Google Docs XSPA / SSRF

Google Docs XSPA / SSRF
Posted Sep 10, 2016
Authored by Ehsan Hosseini

Google Docs appears to suffer from XSPA and SSRF vulnerabilities.

tags | exploit, vulnerability
SHA-256 | 501a17605590bda6c851639057c538c029ea0201983b3f75be76d3a18bad6193

================================================================================
# Google Docs - XSPA/SSRF
================================================================================
# Author: Ashiyane Digital Security Team
# Vendor Homepage: http://docs.google.com/
# Date : 09 September 2016
# Vulnerability Type : Cross Site Port Attack (XSPA) [CWE-918]
# Intercept proxy used : BurpSuite
# Contact: hehsan979@gmail.com
================================================================================
# Description :
XSPA lets an attacker abuse functionality present in most web
applications to port scan intranet hosts and external Internet-facing
servers. Some of the attacks that XSPA makes possible:

1. fingerprinting intranet web applications using standard application
default files and behaviour
2. attacking internal/external web applications that are vulnerable to
GET-parameter-based vulnerabilities
3. port scanning remote Internet-facing servers, intranet devices and the
local web server itself; banner grabbing is also possible in some cases
4. identifying web application frameworks
5. exploiting vulnerable programs
6. running code on reachable machines
7. listening on internal networks and reading local files using the file
protocol, and much more.

Using XSPA for port scanning depends on these indicators:
the "Response Byte Size", the "Response Received Time", or some "Unique
Error Messages" (such as "Connection refused", "timeouts"
or "Service was not reachable"). To identify port status
(open/closed), an attacker analyses the response for those indicators.

How open and closed ports show up:
1. If the response contains an error message or the page changes in any
way, the port is closed; otherwise the port is open.
Note: sometimes there is no error and no visible reaction from the page,
so in that situation the "Response Received Time" is checked instead.
For recognition via the "Response Received Time" you should know that
closed ports always take a long time to return a response,
while open ports take only a little time, because when the port is open
the web server can connect to it immediately and
easily. You can verify this with a simple telnet command against any
web server you want. So:
2. Each row whose "Response Received Time" is lower than the others
indicates an open port; the rest are closed.
For example, given a vulnerable target
(https://example.org/viewer?url=http://example.com:[Ports])
and testing these ports on it: 80,443,21,25,110,995,
after the attack completes we get numbers like the ones below in the
Response Received column:

Ports | Response Received
-------------------------
443   | 1320
21    | 400  >> Open Port
80    | 520  >> Open Port
25    | 1350
110   | 450  >> Open Port
995   | 1353

As we said, "closed ports take a long time to return a response", so
we can separate the results into open ports and closed ports.

The Open Ports :
Ports | Response Received
-------------------------
21    | 400  >> Open Port
80    | 520  >> Open Port
110   | 450  >> Open Port

The Closed Ports :
Ports | Response Received
-------------------------
443   | 1320
25    | 1350
995   | 1353

Now that we have found SSRF on docs.google.com, it is time to test
XSPA for port scanning on docs.google.com.
In this part we used BurpSuite as the intercepting proxy to run the attack and then
analysed the "Response Received" column.
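As an added defender-side example (not part of the advisory), the following Python flags the probing pattern described above in a fetcher's access log: one client asking the viewer to fetch the same host on many distinct ports within a short window. The log format, field names and sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of a document-fetcher access log: unix timestamp, the
# requesting client, the url= value the viewer was asked to fetch, and the
# response time in ms. Format and field names are assumptions for this example.
SAMPLE_LOG = """\
1473400001 203.0.113.7 url=http://example.com:443 ms=1320
1473400002 203.0.113.7 url=http://example.com:21 ms=400
1473400003 203.0.113.7 url=http://example.com:80 ms=520
1473400004 203.0.113.7 url=http://example.com:25 ms=1350
1473400005 203.0.113.7 url=http://example.com:110 ms=450
1473400006 203.0.113.7 url=http://example.com:995 ms=1353
1473400007 198.51.100.9 url=http://example.com/report.pdf ms=610
1473400050 198.51.100.9 url=https://example.com/slides.pdf ms=700
"""

LINE_RE = re.compile(r"^(\d+) (\S+) url=(\S+) ms=(\d+)$")

def parse_log(text):
    """Yield (timestamp, client, target host, target port, ms) per valid line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url, ms = m.groups()
        parts = urlsplit(url)
        try:
            port = parts.port or (443 if parts.scheme == "https" else 80)
        except ValueError:          # malformed port in the URL
            port = None
        yield int(ts), client, parts.hostname, port, int(ms)

def find_port_sweeps(text, min_ports=4, window=60):
    """Return {(client, host): sorted ports} for every client that asked the
    viewer to fetch the same host on >= min_ports distinct ports within
    `window` seconds. A document viewer almost never needs ports other than
    80/443, so distinct-port fan-out per host is the signal."""
    seen = defaultdict(list)
    for ts, client, host, port, _ms in parse_log(text):
        seen[(client, host)].append((ts, port))
    sweeps = {}
    for key, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window and p is not None}
            if len(ports) >= min_ports:
                sweeps[key] = sorted(ports)
                break
    return sweeps
```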

# Proof Of Concept :

1. Open BurpSuite.
2. In BurpSuite, capture the request for a URL such as:
https://docs.google.com/viewerng/viewer?url=http://ashiyane.org
3. Send the request to the "Intruder" tab.
4. Set the payload position on the port part, such as:
https://docs.google.com/viewerng/viewer?url=http://ashiyane.org:$1$
5. Create or add a payload list of the ports you want to scan in the "Payloads" tab.
6. Start the attack.
7. After the attack completes, check the results in the "Response Received" column
according to the description part.
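The root cause is a url= parameter that the viewer fetches server-side without restriction. As an added example (not Google's code), this Python validation for such a parameter restricts scheme and port, rejects hosts that resolve to non-public addresses, and returns one uniform client-facing error so that neither error text nor port status can act as an oracle; the resolver parameter, the allowlists and all names are assumptions for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for a "viewer?url=..." style parameter: only http/https
# documents on ports 80/443 are ever fetched, and never from internal space.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def is_public_ip(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def validate_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). `reason` is for server logs only; the client
    must only ever see the single message from client_error_message()."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"          # blocks file://, gopher:// ...
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"            # no :21, :25, :110 probing
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except OSError:                                 # includes socket.gaierror
        return False, "dns failure"
    addrs = {info[4][0] for info in infos}
    # Every resolved address must be public; one internal A/AAAA record fails it.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"

def client_error_message(ok):
    """Uniform response for every rejected or failed fetch, so response text
    no longer distinguishes closed ports, timeouts or blocked targets."""
    return None if ok else "Document could not be loaded."
```

The address checked here must also be the one the fetcher actually connects to (pin the resolved IP), otherwise DNS rebinding can bypass the check; redirects need the same validation on every hop.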

================================================================================
# Discovered By : Ehsan Hosseini , V For Vendetta , Und3rgr0und
================================================================================
