5 Generic Yahoo Pipes Hackers Cannot Live Without

19/07/2007 12:57:32
Posted by Petko Petkov


In this post you will find 5 generic Yahoo pipes that I use for all kinds of client-side security tests and research projects. This listing is based on my personal research that was also presented at OWASP Web Application Security Conference 2007 in Italy.



CSV Proxy

_id: Vg0edwYy3BGvHDSHl7okhQ; parameters: url, separator (default)



The CSV Proxy is a simple pipe that takes any comma-separated file and converts it to JSON. The url parameter specifies the resource that we want to read. The optional separator parameter defines the delimiter in use (comma “,” by default). Keep in mind that we can specify any character as a delimiter. This includes normal alphabetic characters, numbers and metacharacters. In general, we can use this pipe to read arbitrary content from the Web.



Attackers can use this pipe to consume arbitrary information from web resources. This pipe can be successfully used as part of an AJAX worm and other types of malicious JavaScript software. For example, the worm can make important decisions on how to target new victims based on the output delivered by the CSV Proxy pipe.



Feed Proxy

_id: RBCyzKn_2xGwmFFDzKky6g; parameters: url



Feed Proxy is a rather simple pipe that fetches a feed in RSS or ATOM format. The output can be delivered as JSON or again as RSS/ATOM. The url parameter defines the feed that we want to fetch.



Attackers can use the Feed Proxy to fetch any arbitrary feed from the Web. For example, attackers can fetch the latest XSS compromised sites list from XSSED.com and exploit the victim on every single one of them.



XML Proxy

_id: MOA14Osy3BGrnbHwCB2yXQ; parameters: url, path (optional)



The XML Proxy Yahoo pipe allows us to fetch XML documents. The output can be consumed as JSON. The url parameter defines the XML document we want to fetch, while the optional path parameter defines an XPath-like (replace / with .) path to the list of nodes we are interested in. We can use this proxy to read XML service definition files, sitemaps (sitemap.xml) and other types of XML content. Keep in mind that XHTML validated pages are also XML. Non-XHTML pages can be read as well by linking the pipe with W3C Tidy Proxy located at http://cgi.w3.org/cgi-bin/tidy. In general, this pipe can be used to read arbitrary content from the Web.
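
How a dotted path selects a list of nodes from an XML document and what the result looks like as JSON, as a local sketch added here (it is not the pipe's implementation and not code from the original post). The function names, the constructed sample sitemap and the rule that the path starts at the root element are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample input: a small sitemap.xml, embedded so nothing is fetched.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://example.com/</loc><lastmod>2007-07-01</lastmod></url>
  <url><loc>http://example.com/about</loc></url>
</urlset>"""

def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def to_obj(elem):
    """Convert an element to JSON-friendly data: leaf -> text, else dict."""
    children = list(elem)
    if not children and not elem.attrib:
        return (elem.text or "").strip()
    obj = dict(elem.attrib)
    for child in children:
        name, value = local_name(child.tag), to_obj(child)
        if name in obj:  # repeated child names collapse into a list
            if not isinstance(obj[name], list):
                obj[name] = [obj[name]]
            obj[name].append(value)
        else:
            obj[name] = value
    return obj

def select(xml_text, path=""):
    """Return the nodes matched by a dotted path such as 'urlset.url'.

    Assumption of this sketch: the first segment names the root element.
    An empty path returns the whole document as a single item.
    """
    root = ET.fromstring(xml_text)
    if not path:
        return [to_obj(root)]
    first, *rest = path.split(".")
    nodes = [root] if local_name(root.tag) == first else []
    for segment in rest:
        # Descend one level per segment, keeping every matching child.
        nodes = [c for n in nodes for c in n if local_name(c.tag) == segment]
    return [to_obj(n) for n in nodes]

if __name__ == "__main__":
    print(json.dumps(select(SAMPLE_SITEMAP, "urlset.url"), indent=2))
```
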



Attackers can use this pipe as part of automated XSS and SQLI scanners. For example, they can fetch the latest version of the XSS Cheat sheet from http://ha.ckers.org/xssAttacks.xml and try each one of the vectors on the targeted website/application. This pipe can be successfully implemented into any AJAX worm and other types of malicious JavaScript software.



Yahoo Search Proxy

_id: ZD01dtY13BGaUwMNdrq02Q; parameters: query, site (optional)



Querying Yahoo Search has never been easier. This service is superior when compared to the Google AJAX Search API. The output is delivered as JSON. The query parameter defines the terms that we want to look for. The optional site parameter enables the pipe to search within a particular domain or resource.



Attackers can use/abuse this service to locate targets to attack. This pipe can be easily combined with j0hnny’s Google Hacking Database. It can also be used as part of an AJAX worm or other types of malicious JavaScript software. AJAX worms can use this pipe to find new targets to ensure further propagation.



Google Proxy

_id: jgpIRDDm2xGpGBpFdbq02Q; parameters: url



The Google Proxy pipe can be used to fetch any content from the Web and deliver it as pure JSON. The pipe utilizes the XML Proxy pipe combined with Google’s XHTML interface for mobile phones. The XHTML interface converts every page and text-like file into valid XML which is then consumed by the XML proxy.



Attackers can use this pipe to read arbitrary content from the Web. The attacker’s requests will be considered sort of anonymous since they pass through a number of processing layers. If the machines that perform the requests are not synchronized with an accurate time source, a forensic analysis will be very difficult to conduct. The delays between each transformation will also result in an additional layer of complexity.



The pipes constructed for this research are absolutely non-malicious. Other developers use them primarily to mash-up content from the Web and deliver the result as a valuable experience to the user. However, attackers can abuse the service for malicious purposes. A carefully planned attack may involve a number of pipes located on different accounts. Load balancing elements can also be integrated within the Pipes’ system.


Yahoo Pipes is a valuable service and I see a lot of security improvements that were introduced by the Pipes development team. In order to avoid the next rant, I must say that the Web is not going down, but it is getting quite hectic.