Dissecting Google Search Results (for Haystack Project)


Postby dxh » Sun Nov 15, 2009 12:16 pm

Hey everyone,

I'm working on getting clickthrough obfuscation working for Haystack Project, but alas, that part is a bit harder than I figured it would be. As it turns out, simply going to the link with a Google cookie enabled isn't enough to register a clickthrough in your Google Search History. After grabbing the generated (read: optimized to the point of being nightmarish to read) html source code, it seems that they have a JavaScript function that rewrites the URL of a search result when clicked (left or right click, it happens on the onmousedown event). For example, before you click on a search result link, it looks like this:

Code:
<a class="l" onmousedown="return rwt(this,'','','res','2','AFQjCNES_tkCImLOf7awY5kS_uhn9a3Ryg','&sig2=o9xmv5ZAf-z4w1bYl7nbUQ','0CAsQFjAB')" href="http://helderribeiro.net/?tag=gpl" realurl="http://helderribeiro.net/?tag=gpl">

After clicking on it (left or right), it looks like this.

Code:
<a class="l" onmousedown="return rwt(this,'','','res','2','AFQjCNES_tkCImLOf7awY5kS_uhn9a3Ryg','&sig2=o9xmv5ZAf-z4w1bYl7nbUQ','0CAsQFjAB')" href="/url?sa=t&source=web&ct=res&cd=2&ved=0CAsQFjAB&url=http%3A%2F%2Fhelderribeiro.net%2F%3Ftag%3Dgpl&ei=PZP_St_PDYy8sgPR2N2eCg&usg=AFQjCNES_tkCImLOf7awY5kS_uhn9a3Ryg&sig2=o9xmv5ZAf-z4w1bYl7nbUQ" realurl="http://helderribeiro.net/?tag=gpl">

My goal is to fake-navigate (set the source of an invisible iframe) to the URL in the second code block, but I have no idea where the rwt() function is defined, and thus can't .click() the search result <a> element with only the generated html, which doesn't mention rwt() or even a .js file that might include it, thus driving me bananas.

Any ideas, leet haxors? :geek:
...
.dh
dxh
28.8k Modem
 
Posts: 196
Joined: Sun Jan 06, 2008 11:12 am
Location: Hayden's Ferry, Arizona

Re: Dissecting Google Search Results (for Haystack Project)

Postby dxh » Fri Nov 27, 2009 12:30 am

If anyone wants to take a look at the whole result page's source, this is what Opera's DragonFly page inspector pulled up.

http://pastebin.com/f455a00ff

It seems that DragonFly found something useful that Firebug didn't seem to:

Code:
<script>google.y={};google.x=function(e,g){google.y[e.id]=[e,g];return false};window.rwt=function(a,e,f,j,k,g,l,m){try{if(a===window){a=window.event.srcElement;while(a){if(a.href)break;a=a.parentNode}}var b=encodeURIComponent||escape,c;c=a.href;var n=["/url?sa=t","\x26source\x3dweb",e?"&oi="+b(e):"",f?"&cad="+b(f):"","&ct=",b(j||"res"),"&cd=",b(k),"&ved=",b(m),"&url=",b(c).replace(/\+/g,"%2B"),"&ei=","PoIPS6elGZH-tQPviYTmAQ",g?"&usg="+g:"",l].join("");a.href=n;a.onmousedown=""}catch(o){}return true};
window.gbar={qs:function(){},tg:function(e){var o={id:'gbar'};for(i in e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};
</script>


Not exactly the most maintainable looking code to read, but it's a start.
...
.dh

Re: Dissecting Google Search Results (for Haystack Project)

Postby dxh » Sun Nov 29, 2009 1:10 am

dxh wrote:
Code:
<script>google.y={};google.x=function(e,g){google.y[e.id]=[e,g];return false};window.rwt=function(a,e,f,j,k,g,l,m){try{if(a===window){a=window.event.srcElement;while(a){if(a.href)break;a=a.parentNode}}var b=encodeURIComponent||escape,c;c=a.href;var n=["/url?sa=t","\x26source\x3dweb",e?"&oi="+b(e):"",f?"&cad="+b(f):"","&ct=",b(j||"res"),"&cd=",b(k),"&ved=",b(m),"&url=",b(c).replace(/\+/g,"%2B"),"&ei=","PoIPS6elGZH-tQPviYTmAQ",g?"&usg="+g:"",l].join("");a.href=n;a.onmousedown=""}catch(o){}return true};
window.gbar={qs:function(){},tg:function(e){var o={id:'gbar'};for(i in e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};
</script>


Not exactly the most maintainable looking code to read, but it's a start.


FYI, if anyone can translate this ultra-optimized code into something readable and tell me what rwt()'s parameters are supposed to be, I will buy you coffee at the next meeting.
...
.dh
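
A readable equivalent of the minified rwt() quoted above, as an added example (not code from the original posts or from Google), with an inverse that recovers the real destination from a rewritten link. Parameter names are assumptions taken from the query-string keys each argument fills; the original's window.event fallback and try/catch are left out.

```javascript
// Readable equivalent of the minified window.rwt() quoted above.
// Parameter names are assumptions taken from the query-string keys each
// argument fills; they are not Google's own identifiers.
function buildClickUrl(href, p, ei) {
  // encodeURIComponent already escapes "+"; the extra replace only matters
  // for the legacy escape() fallback in the original, which leaves "+" alone.
  const enc = (s) => encodeURIComponent(s).replace(/\+/g, "%2B");
  return [
    "/url?sa=t",
    "&source=web",                    // "\x26source\x3dweb" in the original
    p.oi ? "&oi=" + enc(p.oi) : "",
    p.cad ? "&cad=" + enc(p.cad) : "",
    "&ct=", enc(p.ct || "res"),
    "&cd=", enc(p.cd),
    "&ved=", enc(p.ved),
    "&url=", enc(href),
    "&ei=", ei,                       // constant baked into each served page
    p.usg ? "&usg=" + p.usg : "",     // appended unencoded
    p.sig2Suffix,                     // arrives pre-formatted as "&sig2=..."
  ].join("");
}

// DOM-facing wrapper in rwt()'s argument order: (a, e, f, j, k, g, l, m).
// The ei argument is extra here; the original hard-codes it per page.
function rwtReadable(link, oi, cad, ct, cd, usg, sig2Suffix, ved, ei) {
  link.href = buildClickUrl(link.href,
    { oi, cad, ct, cd, usg, sig2Suffix, ved }, ei);
  link.onmousedown = "";              // rewrite once, then detach the handler
  return true;
}

// Inverse: recover the real destination from a rewritten result link.
function extractTarget(rewrittenHref) {
  const query = rewrittenHref.slice(rewrittenHref.indexOf("?") + 1);
  return new URLSearchParams(query).get("url");
}

// Values copied from the first post's <a> element and its rewritten href.
const sample = { oi: "", cad: "", ct: "res", cd: "2",
  usg: "AFQjCNES_tkCImLOf7awY5kS_uhn9a3Ryg",
  sig2Suffix: "&sig2=o9xmv5ZAf-z4w1bYl7nbUQ", ved: "0CAsQFjAB" };
const rewritten = buildClickUrl("http://helderribeiro.net/?tag=gpl",
  sample, "PZP_St_PDYy8sgPR2N2eCg");
console.log(rewritten);
console.log(extractTarget(rewritten));
```

The printed URL matches the "after clicking" href in the first post character for character; the ei value differs between the first post and the later script dump because it is embedded in each served page.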

Re: Dissecting Google Search Results (for Haystack Project)

Postby PHLAK » Sun Nov 29, 2009 1:49 pm

Just saw this post. I too have noticed the JS link swapping Google does on their search results pages and considered this a pretty big vulnerability as a phishing tactic. As for getting the URL the way you're talking about, I'll have to think about it. Maybe we can go over it at the next meeting and (hopefully) come up with a solution. At the moment however, I do not have the time. I'll see if I can make some though, and let you know if I figure anything out.
PHLAK
Forum Admin
 
Posts: 749
Joined: Sat Dec 22, 2007 2:28 pm
Location: Phoenix, AZ

Re: Dissecting Google Search Results (for Haystack Project)

Postby dxh » Tue Dec 01, 2009 9:40 pm

TrackMeNot was able to get clickthrough obfuscation working at one point, but Google changed the code and it's broken, according to one of their developers. They seem to have similar aims with HayProj, although their algorithms and technical goals seem slightly different.
...
.dh

Re: Dissecting Google Search Results (for Haystack Project)

Postby dxh » Fri Dec 11, 2009 10:07 pm

dxh wrote:TrackMeNot was able to get clickthrough obfuscation working at one point, but Google changed the code and it's broken, according to one of their developers. They seem to have similar aims with HayProj, although their algorithms and technical goals seem slightly different.


Speaking of which, their code is CC licensed, so I can post it here. Credits: http://mrl.nyu.edu/~dhowe/trackmenot/. It used to work, they're working on updating it soon:

Code:
  /***************************************************************************
  Get the redirect link, so it appears we click on a link
  ***************************************************************************/
  function simulateClick (urls, engine)
  {
    if (!tmn.enabled || urls.length < 1) return false;
   
    // -----------------------------------------------
    if (false) { var urlStr = "";  // tmp: debugging
      for (var i = 0;i < urls.length; i++)
        urlStr += i+") "+urls[i]+"\n\n";
      cout("SIMULATE_CLICK.URLS:\n"+urlStr);
    }
    // -----------------------------------------------
   
    var queryIndex = tmn._roll(0,urls.length-1);
    if (urls[queryIndex] == undefined) {
      tmn._cerr("Undefined url at idx="+queryIndex+" list-length="+urls.length);
      return;
    }

    // Split into click-url and link-text
    var both = urls[queryIndex];
    var arr = both.split(tmn.delim);   
    var clickUrl = arr[0], query = arr[1];
    if (query == "") query = "???";

    var nextReq = tmn.cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
        .createInstance(tmn.ci.nsIXMLHttpRequest);
       
    try {
      nextReq.open("GET", clickUrl, true);
    } catch (e) {
      tmn._cerr("error opening click-through request for '"+clickUrl+"'");
      return;
    }
   
    tmn._log("[QUERY] engine="+engine+" | mode=click "
      +"| query='"+query+"' | url="+clickUrl);
 
    if (nextReq.channel instanceof tmn.ci.nsISupportsPriority) {
      nextReq.channel.priority = tmn.ci
          .nsISupportsPriority.PRIORITY_LOWEST;
    }
         
    if (tmn.enabled) nextReq.send(""); // double-check

    // CAN WE PERHAPS CALL tmn._scheduleSearch() HERE? -dch
    var requestTimer = tmn._getQueryWindow().setTimeout(function() {nextReq.abort();}, 5000);
    nextReq.onreadystatechange=function(aEvt) {
      if (nextReq.readyState==4) {
        clearTimeout(requestTimer);
        return true;
      }
    }
  }
...
.dh

Re: Dissecting Google Search Results (for Haystack Project)

Postby PHLAK » Mon Dec 14, 2009 9:00 am

Just ordered a new laptop last night, so I'm finally going to be able to get back into coding on my free time and want to help... however, I kind of need some up-to-date code to work off of (nudge, nudge, wink, wink). :D

Re: Dissecting Google Search Results (for Haystack Project)

Postby dxh » Mon Dec 14, 2009 8:32 pm

PHLAK wrote:Just ordered a new laptop last night, so I'm finally going to be able to get back into coding on my free time and want to help... however, I kind of need some up-to-date code to work off of (nudge, nudge, wink, wink). :D


It's in the works; I think I have clickthroughs figured out, but it will involve getting the site integrated to use a greasemonkey script and also regex, which I'm not that great at yet, so it'll come slowly, but very soon.
...
.dh

Re: Dissecting Google Search Results (for Haystack Project)

Postby PHLAK » Tue Dec 15, 2009 5:43 pm

The point of putting it up on Github is so others (aka, myself) can help.

Re: Dissecting Google Search Results (for Haystack Project)

Postby dxh » Sat Jan 02, 2010 12:55 am

PHLAK wrote:The point of putting it up on Github is so others (aka, myself) can help.


Alright, I got over my don't-check-broken-code-in mentality and posted what I have so far in the alpha directory: http://hmm.ph/9pu

Basically, I can't get the button on the page to call a function in the GS script, despite defining the webSearch function as part of the window object where it should be accessible anywhere. The examples of this sort of thing I've seen in other scripts involve building the html button element and adding it on the page, which I might end up doing.

The clickthrough obfuscation part does work though. 8-)

Also, 150+ views for less than one page, holy kaw!
...
.dh