Digging Dirt: Goolag Scanner

By securitydude


SecurityDude, CISSP-ISSAP is an IT consultant, Security & Privacy Advocate and blogger at large with over 20 years IT experience. SecurityDude shares tips, tricks, and info that the average networking professional will find interesting and indispensable.

In my post, “Bleeding Confidential Data”, I offered an example of Google Hacking that revealed documents marked “Confidential” or “For Internal Use Only”.

Cult of the Dead Cow released a tool for Windows called “Goolag Scanner”. This scanner incorporates a lot of the Google Hacking research performed by johnny.ihackstuff.com. It allows you to perform automated searches of your web site to find leakage and vulnerabilities. If you prefer not to install an application authored by a hacking group, you can use Johnny’s Google Hacking Database to search manually or write a script to automate the searches.

The most insidious part of Google Hacking is that there is no way to detect an active attack. Why? The attacker does not need to make a connection to your web site to glean information. They are merely searching the database of your web site that Google conveniently built for them.

I recommend you add Google Hacking to your regular web security testing regimen. If you don’t test it, someone who is not your friend may do the testing for you.
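As an added example (not from the post, the Goolag tool, or the GHDB), here is a small Python self-audit that does the defensive side of the two paragraphs above offline: walk your own web root for files carrying the markers the post names, then emit the site-restricted search strings you would run by hand to confirm whether Google has already indexed them. The marker list, file extensions, domain and sample content are assumptions.

```python
import re
from pathlib import Path

# Classification markers named in the post; extend for your own labelling scheme.
MARKERS = ("Confidential", "For Internal Use Only")
# Plain-text formats scanned directly (assumption). PDF and Office files are indexed
# by Google too, but need a text-extraction step that is not shown here.
TEXT_TYPES = {".txt", ".htm", ".html", ".csv", ".xml"}

def scan_documents(docs, markers=MARKERS):
    """docs: {relative_path: text}. Returns sorted [(path, first matching marker)]."""
    hits = []
    for rel, text in sorted(docs.items()):
        if Path(rel).suffix.lower() not in TEXT_TYPES:
            continue
        for marker in markers:
            # Case-insensitive, so "CONFIDENTIAL" in a header or footer also counts.
            if re.search(re.escape(marker), text, re.IGNORECASE):
                hits.append((rel, marker))
                break
    return hits

def scan_webroot(webroot, markers=MARKERS):
    """Read every text file under the web root into memory and scan it."""
    root = Path(webroot)
    docs = {p.relative_to(root).as_posix(): p.read_text(errors="ignore")
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in TEXT_TYPES}
    return scan_documents(docs, markers)

def site_queries(domain, hits):
    """Site-restricted search strings to check whether Google already indexed a hit."""
    return sorted({f'site:{domain} filetype:{Path(rel).suffix.lstrip(".")} "{marker}"'
                   for rel, marker in hits})

if __name__ == "__main__":
    # Constructed sample content standing in for a web root.
    sample = {
        "index.html": "<h1>Welcome to Example Corp</h1>",
        "reports/q3-budget.txt": "Q3 BUDGET\nCONFIDENTIAL - do not distribute",
        "hr/memo.html": "<p>For internal use only.</p>",
        "img/logo.png": "binary data, not scanned",
    }
    found = scan_documents(sample)
    for rel, marker in found:
        print(f"{rel}: marked '{marker}'")
    for q in site_queries("example.com", found):
        print("verify:", q)
```

Anything the script flags should be pulled behind authentication or out of the web root before the search engine's next crawl, not merely excluded in robots.txt.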
