Hello everyone, welcome to my presentation named Finding Hidden Gems via URL Shortener Services. In this presentation I will talk about the security risks of URL shortener services and how we can take advantage of them.

Let me introduce myself a bit. I'm Utku Şen, I'm working at Invicti Security as application security manager. I'm writing various security tools; you can check them on my GitHub account. Also I'm writing blogs about security and you can visit my website to read them.

Let's start with a highly debated topic, security by obscurity. Usually people are arguing against security by obscurity since it doesn't provide actual security. It relies on hiding information from an attacker. If the attacker somehow finds the information, it's game over. However, in some cases security by obscurity can be useful, and sometimes you have no other option than to trust obscurity. Let's check some examples.

Let's say you have an admin panel on your website and you don't want attackers to find it. The best practice is allowing users to the endpoint by checking their IP addresses. But in some cases this might not be possible due to different reasons such as cost, lack of engineers to do it, etc. In these types of cases, the best option would be hiding the URL with random strings so that an attacker won't be able to guess it. The same goes for shareable URLs such as Google Docs as well. The shared links should be accessible by everyone, but attackers shouldn't find them easily. Therefore, they are generating the URLs with random strings.

But of course, it's not impossible to find those hidden URLs. There are different methods to find them. When you visit or share a URL, it's logged in different places. For example, if you didn't make a restriction with a robots.txt file, the Google search engine may index your pages. Therefore, an attacker would be able to find it with a basic search. Also, Archive.org's Wayback Machine saves everything in its database.
You can query the Wayback Machine to find sensitive URLs. Another source is AlienVault's Open Threat Exchange service. AlienVault also caches lots of different URLs for threat intelligence purposes. However, you can take advantage of it by searching for sensitive URLs. There is a tool named getallurls that allows you to search the mentioned sources. It is widely used by bug bounty hunters and it works really well.

The other method for finding sensitive URLs is brute-forcing them. However, it won't be very efficient if the website uses random and long strings. [unintelligible] The best example is Google Docs, which creates URLs with random and long strings. When you calculate the brute-force pool size you will see that it's impossible to guess, especially with an online attack.

Now the fun part starts. People are widely using URL shortener services to share URLs. So why are they using them? [unintelligible] Shortened URLs are only 7 characters long, unlike Google Docs URLs, which are long and complex. Google Docs URLs use alphabetic characters and numbers with a length of 44. But of course, for an online attack the shortener's search space is not too much, and there is something here: we don't have to find all of them, right? If the random 7-character strings follow a pattern, [unintelligible]. For example, we send the first request and we get a 404 error. After that you increase the last character by one and send it again; you get a 404 error again, and in the next request we get a 300 redirection, which means that the URL exists. We can take a note of the redirected URL and continue to search. If we make enough guesses we will be able to guess lots of valid URLs.

But of course, to gather a notable amount of URLs we need high firepower. We might need lots of servers to make continuous guesses every day, but isn't it so expensive? How can we achieve that? Thank God we are lucky about this and we don't need to spend tons of money on the servers, because there is a volunteer group named URLTeam out there. URLTeam has lots of tools that allow you to brute force various URL shortener services. Lots of different people are using this tool to brute force those services every day and they are saving the found URLs on their platform. For example, they brute forced 18 billion URLs of Google's shortener service and they were able to find 3 billion working URLs, which means that if you used Google's service to make your sensitive URL shorter, most likely your sensitive URL is now saved to their database and the attacker can find it if they are looking for it. URLTeam also provides guidance for each shortener service, for example what kind of URL path they are using, what HTTP methods they are using, what character sets they
are using, also how much delay you need to put between every request, and how you can understand if there is a URL or not. Also, those services will be able to ban you if you send lots of requests in a short amount of time; therefore we are using delays here. Also they are providing status codes so that you can understand if you are banned or not. Those guides are really helpful; they allow you to brute force them practically so that you won't waste your time and resources.

I coded a tool named urlhunter to parse URLTeam's raw data and allow users to make smart searches on them. The tool is written in Go and you can find it on my GitHub account. So how can you benefit from this tool? You have different search options. The first one is a single keyword. In here, urlhunter will search the given keyword on the database and will show you the matched ones. For example, when you search for example.com it will match both with example.com/blahblah and another.com/?referer=example.com. The other search method is using multiple keywords. In here, urlhunter searches the given keywords with AND logic; therefore both keywords must be present in the URL. For example, if you search for both example.com and admin keywords, it will match with example.com/secret/adminpanel but it won't match with example.com/somethingelse. The other search method is using regexes. It's good to catch specific patterns such as credit card data, map coordinates or something else; it's totally up to you.

Now let's watch urlhunter's demo video, you won't be sorry. So what is urlhunter doing there? It is downloading the archives from URLTeam's repository, and of course those archive files are big since they are containing millions or billions of URLs. After that it's basically unzipping them, and now it searches for the given keywords in it. For example, in this example we are searching for docs.google.com and it should contain spreadsheets in it. Also it searches for the trello.com keyword. So now we are checking the output, and as you can see urlhunter matches the given keywords on the located databases. Sorry about that, the screen recording software has gone mad.

Also there is another project that came out after I released the urlhunter tool. Many of you probably already know the Grayhat Warfare S3 bucket search tool, which allows you to search publicly exposed buckets. It's a great project and I'm a huge fan of it, and now they support exposed URLs via shortener services as well. Also it has an advantage over urlhunter: urlhunter downloads the archive files in order to make a search on them, therefore it takes time. However, Grayhat Warfare downloads the archives on their own server and allows you to search on them quickly, therefore huge kudos to them.

So let's talk about what kind of sensitive data we can find there, what we should expect to find. As a summary I can easily say that it's a gold mine for bug bounty hunters; also intelligence researchers can get huge benefits from it. Let's explain them with examples. The first one is finding sensitive Google Docs and Drive files. Lots of companies are keeping their internal documents and files on those services. To share their documents or files they usually get a publicly shareable link, since they think that nobody would be able to find them. However, it's possible to find the files with specific queries. The most common URL prefix is docs.google.com/a/ followed by the company name and extension. I really don't know why this works, why there is a company domain in the URL; probably they are using a paid Google service or something, but I really couldn't find it. But it makes it easy to find sensitive documents belonging to a specific company. The other most common sensitive URLs are publicly exposed Trello boards. Some employees are keeping their company work inside their personal Trello boards and share them publicly. Those boards
can be useful for bug bounty purposes. You can find sensitive data there and report it right away. You can find those kinds of URLs with the following search logic: it should include both trello.com and the company name.

The other obvious sensitive data is admin panels or hidden paths. If you can find a login panel you can try default credentials or even conduct brute force attacks. Also you can search for paths of software that has known vulnerabilities. The search query would be similar to the previous ones: it should contain both company.com and admin, or private, or something else.

Another useful kind of data could be URLs that contain password reset tokens. Some websites allow you to use the password reset link multiple times. As a search query, you need to determine what kind of strings are included in the URLs and you need to search for them. For example, the search query should include both company.com and reset token. Some websites are sending session tokens with GET requests. If you know a website does that, you can search for them in order to login on behalf of other users. For example, a search query could include company.com and PHPSESSID, which refers to a session token.

Another important thing is map coordinates. Platforms such as Google Maps are carrying the coordinate information in the URL. Let's say an intelligence agency is expecting a terror attack on a specific location. They can search for those coordinates in the exposed URLs. If there is a match, they can contact the shortener service to find which IP address was used to shorten that URL. There is also another possibility with the map coordinates. Some of you may remember, there is a platform named Strava which is used for tracking your running and cycling statistics. A few years ago Strava published the coordinates of places in which Strava gets its signals. It was looking harmless initially; however OSINT researchers realized that there are tons of Strava users out of nowhere in the middle of the Middle East. It was a clear indicator that those places are hidden bases. So let's say you are collecting coordinates that are exposed via URL shortener services and you realize that a coordinate which is located in a desert appears lots of times. It might be a good indicator that there is something going on at that location, right? So just keep that in mind.

So as a conclusion, we can clearly say that relying on obscurity when hiding URLs is a bad idea. It can be exposed with lots of different methods as we explained in the previous slides. You need to set proper access restrictions on them, such as IP whitelisting and maybe authentication, etc. Finding sensitive data via URL shortener services can also be a good bug bounty method, right? Bug hunters may find private company data and get paid for it. For example, you can find some private company data in Google Drive or you can find some DevOps processes and credentials on Trello boards, etc., and companies probably will reward you for that.

So that was all from my side. Thank you so much for listening, I hope it was an insightful presentation for you all, and I wish very safe days for everyone. If you have any questions I'm willing to answer them right now. Thank you.
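As an added example (not code from the talk, from URLTeam or from urlhunter), here is a Python sketch of two points made above: the brute-force pool size of a 7-character shortener code versus a 44-character Google Docs id, and the single-keyword, AND-keyword and regex search logic, run as a self-audit over constructed archive lines for a domain you own. The example.com domain, the sample lines and the audit query names are assumptions.

```python
import math
import re
# Constructed sample archive lines (short code|expanded URL); not real URLTeam data.
SAMPLE_ARCHIVE = """\
abc1234|https://docs.google.com/a/example.com/spreadsheets/d/1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd/edit
abc1235|https://trello.com/b/Xy12Ab34/example-devops-board
abc1236|https://example.com/account/reset?token=9f8e7d6c5b4a
abc1237|https://example.com/index.php?PHPSESSID=a1b2c3d4e5f6
abc1238|https://another.com/page?referer=https://example.com/
abc1239|https://maps.google.com/maps?q=41.0082,28.9784
"""

def brute_force_pool(length, alphabet_size):
    """Guess-space size and bit strength of a random identifier (62 = [A-Za-z0-9])."""
    pool = alphabet_size ** length
    return pool, math.log2(pool)

def parse_archive(text):
    """Parse 'code|url' lines into (code, url) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        if "|" in line:
            code, url = line.split("|", 1)
            rows.append((code.strip(), url.strip()))
    return rows

def search(rows, keywords=(), regex=None):
    """URLs containing ALL keywords (case-insensitive) and, if given, matching regex."""
    pattern = re.compile(regex, re.IGNORECASE) if regex else None
    hits = []
    for _code, url in rows:
        low = url.lower()
        if all(k.lower() in low for k in keywords) and (pattern is None or pattern.search(url)):
            hits.append(url)
    return hits

# Self-audit queries for a domain you own (example.com is assumed), mirroring the talk's patterns.
AUDIT_QUERIES = {
    "google_docs": {"keywords": ("docs.google.com/a/example.com",)},
    "trello_board": {"keywords": ("trello.com", "example")},
    "reset_token": {"keywords": ("example.com", "reset"), "regex": r"[?&]token="},
    "session_in_url": {"keywords": ("example.com",), "regex": r"PHPSESSID="},
    "map_coordinates": {"regex": r"[?&]q=-?\d{1,3}\.\d+,-?\d{1,3}\.\d+"},
}
def run_audit(text):
    """Run every audit query over the archive; any non-empty list is a finding to triage."""
    return {name: search(parse_archive(text), **q) for name, q in AUDIT_QUERIES.items()}

if __name__ == "__main__":
    print(brute_force_pool(7, 62), brute_force_pool(44, 62), run_audit(SAMPLE_ARCHIVE), sep="\n")
```

A hit for your own domain in any of these queries is the signal to revoke the link, rotate the token, or put the endpoint behind IP restrictions and authentication as the conclusion recommends.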