Google hacking for penetration tester - part 39 pptx

Web section so we get the complete query. Notice that many of the results point to .jpg, .gif or .png images. There are quite a few going to the Ad Indicator service provided by Google, but the most interesting ones are those that point to the GwebSearch service. Figure 10.7 shows what the live capture might look like.
Figure 10.6 Show all Results Button
Figure 10.7 LiveHTTP Headers Capture
Figure 10.7 shows the format of the URL that is used to retrieve the queries. Here is an
example:
Hacking Google Services • Chapter 10 381
452_Google_2e_10.qxd 10/5/07 1:12 PM Page 381
[…]tkp=0&rsz=large&hl=en&gss=.com&sig=51248261809d756101be2fa94e0ce277&q=VW%20Beetle&key=internal&v=1.0
Table 10.1 lists each of the GET parameters and describes what they do.
Table 10.1 GET Parameters

parameter   value                              description
callback    GwebSearch.RawCompletion           the callback JavaScript function for the results
context     0                                  -
lstkp       0                                  -
rsz         large                              the size of the query
hl          en                                 language preferences
gss         .com                               -
sig         51248261809d756101be2fa94e0ce277   -
q           VW%20Beetle                        the actual query/search
key         internal                           the key (use the internal key)
v           1.0                                version of the API
As an exercise, we can build a URL from these parameters, providing different values that we think are suitable for the task. For example:
www.google.com/uds/GwebSearch?callback=our_callback&context=0&rsz=large&q=GHDB&key=internal&v=1.0
Notice that we have changed the callback parameter from “GwebSearch.RawCompletion” to “our_callback”, and we are executing a search for GHDB. Executing this URL inside your browser will result in a JavaScript return call. This technique is also known as JavaScript on Demand or JavaScript remoting, and the results are shown below.
(In the captured response below, “[…]” marks portions of URLs that are missing from this extract.)
our_callback('0',{"results":[
{"GsearchResultClass":"GwebSearch",
 "unescapedUrl":"http://johnny.ihackstuff.com/index.php?module\u003Dprodreviews",
 "url":"http://johnny.ihackstuff.com/index.php%3Fmodule%3Dprodreviews",
 "visibleUrl":"johnny.ihackstuff.com","cacheUrl":"[…]uff.com",
 "title":"johnny.ihackstuff.com - Home","titleNoFormatting":"johnny.ihackstuff.com - Home",
 "content":"Latest Downloads. File Icon \u0026quot;No-Tech Hacking\u0026quot; Sample Chapter
 \u0026middot; File Icon Yo Yo SKillz #1 \u0026middot; File Icon Aggressive Network Self-Defense
 Sample Chapter \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"[…]p","visibleUrl":"johnny.ihackstuff.com",
 "cacheUrl":"[…]u003Dcache:MxfbWg9ik-MJ:johnny.ihackstuff.com",
 "title":"Google Hacking Database","titleNoFormatting":"Google Hacking Database",
 "content":"Welcome to the Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)! We call them
 \u0026#39;googledorks\u0026#39;: Inept or foolish people as revealed by Google. Whatever you call
 these fools, \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"[…].sourceforge.net",
 "cacheUrl":"[…]J:ghh.sourceforge.net",
 "title":"GHH - The \u0026quot;Google Hack\u0026quot; Honeypot",
 "titleNoFormatting":"GHH - The \u0026quot;Google Hack\u0026quot; Honeypot",
 "content":"\u003Cb\u003EGHDB\u003C/b\u003E Signature #734 (\u0026quot;File Upload Manager v1.3\u0026quot;
 \u0026quot;rename to\u0026quot;) \u003Cb\u003E \u003C/b\u003E \u003Cb\u003EGHDB\u003C/b\u003E Signatures are
 maintained by the johnny.ihackstuff.com community. \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"[…]eUrl":"thebillygoatcurse.com",
 "cacheUrl":"[…]:O30uZ81QVCcJ:thebillygoatcurse.com",
 "title":"TheBillyGoatCurse.com \u00BB Blog Archive \u00BB Convert \u003Cb\u003EGHDB\u003C/b\u003E",
 "titleNoFormatting":"TheBillyGoatCurse.com \u00BB Blog Archive \u00BB Convert GHDB",
 "content":"The Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E) has one problem\u2026 it only
 uses the Google search index. The trouble is that advanced search syntax can differ between
 \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"[…]26topic\u003D184.msg328;topicseen",
 "url":"[…]option%3Dcom_smf%26Itemid%3D35%26topic%3D184.msg328%3Btopicseen",
 "visibleUrl":"www.ethicalhacker.net","cacheUrl":"[…]wJ:www.ethicalhacker.net",
 "title":"The Ethical Hacker Network - Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)",
 "titleNoFormatting":"The Ethical Hacker Network - Google Hacking Database (GHDB)",
 "content":"The Ethical Hacker Network - Your educational authority on penetration testing and
 incident response., Google Hacking Database (\u003Cb\u003EGHDB\u003C/b\u003E)"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"[…]loads/GHDB.xml","visibleUrl":"snakeoillabs.com",
 "cacheUrl":"[…]earch?q\u003Dcache:5nsf_DfjX4YJ:snakeoillabs.com",
 "title":"\u003Cb\u003Eghdb\u003C/b\u003E xml","titleNoFormatting":"ghdb xml",
 "content":"PS: this vulnerability was found early this year (search google for the full report), but
 was never added to the \u003Cb\u003EGHDB\u003C/b\u003E for some reason. \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"[…]/ghdb","visibleUrl":"www.gnucitizen.org",
 "cacheUrl":"[…]\u003Dcache:dPVtU_3tmnMJ:www.gnucitizen.org",
 "title":"\u003Cb\u003EGHDB\u003C/b\u003E | GNUCITIZEN","titleNoFormatting":"GHDB | GNUCITIZEN",
 "content":"\u003Cb\u003EGHDB\u003C/b\u003E (aka Google Hacking Database) is HTML/JavaScript wrapper
 application that uses advance JavaScript techniques to scrape information from Johnny\u0026#39;s Google
 \u003Cb\u003E \u003C/b\u003E"},
{"GsearchResultClass":"GwebSearch","unescapedUrl":"[…]cheUrl":"[…]e":"Menu","titleNoFormatting":"Menu",
 "content":"\u003Cb\u003E \u003C/b\u003E to contact us for any reason, or maybe just leave a comment
 (good, bad or ugly, but not offensive) in our guestbook. Best regards The team at
 \u0026#39;\u003Cb\u003EGHDB\u003C/b\u003E\u0026#39; \u003Cb\u003E \u003C/b\u003E"}
],"adResults":[]}, 200, null, 200)
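As an added example (not code from the book), here is how a client can consume a JSONP reply in the format captured above without executing it, together with the callback-name check a JSONP endpoint should apply before reflecting the callback parameter into script. The function names are mine and the sample reply is constructed, trimmed to two results.

```javascript
// Added example, not the book's code. Constructed sample reply at the bottom.
// A JSONP endpoint echoes the `callback` parameter into executable script, so
// it must accept only a plain (optionally dotted) identifier such as
// GwebSearch.RawCompletion; anything else can smuggle code into the reply.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function isSafeCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Split "arg1, arg2, ..." at top-level commas only (not inside strings, objects, arrays).
function splitTopLevelArgs(s) {
  const args = [];
  let depth = 0, quote = null, start = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") quote = c;
    else if (c === '{' || c === '[') depth++;
    else if (c === '}' || c === ']') depth--;
    else if (c === ',' && depth === 0) { args.push(s.slice(start, i)); start = i + 1; }
  }
  args.push(s.slice(start));
  return args.map((a) => a.trim());
}

// Google's first argument is the single-quoted '0'; JSON needs double quotes.
function parseArg(a) {
  if (a[0] === "'") return JSON.parse('"' + a.slice(1, -1).replace(/"/g, '\\"') + '"');
  return JSON.parse(a);                    // never eval() the reply
}

// Returns { callback, args } or throws if the text is not well-formed JSONP.
function parseJsonp(text) {
  const m = /^\s*([\w$.]+)\s*\(([\s\S]*)\)\s*;?\s*$/.exec(text);
  if (!m || !isSafeCallbackName(m[1])) throw new Error('not a well-formed JSONP reply');
  return { callback: m[1], args: splitTopLevelArgs(m[2]).map(parseArg) };
}

// The results payload is the second argument (b in our_callback(a, b, c, d, e)).
function resultUrls(parsed) {
  const payload = parsed.args[1];
  return payload && Array.isArray(payload.results) ? payload.results.map((r) => r.url) : [];
}

const SAMPLE = `our_callback('0',{"results":[{"GsearchResultClass":"GwebSearch",` +
  `"url":"http://johnny.ihackstuff.com/index.php%3Fmodule%3Dprodreviews","title":"johnny.ihackstuff.com - Home"},` +
  `{"GsearchResultClass":"GwebSearch","url":"http://ghh.sourceforge.net/","title":"GHH - The \\u0026quot;Google Hack\\u0026quot; Honeypot"}],` +
  `"adResults":[]}, 200, null, 200)`;
```

`resultUrls(parseJsonp(SAMPLE))` yields the two result URLs; a reply whose callback name is not a bare identifier is rejected before any of it is interpreted.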
Hacking into the AJAX Search Engine

Now that we know how to query Google through their AJAX interface, let’s see how we can access the data. We will begin with the following HTML, which can be pasted into a blank HTML file and opened with a browser:
<html>
<head>
<title>Hacking AJAX API</title>
</head>
<body>
<script>
// Called by the GwebSearch script; the second argument carries the results
function our_callback(a, b, c, d, e) {
  for (var i = 0; i < b.results.length; i++) {
    var link = document.createElement('a');
    link.href = b.results[i].url;
    link.innerHTML = b.results[i].url;
    document.body.appendChild(link);
    var br = document.createElement('br');
    document.body.appendChild(br);
  }
}
</script>
<!-- the beginning of the src URL is missing from this extract -->
<script type="text/javascript"
  src="[…]&q=GHDB&key=internal&v=1.0"></script>
</body>
</html>
This code submits a request for GHDB to Google’s GwebSearch service. Notice that the callback parameter points back to our_callback, which is defined earlier in the code. The function simply grabs the data and presents it inside the page DOM (Document Object Model) in the form of links.
Although this looks interesting, there is a lot more that we can do. Let’s have a look at the following example, which dynamically grabs all entries from a particular category of the Google Hacking Database, performs test queries and lists the results within a single page:
<html>
<head>
<title>GHDB Lister</title>
</head>
<body>
<script>
// Load a JSONP URL: register a uniquely named global callback and substitute
// its name for the {callback} placeholder before injecting the script tag
function get_json(url, callback) {
  // timestamp plus counter: several calls in the same millisecond must not
  // share (and overwrite) one global callback name
  get_json.n = (get_json.n || 0) + 1;
  var name = '__json_' + (new Date).getTime() + '_' + get_json.n;
  var s = document.createElement('script');
  s.src = url.replace('{callback}', name);
  window[name] = callback;
  document.body.appendChild(s);
}
// Step 1: fetch the GHDB category summary through Dapper (the beginning of
// the Dapper URL is missing from this extract)
get_json('[…]transformer=JSON&extraArg_callbackFunctionWrapper={callback}&applyToUrl=http%3A//johnny.ihackstuff.com/ghdb.php%3Ffunction%3Dsummary%26cat%3D19',
  function (data) {
    console.log(data);
    for (var i = 0; i < data.groups.entry.length; i++) {
      var query = data.groups.entry[i].query[0].value;
      var description = data.groups.entry[i].description[0].value;
      // Step 2: run each GHDB query through the GwebSearch service (the
      // beginning of this URL is missing from this extract as well)
      get_json('[…]rge&q=' + escape(query) + '&key=internal&v=1.0',
        function (a, b, c, d, e) {
          if (!b) {
            return;
          }
          for (var i = 0; i < b.results.length; i++) {
            var link = document.createElement('a');
            link.href = b.results[i].url;
            link.innerHTML = b.results[i].url;
            document.body.appendChild(link);
            var br = document.createElement('br');
            document.body.appendChild(br);
          }
        });
    }
  });
</script>
</body>
</html>
After running the example, you will see a page similar to the one shown in Figure 10.8.
Figure 10.8 Result Page
Let’s examine the file. As you can see, the page has only one script block. This block is responsible for obtaining a list of queries from the GHDB via the Dapper ([…]) screen scraping service. We scrape the URL […], which corresponds to GHDB entry 19, also known as “Advisories and Vulnerabilities”. The scraper obtains several other interesting things that we are not interested in for now.
Notes from the Underground…
Screen Scraping with Dapper
Using Dapper to screen scrape various security related databases and using the information as part of a well planned client-side oriented attack vector was discussed for the first time at OWASP, Italy 2007 by the author, Petko D. Petkov, also known as pdp (architect). For more information on the topic you can visit […] and […].
Once the list is retrieved, we enumerate each entry and build the custom Google AJAX API queries:
get_json('[…]&rsz=large&q=' + escape(query) + '&key=internal&v=1.0',
As you can see, instead of a static string, we actually supply a query that is taken
from the information obtained from GHDB. The subsequent request to Google AJAX
Search API will retrieve the sample results and the callback functions will render them
inside the page DOM.
It is important to understand the purpose of the function get_json. This function is just a helper that saves us a lot of time writing the same procedures over and over again. The get_json function simply generates a unique name for the callback parameter and assigns it at the global scope. Then, it supplies the name to the callback field marked with the placeholder {callback} and calls the external script.
This technique was successfully implemented as part of the GHDB Proof of Concept application hosted at […] (Figure 10.9).
Figure 10.9 GNUCITIZEN GHDB
The application scrapes all the information from Johnny Long’s Google Hacking Database at […] dynamically and presents it to the user in a nice graphical form. You can browse through each vector by selecting a category and then selecting the query that you are interested in. Notice that the application provides live feedback every time we select a query. The bottom part of the window contains the top searches, obtained through Google’s AJAX Search API interface.
Notes from the Underground…
XSS and AJAX Worms
This technique can be implemented by XSS/AJAX worms to locate targets and exploit them, thus ensuring future generations. XSS/AJAX worms usually propagate within the domain of origin. This is due to the inability of JavaScript to perform cross-site requests. The technique presented in this chapter allows worms to bypass the JavaScript restrictions and access other resources on-line. For more information on the subject please check the following resources: […]search-api-worms and […]citizen.org/blog/the-web-has-betrayed-us.
Calendar
Google Calendar is a powerful calendar management application which supports features like calendar sharing, creation of invitations, search and calendar publishing. The service is also integrated with Google Mail (GMail) and can be accessed via a mobile device. All in all, Google Calendar is a very useful addition to our day-to-day work.
Calendar sharing in particular is a very useful feature, since individual users can maintain event lists and calendars in which others may be interested as well. Usually, in order to share a calendar you have to explicitly do so from the calendar management interface, as shown in Figure 10.10.
Figure 10.10 Calendar Management Interface
Once the calendar is shared, everyone will be able to look at it or even subscribe to the events that are inside. This can be done via the Calendar application or any RSS feed reader.
To a security expert, these shared calendars are especially interesting. Very often, even when performing the most basic searches, it is entirely possible to stumble across sensitive information that can be used for malicious purposes. For example, logging into Calendar and searching for the term “password” returns many results, as shown in Figure 10.11.
Figure 10.11 Calendar Search for “password”
As you can see, there are several calendar entries that meet our search criteria. Among
them, there are a few that are quite interesting and worth our attention. Another interesting
query that brings a lot of juicy information is “passcode”, as shown in Figure 10.12.
Figure 10.12 Calendar Search for “passcode”
