InformationWeek published a very interesting report a couple of weeks ago, authored by Francis Brown of consulting firm Stach & Liu, which focused on hackers using search engines to seek out vulnerabilities in organizations’ IT environments.
Penetration testing using a search engine was very popular among hackers in the early- to mid-2000s. The practice abated later when Google stopped issuing new SOAP API keys on a regular basis. But today, it’s back with a vengeance. The explosion of data on Google has given hackers much more to work with. A jump in the number of new search engine interfaces that penetration testers use to identify vulnerable web applications has also taken place. LulzSec’s hacking rampage that impacted Sony, PBS and the CIA among others, illustrates the potential of Google hacking, in particular.
Yet what’s good for the goose is good for the gander. Corporate security teams use Google hacking tools and Google Dorks, which lists search terms that reveal vulnerabilities, to close these gaps. There’s no one hacking tool corporate teams can use to eliminate search engine exposures, and, as with much of security, a multi-tool approach will reduce this exposure more than any single tool.
It’s important that web developers have an understanding of the types of attacks that can occur so they can develop more robust defenses. Interestingly, poor programming practices can often lead to one of these types of attacks. Five of the most frequent attacks include:
Remote code execution – Here, an attacker runs an arbitrary, system level code on an exposed server to obtain the information he/she wants. Often, improper coding errors lead to this exposure. It can be difficult to discover during penetration testing, but it can be revealed during a source code review. This type of vulnerability can lead to a total compromise of the system.
SQL injection – This is an old approach, but still popular among many hackers. The technique allows hackers to secure important information from a Web server’s database. The impact of this attack can vary from basic information disclosure to remote code execution and total compromise of the system.
Format string vulnerabilities – This occurs from the use of unfiltered user input as the format string parameter in certain Perl or C functions that perform formatting, such as C’s printf(). Format string vulnerability attacks fall into three general categories: denial of service, reading and writing.
Cross-site scripting – To achieve success, the “victim” must execute a malicious URL, which may be crafted to look legitimate at firm. When the person visits the URL, an attacker can effectively execute something malicious in the victim’s browser. For example, a malicious Java script will be run in the context of the website that possesses the XSS bug.
Username enumeration – This type of attack the backend validation script informs the hacker if a supplied user name is correct or not. Exploiting this vulnerability enables the hacker to experiment with different user names and determine valid ones with the help of these different error messages. This approach can help an attacker who attempts to use some trivial user names with easily guessable passwords.
The application code is always the first place to secure a web application. Continuously analyzing software quality during the development process is much more effective than reviewing all the code at the end of a project. Automated solutions, such as those created by CAST, offer fact-based transparency into application development, maintenance and sourcing.
Automated software analysis and measurement can prevent business disruptions and risks, while concurrently reducing hard IT costs. Certainly not the complete solution to avoid search engine-based vulnerabilities, but a valuable piece to the total solution.