Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

GHDB - Google Hacking Database

From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Mon, 21 May 2007 16:09:15 +0100
http://www.gnucitizen.org/projects/ghdb
http://www.gnucitizen.org/

GHDB (a.k.a. Google Hacking Database) is HTML/JavaScript wrapper
application that uses advance JavaScript techniques to scrape
information from Johnny's Google Hacking Database without the need for
hosted server side scripts.

    In attempt to show the real dangers of AJAX APIs I've created
completely harmless interface to Johnny's Google Hacking Database.
Keep in mind that no service side scripts are required from my side.
Also, keep in mind that all I am providing here is a single HTML page
with a few JavaScript files to glue the interface together.

    The danger that I am trying to show here is that by mashing up a
few services, attackers can create something which I would like to
call a super worm. Super Worms, in terms of Web Application Security,
are the successors of AJAX Worms! Original AJAX worms spread across a
single domain, mimicking retro viral code: the worm does not leave the
medium it infects. Super Worms can go further by exploiting other
domains/mediums as well such as other websites, local and remote
devices, etc.

    It took me 2 hours to put the application together. Most of the
time I spent on the style sheets and the GUI. The core application
functionalities were delivered within 5 minutes.

    Why this application is interesting you may ask? If I am not
hosing any server side scripts on my side, and Johnny's
johnny.ihackstuff.com does not provide any JSON export of the database
either, how the heck I still manage to fetch the data? Well, I am
using a screen scraper which is entirely based online. Online services
are very Web2.0 so expect to see more of them very soon. For Web based
malware, this means that they no longer need server side support. That
is quite scary.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: