Abusing Google Apps and Data API: Google is My Command and Control Center

Post on 03-Dec-2014



This presentation is about abusing Google Apps to implement various attacks that range from hostless phishing to setting up a botnet's command and control center.


Abusing Google Apps & Data API: Google is my C2.

#whoami

Information Security Enthusiast

Founder of OWASP Xenotix XSS Exploit Framework

Strong supporter of Free and Open Information Security Education.

Runs a DEFCON chapter at Kerala.

Another Learner.

www.opensecurity.in

disclaimer

All third party images are the property of their respective owners.

Just pointing out how some innocent services can be abused.

I am not responsible for anything.

Agenda

Intro

Abusing AppScript for e-mail bombing

Data URI + Google Forms + TinyURL = Phishing Variant

Google Spreadsheet + DATA API = A Botnet Communication Channel

xBOT: A prototype Bot

Conclude

Google Data API

Email Bombing: the old ways

Methods of e-bombing

Open Relay servers

PHP/ASP/JSP Mail Functions

Misconfigured Mail Sending features in Web Apps

Now blocked by services like Gmail, Live, Yahoo etc. E-bombs will end up in SPAM folder.

Google AppScript

Google Apps Script is a JavaScript cloud scripting language.

AppScript : Class MailApp

Little Mutation

DEMO: http://www.youtube.com/watch?v=mTHIcdkdKXY

Data URI

data:text/html,<body>hi</body>

data:text/html;base64,PGJvZHk+aGk8L2JvZHk+

A Data URI lets you embed data in-line in a web page, carried in the URL itself.

Data URI phishing was described by Henning Klevjer in his paper.
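The two slide examples above are the same HTML document in the plain and base64 forms of a data URI. The following parser, added here as an example and not part of the original presentation, decodes both forms and classifies a link by whether its media type can carry active content, which is the property that makes a data URI useful for phishing and therefore worth flagging in a mail or link scanner. The sample HTML, the charset example and the function names are constructed for this example.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Constructed samples: the two forms shown on the slides plus a parameterised one.
SAMPLE_URIS = [
    "data:text/html,<body>hi</body>",
    "data:text/html;base64,PGJvZHk+aGk8L2JvZHk+",
    "data:text/plain;charset=utf-8,hello%20world",
]

# Constructed mail body with a data: link hidden behind innocuous anchor text.
SAMPLE_HTML = '<p>Please <a href="data:text/html;base64,PGJvZHk+aGk8L2JvZHk+">verify</a> ' \
              'or <a href="https://example.test/help">get help</a>.</p>'


def parse_data_uri(uri):
    """Parse an RFC 2397 data URI into (media_type, params, payload_bytes)."""
    if not uri.lower().startswith("data:"):
        raise ValueError("not a data URI")
    header, sep, body = uri[5:].partition(",")
    if not sep:
        raise ValueError("data URI has no ',' separating header from data")
    parts = header.split(";") if header else []
    # RFC 2397: an omitted media type means text/plain
    media_type = parts[0] if parts and parts[0] else "text/plain"
    params = {}
    is_base64 = False
    for p in parts[1:]:
        if p.lower() == "base64":
            is_base64 = True
        elif "=" in p:
            k, v = p.split("=", 1)
            params[k.lower()] = v
    if is_base64:
        # Browsers tolerate missing '=' padding, so do the same before decoding
        padded = body + "=" * (-len(body) % 4)
        payload = base64.b64decode(padded)
    else:
        payload = unquote_to_bytes(body)
    return media_type.lower(), params, payload


# Media types a browser will render as a document that can execute script.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def classify_data_uri(uri):
    """'active-content' if the type itself renders as a scriptable document,
    'embedded-script' if an inert type still carries script markup, else 'inert'."""
    media_type, _params, payload = parse_data_uri(uri)
    if media_type in ACTIVE_TYPES:
        return "active-content"
    lowered = payload.lower()
    if b"<script" in lowered or b"javascript:" in lowered:
        return "embedded-script"
    return "inert"


# Quoted href values only: an unencoded HTML payload may itself contain '<' and '>'.
_HREF_RE = re.compile(r'href=["\'](data:[^"\']+)["\']', re.IGNORECASE)


def find_data_links(html):
    """Return every data: URI used as a link target, with its classification."""
    return [(uri, classify_data_uri(uri)) for uri in _HREF_RE.findall(html)]


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(parse_data_uri(uri), classify_data_uri(uri))
    print(find_data_links(SAMPLE_HTML))
```

A mail gateway or link-rewriting proxy would apply find_data_links to the rendered body; any "active-content" hit is a document the recipient's browser will execute locally, with no server for the hosting provider to take down.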

DATA URI + Google Forms + Tiny URL = Beauty

Combining all of these gives a beautiful phishing attack.

A Perfect addition to Social Engineering.

Basic Idea

Diagram: FB Server; http://tinyurl.com/fb; data:text/html,<body>hi</body> injected with our JavaScript; credentials; Google Spreadsheet (JavaScript to do the work).

DEMO: http://www.youtube.com/watch?v=htoiNO50fBc

Channelizing Google SpreadSheet

Google SpreadSheet can store data online.

You can export the contents of the spreadsheet as JSON, RSS and TSV.

Read and write remotely.

SSL. Hmmm!

What else do you want?

Selecting the right URL format

Chart: Data Length by export format (JSON, RSS, TSV, Source); y-axis 0 to 600000.

Chart: Execution Time by export format (JSON, RSS, TSV, Source); y-axis 0 to 9.

TSV

RSS

What is xBOT?

xBOT is a PoC bot.

Uses Google Spreadsheet and Forms to implement its communication channel.

Uses Google DATA API to extract the commands.

Uses a third-party server for file hosting.

xBOT Architecture

Diagram components: Google Form, Google Spreadsheet, xbot.py (xBOT Victim), File Hosting.

Diagram flows: Send Commands (Command and Control to Google Form); Get Commands every 4 sec (xbot.py from Google Spreadsheet); Send Response (xbot.py to Google Form); File Upload and File URL (xbot.py to File Hosting).

DEMO: http://www.youtube.com/watch?v=TBP7ynUalOY

Conclusion

Nasty things can be built over innocent stuff.

These are some possible ways an attacker could use.

Interesting fact: there is no captcha for Google Forms.

That's all.

Thank You

@ajinabraham

ajin.abraham@owasp.org