Tom has long been fascinated with how the web works… and how he could break it. In this presentation, Tom will discuss some of the times that he has discovered security issues in Google, Facebook and Twitter. He will discuss compromising Search Console so that he could look up any penalty in the Manual Action tool, how he took control of tens of thousands of websites, and how he recently discovered a major bug that let him rank brand new sites on the first page with no links at all. Tom will outline how these exploits work, and in doing so share some details about the technical side of the web.
31. GOOGLEBOT JAVASCRIPT - SECONDS ARE NOT SECONDS
setTimeout(doSomething, 5000)
Browsers will wait 5000 milliseconds (5 seconds).
Googlebot fast-forwards the timer rather than waiting, so the clock jumps (dates become wrong).
63. CAN SUBMIT NEW SITEMAP FILES VIA THE PING URL
✓ Typically crawled within seconds
✓ No auth - ping sitemaps for any domain
✓ Google follows redirects
Interesting…
65. GOOGLE’S CHECKLIST FOR A VALID XML SITEMAP
✓ Sitemap must be correctly formatted
✓ The URLs must exist
✓ Site containing the URLs must be in GSC
✓ Site hosting the sitemap must be in GSC
Interesting…
69. OBSERVATIONS
✓ Google follows redirects
✓ Site hosting sitemap must be in GSC
QUESTIONS
✓ Will Google follow a cross-domain sitemap redirect?
✓ Will they 'trust' it?
71. SIMPLE TEST
1. Hosted a sitemap.xml on blue.com
2. Set up a redirect script on green.com
3. Ping green.com?next=blue.com/sitemap.xml
https://www.google.com/webmasters/sitemaps/ping?sitemap=http://green.com/next/blue.com/sitemap.xml
80. WHAT HAPPENS IF WE DO THIS?
jono.com/logout?continue=tom.com/evil.xml
URL on jono.com, but serves XML Sitemap from tom.com.
82. WHAT HAPPENS IF WE DO THIS???
https://www.google.com/webmasters/sitemaps/ping?sitemap=http://jono.com/logout?continue=tom.com/evil.xml
Ping the URL to submit the sitemap.
Will Google think the evil sitemap belongs to jono.com?
84. PINGING SITEMAPS CROSS-DOMAIN
✓ Google follows the redirect, and crawls it.
✓ Google trusts it as canonical to the originating domain.
https://www.google.com/webmasters/sitemaps/ping?sitemap=http://jono.com/logout?continue=tom.com/evil.xml
85. WE CAN NOW SUBMIT TRUSTED SITEMAPS FOR OTHER SITES
86. We can now submit hreflang entries for other sites…
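The pattern in slides 80 to 85, as an added example that is not code from the talk: an open-redirect handler of the jono.com/logout?continue= shape beside a hardened version that only honours same-origin paths, the ping URL built with the nested sitemap URL percent-encoded, and the attribution step that made the bug matter (credit going to the pinged host rather than the host that served the file). The hosts jono.com and tom.com are the slides' own; the function names, the handler logic and the fallback path are this example's assumptions, not Google's or the speaker's code.

```python
"""Added example: open redirect + cross-domain sitemap ping, vulnerable and hardened.
Hosts jono.com / tom.com come from the slides; everything else is assumed here."""
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

GOOGLE_PING = "https://www.google.com/webmasters/sitemaps/ping"


def vulnerable_redirect(origin: str, continue_param: str) -> str:
    """Open redirect: the Location header is whatever ?continue= says, resolved
    against the current page. Absolute and scheme-relative (//host) targets
    leave the origin, which is exactly what the attack needs."""
    return urljoin(origin, continue_param)


def safe_redirect(origin: str, continue_param: str, default: str = "/") -> str:
    """Hardened handler: only a same-origin absolute path is honoured; anything
    else falls back to `default` (assumed to be the site root)."""
    fallback = urljoin(origin, default)
    value = continue_param.strip()
    # CR/LF would allow header injection; some browsers treat backslash as a
    # slash, so "/\tom.com" could be read as "//tom.com".
    if not value or any(ch in value for ch in "\r\n\\"):
        return fallback
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:  # http://..., javascript:..., //host/...
        return fallback
    if not value.startswith("/") or value.startswith("//"):
        return fallback
    resolved = urljoin(origin, value)
    # Belt and braces: the resolved host must still be ours.
    if urlsplit(resolved).netloc != urlsplit(origin).netloc:
        return fallback
    return resolved


def build_ping_url(sitemap_url: str) -> str:
    """Ping URL with the sitemap parameter percent-encoded, so a target that
    carries its own ?continue=... query survives as one parameter value."""
    return GOOGLE_PING + "?" + urlencode({"sitemap": sitemap_url})


def pinged_sitemap(ping_url: str) -> str:
    """What the receiving side sees as the submitted sitemap URL."""
    return parse_qs(urlsplit(ping_url).query)["sitemap"][0]


def host_credited(pinged_url: str, served_from: str, trust_final_url: bool) -> str:
    """Which site the sitemap is credited to. The slides report that trust went
    to the pinged host although the file came from elsewhere (trust_final_url
    False); crediting the host that actually served the file closes the hole."""
    return urlsplit(served_from if trust_final_url else pinged_url).netloc


if __name__ == "__main__":
    origin = "http://jono.com/logout"
    evil = "http://tom.com/evil.xml"
    redirect_url = origin + "?continue=" + evil
    print("vulnerable ->", vulnerable_redirect(origin, evil))
    print("hardened   ->", safe_redirect(origin, evil))
    ping = build_ping_url(redirect_url)
    print("ping URL   ->", ping)
    print("credited to (reported behaviour):", host_credited(redirect_url, evil, False))
    print("credited to (after fix):         ", host_credited(redirect_url, evil, True))
```

The hardened handler deliberately refuses scheme-relative and backslash forms rather than trying to normalise them: an allowlist of "one leading slash, no authority" is easier to reason about than a denylist of tricks.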
109. EARLIER: CAN’T SUBMIT SITEMAPS IN GSC WHEN NOT PERMITTED
SITEMAP NOT PERMITTED EXAMPLE:
110. NOW: CROSS-SUBMITTED THE SITEMAP TO MY GSC, AND IT WAS ALLOWED
SITEMAP NOT PERMITTED EXAMPLE:
SITEMAP FOR "TESCO.COM" URLS WAS ALLOWED IN "TESCOGLOBAL.COM" GSC:
114. DEFENCE
✓ No open redirects: validate redirect targets and only allow same-origin paths
✓ If you have them, block them in robots.txt so Google won't follow them
✓ Have your own sitemap, with hreflang & media entries
✓ Hide your sitemaps
✓ Check your logs for 302s, especially redirects to third-party hosts
115. FINDING OPEN REDIRECTS
✓ Look for redirect parameters (e.g. continue= or next=)
✓ Check login & logout URLs
✓ Site searches, e.g. site:www.foo.com inurl:=http
✓ Better with specific sections: site:www.foo.com/bar inurl:=http
✓ Check the redirect URL is not blocked in robots.txt (if it is, Google won't follow it)
✓ Check openbugbounty.org
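For the "check 302s in logs" and "block in robots.txt" defences above, an added example (not from the talk) that scans access-log lines for redirect responses whose request parameter points at another host, flags hits that carry a Googlebot user agent, and emits robots.txt Disallow lines for the endpoints found. The log lines are constructed for the example; jono.com and tom.com come from the slides, while the /logout and /login endpoints and the helper names are assumptions.

```python
"""Added example: find open redirects being used cross-domain in access logs.
Sample log lines are constructed, not real traffic."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/Nginx "combined" format; endpoints are assumed.
LOG_SAMPLE = """\
203.0.113.7 - - [12/Sep/2017:10:01:02 +0000] "GET /logout?continue=http://tom.com/evil.xml HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [12/Sep/2017:10:01:09 +0000] "GET /logout?continue=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2017:10:02:30 +0000] "GET /search?q=sitemap HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2017:10:03:11 +0000] "GET /login?next=//tom.com/evil.xml HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}


def is_external(value: str, own_host: str) -> bool:
    """True if a parameter value would leave own_host when used as a redirect
    target: an absolute URL or a scheme-relative //host form."""
    netloc = urlsplit(value.strip()).netloc
    return bool(netloc) and netloc.lower() != own_host.lower()


def claims_googlebot(ua: str) -> bool:
    """User-agent string match only; anyone can send this header. Confirm real
    Googlebot hits with reverse DNS before relying on the flag."""
    return "Googlebot" in ua


def find_external_redirects(log_text: str, own_host: str) -> list:
    """One finding per redirect response whose request carried a parameter
    pointing at a host other than own_host."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or m["status"] not in REDIRECT_STATUSES:
            continue
        parts = urlsplit(m["target"])
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if is_external(value, own_host):
                    findings.append({
                        "ip": m["ip"],
                        "endpoint": parts.path,
                        "param": param,
                        "target": value,
                        "googlebot": claims_googlebot(m["ua"]),
                    })
    return findings


def robots_disallow(findings: list) -> list:
    """robots.txt lines for the redirect endpoints found. Disallow is a prefix
    match, so "Disallow: /logout" also covers /logout?continue=..."""
    return ["Disallow: " + path for path in sorted({f["endpoint"] for f in findings})]


if __name__ == "__main__":
    hits = find_external_redirects(LOG_SAMPLE, "jono.com")
    for hit in hits:
        flag = " [Googlebot UA]" if hit["googlebot"] else ""
        print(f'{hit["ip"]} {hit["endpoint"]}?{hit["param"]}= -> {hit["target"]}{flag}')
    print("\n".join(robots_disallow(hits)))
```

Run it against a real log by swapping LOG_SAMPLE for the file contents and own_host for your hostname; the second sample line (a same-origin continue=/account) is kept out of the findings on purpose, since only off-host targets matter for this attack.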
116. GOOGLE OFFICIAL RESPONSE
✓ I reported it in September 2017
✓ March 2018 - Google awarded a bug bounty
✓ March 2018 - Google confirmed it is fixed
✓ April 2018 - Google increased the bug bounty ($5000)