’user’] + "’ AND pass=’" + $POST[’password’] + "’") Note that if the user’s name is “Robert’); DROP TABLE Students;--”[3], then the following query will be run: SELECT COUNT(*) FROM users WHERE user=’Robert’; DROP TABLE Students;--’ and PASS=... The query is truncated here, as -- is the comment-to-end-of-line character for some common SQL dialects. As some sites have SQL injections in their search pages (which are a legitimate case of a GET request), this allows an external user to craft a malicious GET request to attack them. 4 Methodology and failed attempts For the course of the project, we’ve set up several AdSense accounts, as well as several anonymous sites on free hosting services which included support for scripting using PHP. This allowed us to write pages with access logs, and analyze the various bot behaviours. Initially we attempted to attack the AdSense Site Authentication mechanism; this feature allows a webmaster to provide a username and password (and login URL) which would be used by MediaBot when crawling the site. The plan was to get MediaBot to log into one site using credentials for another. However, at the time we could not get this feature to work at all — MediaBot would not visit the 4
  • 5. login page, and the only effect of activating Site Authentication was that MediaBot would not visit the portions of the site we told it were restricted. It seems that this feature does not work at all anymore[6]. It is possible that a vulnerability was indeed discovered, causing Google to disable the feature. An additional attack we tried used the “Allowed Sites” AdSense feature. After adding a site to our “Allowed Sites” list, we placed text that violates the terms-of-service for AdSense (such as “please click the ad”) on it. However, the control for this experiment failed as well, as we received no notice from Google when a site directly violated the terms of its own AdSense account in this method. 5
  • 6. Browser MediaBot Request ad for victim.com/[malicious parameters] victim.com GET victim.com/[malicious parameters] Site damaged Figure 2: AdSense-Out Part II Our attacks We present two attacks based on AdSense, and one attack based on AdWords. The first AdSense attack is able to cause damage to a website, and is therefore called “AdSense-Out”. The second AdSense attack is able to retrieve information from a website, and is therefore called “AdSense-In”. For completeless, the third attack is known as “AdWords-Hokey-Pokey”. 5 AdSense-Out As mentioned in 2.2, the user’s browser asks Google for an ad to be displayed for the current page. The AdSense script uses JavaScript’s document.location to emit the current URL[4]. However, no verifica- tion of this URL is performed, and at the present day it is possible to craft an AdSense request requesting an ad for any URL, simply by modifying the GET parameter “url”. An analysis of the (compressed and obfuscated) AdSense code yielded a simple method to craft these requests: The google page url parameter can be set in the JavaScript preamble of the AdSense code to achieve the same effect. Testing shows that there is no a priori verification of which pages may be reported as the “current page”. There is no filtering of GET parameters, probably due to the fact that ads can be shown on internal parts of dynamic sites, such as online forums. While there is a limit on the length of the reported URL, MediaBot appears to follow HTTP redirects, which allows one to use online services[5] to get a short URL which would redirect MediaBot to a longer one. An attack is made possible, therefore, by sending MediaBot to a URL which, just by visiting it, would trigger an SQL injection attack, or pass otherwise malicious parameters, as shown in Figure 2. This has been tested by performing an SQL injection attack, defacing a specially-prepared site which is vulnerable to SQL injections. 6 AdSense-In In contrast with direct attacks on websites, attacks using an intermediate proxy have the disadvantage of receiving no data from the site, as the response is sent to the proxy. A direct attack might yield plentiful information: Success status of the attack is usually immediately discernable from the response. Furthermore, additional hidden information can be obtained using SQL’s UNION modifier. For example, consider a site which allows searching for products using a search string in the following implementation: query("SELECT name,description FROM products WHERE name=’" + $GET["name"] + "’") 6
  • 7. Then an attacker might search for a product with the following name: ’ AND 1=0 UNION SELECT name, creditcard FROM customers -- This would cause no products to be displayed (as the 1=0 clause is always false), but instead all customers will be displayed as products, with the product description being their credit card number. 6.1 Receiving information from an AdSense attack The AdSense process, as detailed in 2.2, has two additional steps, which allow us to retrieve information. This channel is limited, as the only returned information is contextual ads. Our strategy will therefore be to modify the result page in such a way that the chosen ads will pass information to the attacker. The simplest solution is a binary one — we will “plant” an ad topic in the returned page in case of a successful attack. Alternatively, in case we already know the attack will succeed, we can plant the topic in the returned page if a binary SQL query of our choice returns “true”. For example, in order to perform a UNION attack, we need to know how many fields the original query has, otherwise an SQL error will be returned. In a direct attack, one might use a query similar to this: http://victim.com/search?q=’ AND 1=0 UNION SELECT null,null,null -- If the original query has 3 fields, one result (with empty fields) will be shown, and otherwise an SQL error will be displayed (complaining that the number of fields does not match). In an attack using AdSense, we can replace one of the fields (which hopefully expects a string data-type) to contain keywords of our choice. For example, one might use a query similar to this: http://victim.com/search?q=’ AND 1=0 UNION SELECT ’car automobile mechanic clutch muffler exhaust’,null,null -- For this query, one might expect that a correct guess (3 fields) would cause a single entry