BrightonSEO - How to use XPath with eCommerce Websites
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Recomendadas
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Semelhante a SearchLove Boston 2018 - Tom Anthony - Hacking Google: what you can learn from ethical vulnerability research (20)
Mais de Distilled (20)
Mais recentes (20)
SearchLove Boston 2018 - Tom Anthony - Hacking Google: what you can learn from ethical vulnerability research
- 1. HACKING GOOGLE Learning from Ethical Vulnerability Research @TomAnthonySEO
- 2. 20 years ago…
- 3. I’d hacked into a corporate network…
- 4. 287 Years
- 5. Bug Bounty programs didn’t exist yet…
- 6. Turns out, SEO required same mindset…
- 7. Social Network Login Status Googlebot Experiments Google Manual Actions XML Sitemaps Manipulation
- 8. Turns out you can combine SEO + Vulnerability Research… • 1st page of results • 6 days old domain • 0 links
- 9. Allowing for SEO results like this, one day to the next…
- 10. Social Network Login Status
- 11. DETECT WHICH SOCIAL NETWORKS PEOPLE ARE LOGGED INTO http://www.tomanthony.co.uk/tools/detect-social-network-logins/
- 12. facebook.com/tomsprofile
- 13. facebook.com/tomsprofile facebook.com/login?continue=/tomsprofile 302 redirect to: Page served (200): facebook.com/tomsprofile
- 14. facebook.com/login?continue=/tomsprofile facebook.com/tomsprofile facebook.com/login?continue=/tomsprofile Page served (200): 302 redirect to:
- 15. facebook.com/login?continue=/tomsprofile facebook.com/tomsprofile facebook.com/login?continue=/tomsprofile Page served (200): 302 redirect to: Already logged in, so just redirect to the intended page.
- 16. facebook.com/login?continue=/logo.png facebook.com/logo.png facebook.com/login?continue=/logo.png Page served (200): 302 redirect to:
- 17. facebook.com/login?continue=/logo.png facebook.com/logo.png facebook.com/login?continue=/logo.png Page served (200): 302 redirect to: Already logged in, so redirect and serve the image.
- 18. facebook.com/login?continue=/logo.png Image Webpage
- 19. onerror="alert('anonymous')" onsuccess="alert('loggedin')" /> <img src=“facebook.com/login?continue=/logo.png” onerroronsuccess alert('anonymous')alert('loggedin')
- 20. OTHERS HAVE EXTENDED IT https://robinlinus.github.io/socialmedia-leak/
- 21. PUMP IT INTO GA
- 22. CUSTOMISE SOCIAL BUTTONS
- 23. LOGGED IN TO A COMPETITOR?
- 24. Social Network preferences can be recorded*/used. TAKEAWAY * something something GDPR
- 25. Redirects can be abused to get unexpected behaviours OBSERVATION
- 26. Googlebot Experiments
- 27. GOOGLEBOT & COOKIES
- 28. GOOGLEBOT & COOKIES
- 29. GOOGLEBOT JAVASCRIPT - RANDOM IS NOT RANDOM! Math.random() = 0.19426893815398216
- 30. SCRIPTS THAT SHOULD BE RANDOM CAN DETECT GOOGLEBOT
- 31. GOOGLEBOT JAVASCRIPT - SECONDS ARE NOT SECONDS setTimeout(doSomething, 5000) Browsers will wait 5000 milliseconds (5 seconds). GoogleBot fast forwards (dates become wrong).
- 32. GoogleBot does accept cookies in certain scenarios. TAKEAWAY
- 33. GoogleBot uses heavily optimised Javascript. TAKEAWAY
- 34. There are undocumented functionalities in GoogleBot OBSERVATION
- 35. Google Manual Actions
- 36. The Snag
- 37. MANUAL ACTIONS TOOL
- 38. API ENDPOINT https://www.google.com/webmasters/tools/gwt/MANUAL_ACTION_PUBLIC? hl=en&siteUrl=http://www.tomanthony.co.uk/
- 39. POST DATA 7|0|13|https://www.google.com/webmasters/tools/gwt/| DE16AEA7C924CC47F26F7ADC4C584289| com.google.crawl.wmconsole.fe.feature.gwt.manualaction.shared. ManualActionService|getManualActions| com.google.crawl.wmconsole.fe.feature.gwt.base.shared.FeatureC ontext/1637625730|java.lang.String/2004016611|/webmasters/ tools|java.lang.Boolean/476441737| com.google.crawl.wmconsole.fe.feature.gwt.config.FeatureKey/ 4151209095|0|en|http://www.tomanthony.co.uk/| com.google.crawl.wmconsole.fe.base.PermissionLevel/2603202488| 1|2|3|4|2|5|6|5|7|8|0|0|9|5|10|11|12|12|13|5|12|
- 40. RESPONSE (NO PENALTY)
- 41. ELITE HACKING SKILLZ 7|0|13|https://www.google.com/webmasters/tools/gwt/| DE16AEA7C924CC47F26F7ADC4C584289| com.google.crawl.wmconsole.fe.feature.gwt.manualaction.shared. ManualActionService|getManualActions| com.google.crawl.wmconsole.fe.feature.gwt.base.shared.FeatureC ontext/1637625730|java.lang.String/2004016611|/webmasters/ tools|java.lang.Boolean/476441737| com.google.crawl.wmconsole.fe.feature.gwt.config.FeatureKey/ 4151209095|0|en|http://www.apple.com/| com.google.crawl.wmconsole.fe.base.PermissionLevel/2603202488| 1|2|3|4|2|5|6|5|7|8|0|0|9|5|10|11|12|12|13|5|12|
- 42. GOOGLE HAPPY TO SHARE
- 43. POSSIBLE TO SIMPLE CRAWL LIST OF MANUAL ACTIONS
- 44. SOME SITES HAD MORE PROBLEMS THAN OTHERS…
- 45. At this point, I’d confirmed there was a definite security issue, and reported it to Google.
