Google Docs XSPA / SSRF
Posted on 10 September 2016
================================================================================ # Google Docs - XSPA/SSRF ================================================================================ # Author: Ashiyane Digital Security Team # Vendor Homepage: http://docs.google.com/ # Date : 09 September 2016 # Vulnerability Type : Cross Site Port Attack (XSPA) [CWE-918] # Intercept proxy used : BurpSuite # Contact: hehsan979@gmail.com ================================================================================ # Description : XSPA allows attackers to abuse available functionality in most web applications to port scan intranet and external Internet facing servers and etc , Here is some different attacks that can be launched because of XSPA : 1.fingerprint intranet web applications using standard application default files and behavior 2.Attacking internal/external web applications that are vulnerable to GET parameter based vulnerabilities 3.Port Scanning remote Internet facing servers, intranet devices and the local web server itself and Banner grabbing is also possible in some cases. 4.identify web application frameworks 5.exploit vulnerable programs 6.run code on reachable machines 7.listening on internal networks and read local files using the file protocol and much more. Using XSPA Vulnerability for port scanning it depends on this parameters : the "Response Byte Size" or "Response Recivied Time" or some "Unique Error Messages" (such as "Connection refused" or "timeouts" or "Service was not reachable") which means for identify port status (open/closed ports) An attacker should analyze the returned of response of those parameters. the terms of open/closed ports : 1.if the Response returned has Error Messages or page has any changes that means the port is closed else port is open. Note : sometimes attackers got nothing of error and reaction of the page so in this situation,he check "Response Recivied Time". for recognition via the "Response Recivied Time" you should know that , the closed ports always take a long time to returned response and the open ports just take a little time because when the port is open the web server can connect to that port immediately and easily and you can test this issue using a simple telnet command on any web server you want,so now : 2.each row on "Response Recivied Time" that has the number digit lower than others which means that port is open else is closed. for example we have a vulnerable target (https://example.org/viewer?url=http://example.com:[Ports]) and we test this ports on that target : 80,443,21,25,110,995 and after our attacks done we got numbers something like below in Response Recivied column : Ports | Response Recivied ------------------------- 443 | 1320 21 | 400 >> Open Port 80 | 520 >> Open Port 25 | 1350 110 | 450 >> Open Port 995 | 1353 as we said "the closed ports take a long time to returned response" so we can separate results as the open ports and closed ports. > The Open Ports : Ports | Response Recivied ------------------------- 21 | 400 >> Open Port 80 | 520 >> Open Port 110 | 450 >> Open Port The Closed Ports : Ports | Response Recivied ------------------------- 443 | 1320 25 | 1350 995 | 1353 so now after we found SSRF on docs.google.com ,it's time to try to test XSPA for port scanning on docs.google.com. in this part we used BurpSuite as Intercept proxy to attack and then we analyze "Response Recivied" column. # Proof Of Content : 1.open BurpSuite. 2.in BurpSuite Take a cookie of url such as : https://docs.google.com/viewerng/viewer?url=http://ashiyane.org 3.send url to the "Intruder" tab. 4.set the payload positon tab on port part such as : https://docs.google.com/viewerng/viewer?url=http://ashiyane.org:$1$ 5.create or add a payload of ports you want to scan in "payloads" tab. 6.start attack. 7.after attacks done check the results on the "Response Recivied" column according to the description part. ================================================================================ # Discovered By : Ehsan Hosseini , V For Vendetta , Und3rgr0und ================================================================================