with the text “car automobile mechanic clutch muffler exhaust” to appear in the response, causing the chosen ad to be car-related. An incorrect guess would not cause this entry to be shown. However, MediaBot extracts keywords from the URL itself, causing a car-related ad to be shown regardless of the success of the query. We will show how to overcome this in 6.1.1. We can use a more elaborate version of this technique to systematically extract all usernames from a system: http://victim.com/search?q=’ AND 1=0 UNION SELECT ’car automobile mechanic clutch muffler exhaust’,null,null FROM customers WHERE lastname LIKE ’A%’ -- This query will return a car-related ad if the site has any customers whose last name begins with an A. These queries can be repeated and extended in order to retrieve any information from the site (which is attainable by SQL injection) by means of binary search. As these queries become quite long, the attacker will need to use a redirection service as described earlier to generate short URLs for the attacks. 6.1.1 Using SQL CAST to hide keywords in the URL In order to prevent the keywords from appearing in the URL of the request, we need to encode them in a way which will be decoded by the SQL server. One way to do this is with SQL’s CAST statement. For example, this query http://victim.com/search?q=’ AND 1=0 UNION SELECT ’car automobile mechanic clutch muffler exhaust’,null,null -- Can be written as http://victim.com/search?q=’ AND 1=0 UNION SELECT CAST(0x63006100720020006100750074006f006d 006f00620069006c00650020006d0065006300680 7
  • 8. 061006e0069006300200063006c00750074006300 680020006d007500660066006c006500720020006 500780068006100750073007400 AS NVARCHAR(1000)),null,null -- The URL contains no trace of the keywords, as far as MediaBot can tell, but the query is completely equivalent. The long hexadecimal number is simply a little-endian word-per-character ASCII represen- tation of the string. 6.1.2 If at first you don’t succeed In some instances, AdSense does not immediately return a relevant ad for a fresh URL. A new URL should be generated in this case, as the old URL would return a cached result. Therefore one should use URLs such as: http://victim.com/search?trash=1234&q=’ AND 1=0 UNION SELECT CAST(0x63006100720020006100750074006f006d ... 500780068006100750073007400 AS NVARCHAR(1000)),null,null -- Replacing the trash value at every attempt in order to create a fresh URL. 7 AdWords-Hokey-Pokey AdWords-Hokey-Pokey is a method to create more efficient Cross-Site Request Forgery (CSRF) attacks. 7.1 Cross-Site Request Forgery attacks Many potentially destructive operations within sites can only be performed by a logged-in user, on his own account. Many browsers today have shared sessions between multiple instances of the browser, be they separate windows or tabs1 . An attacker can use this fact in order to conduct a CSRF attack: Assuming that the victim user is already logged into a certain victim site, and also visits the attacker’s site with the same browser, the attacker can cause the browser to unknowingly execute business transactions in the victim site. One disadvantage of this technique is that it requires guesswork — the attacker cannot usually know whether the victim user is already logged into the victim site. 7.2 Using AdWords for CSRF attacks As AdWords allows advertisers to select specific URLs to advertise on, we can attack by advertising a malicious URL, requesting that the ad be shown on a page which suggests that the users is logged into the victim site. For this to work, there has to be such a page which displays AdSense ads. Furthermore, the weakness of the victim site has to be exploitable via GET requests in order for the ad’s link to attack directly. An alternative is to link to a secondary site which performs the attack. However, this might not allow POST-based attacks, as modern browsers defend against cross-site JavaScript requests. The secondary site can still exploit a GET vulnerability using, for example, an iframe. This has the advantage of the attacker being able to quickly modify the site, as opposed to the AdWords ad, which would take several hours to update. However, this will cause the Referer field of the malicious GET request to reveal the attacking website, whereas a direct malicious ad-link will show Google as the attacker. 1Even multi-process browsers such as Google Chrome have this property 8
  • 9. Two additional issues to consider with the direct ad-link attack pertain to the URL of the ad. The URL length is limited, in this instance, to 1024 characters, which may be insufficient. Also, while the display URL can be chosen at will, the actual link does show that the ad leads to the same site the user is currently on. Yet the link goes through a Google Syndication redirect page, and the actual target URL parameter is preceded by a long preamble, which is likely to prevent it from being shown in the status bar while hovering over the link; the user would have to right-click the ad link and examine it before noticing the suspicious link. 8 Concluding remarks We have shown that Google’s advertising mechanism can be used as an active attack tool. Additionally, we have shown a method to cause websites to leak sensitive information via contextual advertising services. It is imperative to take Google utilities into account when considering the security of a website. Further research is required to determine whether other Google utilities can be used for active attacks. Also, the question arises whether it is Google’s responsibility to protect against these attacks. References [1] Johnny.IHackStuff.com, http://johnny.ihackstuff.com [2] AdWords Help: “How do placement-targeted and keyword-targeted ads compete?”, http://adwords.google.com/support/bin/answer.py?hl=en&answer=18280 [3] xkcd, Exploits of a Mom, http://xkcd.com/327 [4] The AdSense script, http://pagead2.googlesyndication.com/pagead/show_ads.js [5] TinyURL http://tinyurl.com [6] AdSense Help Google Group: “AdSense Site Authentication on forums” http://groups.google.com/group/adsense-help-troubleshooting/browse_thread/thread/60c31bc21eaf3997 List of Figures 1 Illustration of the AdSense process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 AdSense-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 9