- 46. OMINOUS MATT CUTTS EMAILS… :D * Matt was actually great
- 47. GOOGLE RESPONSE ✓ Acknowledged report in only 11 minutes! ✓ Triaged in a couple of hours. ✓ Fixed and back online in 4 days. ✓ $5000 bounty.
- 48. A lot more sites have manual penalties than you may think! TAKEAWAY
- 49. Google Search Console also has security gaps OBSERVATION
- 50. So far not shown any direct manipulation of rankings…
- 51. Disclaimer: Distilled don’t condone blackhat. Blackhat is naughty & bad.
- 52. XML Sitemaps Manipulation
- 53. Redirects can be abused to get unexpected behaviours OBSERVATION
- 54. There are undocumented functionalities in GoogleBot OBSERVATION
- 55. Google Search Console also has security gaps OBSERVATION
- 56. Can we put all that together?
- 57. SUBMITTING AN XML SITEMAP ✓ Search Console ✓ robots.txt
- 58. SUBMITTING AN XML SITEMAP
- 59. SUBMITTING AN XML SITEMAP Not entirely true…
- 60. CAN SUBMIT NEW SITEMAP FILES VIA THE PING URL ✓ Typically crawled within seconds ✓ No auth - ping sitemaps for any domain ✓ Google follows redirects
- 61. CAN SUBMIT NEW SITEMAP FILES VIA THE PING URL ✓ Typically crawled within seconds ✓ No auth - ping sitemaps for any domain ✓ Google follows redirects Interesting…
- 62. GOOGLE’S CHECKLIST FOR A VALID XML SITEMAP ✓ Sitemap must be correctly formatted ✓ The URLs must exist ✓ Site containing the URLs must be in GSC ✓ Site hosting the sitemap must be in GSC
- 63. GOOGLE’S CHECKLIST FOR A VALID XML SITEMAP ✓ Sitemap must be correctly formatted ✓ The URLs must exist ✓ Site containing the URLs must be in GSC ✓ Site hosting the sitemap must be in GSC Interesting…
- 64. GOOGLE’S CHECKLIST FOR A VALID XML SITEMAP ✓ Site hosting the sitemap must be in GSC
- 65. OBSERVATIONS ✓ Google follows redirects ✓ Site hosting sitemap must be in GSC
- 66. OBSERVATIONS ✓ Google follows redirects ✓ Site hosting sitemap must be in GSC ✓ Will Google follow a x-domain sitemap redirect? ✓ Will they ‘trust' it? QUESTIONS
- 67. Will Google follow a cross domain redirect for a sitemap? QUESTION ?
- 68. SIMPLE TEST 1. Hosted a sitemap.xml on blue.com 2. Setup a redirect script on green.com 3. Ping green.com?next=blue.com/sitemap.xml https://www.google.com/webmasters/sitemaps/ping? sitemap=http://green.com/next/blue.com/sitemap.xml
- 69. Will Google follow a cross domain redirect for a sitemap? YES
- 70. Will they ‘trust' it? (if submitted via ping url) QUESTION ?
- 71. Will they ‘trust' it? Let’s assume…
- 72. How could we EXPLOIT it? QUESTION ?
- 73. JONO IS OUR INNOCENT VICTIM jono.com
- 74. REDIRECT URLS STRIKE BACK! jono.com/logout?continue=/page.html
- 75. VICTIM & ATTACKER jono.com tom.com
- 76. OPEN REDIRECTS (CROSS DOMAIN) jono.com/logout?continue=tom.com/page.html
- 77. WHAT HAPPENS IF WE DO THIS? jono.com/logout?continue=tom.com/evil.xml
- 78. WHAT HAPPENS IF WE DO THIS? jono.com/logout?continue=tom.com/evil.xml URL on jono.com, but serves XML Sitemap from tom.com.
- 79. WHAT HAPPENS IF WE DO THIS??? https://www.google.com/webmasters/sitemaps/ping? sitemap=http://jono.com/logout?continue=tom.com/evil.xml
- 80. WHAT HAPPENS IF WE DO THIS??? https://www.google.com/webmasters/sitemaps/ping? sitemap=http://jono.com/logout?continue=tom.com/evil.xml Ping the URL to submit the sitemap. Will Google think the evil sitemap belongs to jono.com?
- 81. PINGING SITEMAPS CROSS-DOMAIN ✓ Google follows the redirect, and crawls it. ✓ Google trusts it as canonical to the originating domain. https://www.google.com/webmasters/sitemaps/ping? sitemap=http://jono.com/logout?continue=tom.com/evil.xml
- 82. WE CAN NOW SUBMIT TRUSTED SITEMAPS FOR OTHER SITES
- 83. We can now submit hreflang entries for other sites…
- 84. Lets try it in the wild…
- 85. DISCLAIMER I’m showing real results, but an alternative (similarly sized) UK retailer in the screenshots.
- 86. EXPERIMENT: HIJACK TESCO.COM INTERNATIONAL EQUITY
- 87. UK PRESENCE, BUT NO US PRESENCE
- 88. HIJACK UK EQUITY TO RANK IN US
- 89. HIJACK UK EQUITY TO RANK IN US
- 90. STEP 1: FIND A REDIRECT
- 91. STEP 1: FIND A REDIRECT
- 92. STEP 2: REGISTER A DOMAIN ($12) TESCOGLOBAL.COM
- 93. STEP 3: SETUP A NEW SITE ✓ Scrape contents for products/categories ✓ Mirror the URL structure
- 94. STEP 4: CREATE AN EVIL SITEMAP
- 95. STEP 5: PING OUR EVIL SITEMAP (HOSTED ON OUR FAKE SITE) https://www.google.com/webmasters/sitemaps/ping? sitemap=http://www.tesco.com/logout? continue=http://tescoglobal.com/sitemap_global.xml
- 96. RESULTS: CRAWL ACTIVITY APPEARS IN SEARCH CONSOLE
- 97. RESULTS: SEARCH VISIBILITY GROWS RAPIDLY
- 98. RESULTS: TRAFFIC APPEARING IN GA
- 99. RESULTS: BRITISH TERMS RANKING 1ST FOR MANY QUERIES
- 100. Still only submitted a sitemap, nothing else.
- 101. RESULTS: TRAFFIC KEEPS ON INCREASING…
- 102. RESULTS: SEARCH VISIBILITY GROWS MORE
- 103. RESULTS: I HIT FIRST PAGE FOR COMPETITIVE MONEY TERMS… • 1st page of results • 6 days old domain • 0 links
- 104. RESULTS: MILLIONS OF SEARCH IMPRESSIONS
- 105. ‘LINKS’ APPEAR IN GSC — SHOWING GOOGLE TRUSTS THE SITEMAP
- 106. EARLIER: CAN’T SUBMIT SITEMAPS IN GSC WHEN NOT PERMITTED SITEMAP NOT PERMITTED EXAMPLE:
- 107. NOW: CROSS SUBMITTED THE SITEMAP TO MY GSC, AND IT WAS ALLOWED SITEMAP NOT PERMITTED EXAMPLE: SITEMAP FOR "TESCO.COM" URLS WAS ALLOWED IN “TESCOGLOBAL.COM" GSC:
- 108. EVEN TRACKS INDEXATION… SITEMAP NOT PERMITTED EXAMPLE: SITEMAP FOR "TESCO.COM" URLS WAS ALLOWED IN “TESCOGLOBAL.COM" GSC:
- 109. SUMMARY ✓ Budget: $12 ✓ Setup time: ~4 hours ✓ Other activity: nothing ✓ Links: 0 ✓ Impressions: > 1.5 million ✓ Clicks: > 12,000
- 110. ALMOST UNDETECTABLE
- 111. DEFENCE ✓ No open redirects ✓ If you have them - block in robots.txt ✓ Have a sitemap, with hreflang & media entries ✓ Hide your sitemaps ✓ Check 302s in logs
- 112. FINDING OPEN REDIRECTS ✓ Look for redirect parameter (e.g continue= or next=) ✓ Check login & logout URLs ✓ Site searches, e.g site:www.foo.com inurl:=http ✓ Better with specific sections: site:www.foo.com/bar inurl:=http ✓ Check not blocked in robots.txt ✓ Check openbugbounty.org
- 113. GOOGLE OFFICIAL RESPONSE ✓ I reported it in September 2017 ✓ March 2018 - Google award a bug bounty ✓ March 2018 - Google confirm it is fixed. ✓ April 2018 - Google increase the bug bounty ($5000)
- 114. hreflang entries are ignored if your sitemaps are unverified TAKEAWAY
- 115. Ensure you do not have open redirects on your site! TAKEAWAY (robots.txt block them if you can’t remove them)
- 116. Not seen this attack in wild. Check your logs for 302s. TAKEAWAY
- 117. Be aware, there are these types of potential attacks out there TAKEAWAY (but don’t blame everything on them!)
- 118. Bring back the Hacker Mindset TAKEAWAY
- 119. Thank you! @TomAnthonySEO
