Google Hacking Tools Help Reveal Software Vulnerabilities

InformationWeek published a very interesting report a couple of weeks ago, authored by Francis Brown of consulting firm Stach & Liu, which focused on hackers using search engines to seek out vulnerabilities in organizations’ IT environments.

Penetration testing using a search engine was very popular among hackers in the early- to mid-2000s. The practice abated later when Google stopped issuing new SOAP API keys on a regular basis. But today, it’s back with a vengeance. The explosion of data on Google has given hackers much more to work with. The number of new search engine interfaces that penetration testers use to identify vulnerable web applications has also jumped. LulzSec’s hacking rampage, which impacted Sony, PBS and the CIA among others, illustrates the potential of Google hacking in particular.

Yet what’s good for the goose is good for the gander. Corporate security teams use Google hacking tools and Google Dorks, which list search terms that reveal vulnerabilities, to close these gaps. There’s no one hacking tool corporate teams can use to eliminate search engine exposures, and, as with much of security, a multi-tool approach will reduce this exposure more than any single tool.

Attacks Take Multiple Forms

It’s important that web developers have an understanding of the types of attacks that can occur so they can develop more robust defenses. Interestingly, poor programming practices can often lead to one of these types of attacks. Five of the most frequent attacks include:

Remote code execution – Here, an attacker runs arbitrary, system-level code on an exposed server to obtain the information he/she wants. Often, coding errors lead to this exposure. It can be difficult to discover during penetration testing, but it can be revealed during a source code review. This type of vulnerability can lead to a total compromise of the system.

SQL injection – This is an old approach, but still popular among many hackers. The technique allows hackers to obtain important information from a Web server’s database. The impact of this attack can vary from basic information disclosure to remote code execution and total compromise of the system.

Format string vulnerabilities – These arise when unfiltered user input is used as the format string parameter in certain Perl or C functions that perform formatting, such as C’s printf(). Format string vulnerability attacks fall into three general categories: denial of service, reading and writing.

Cross-site scripting – To achieve success, the “victim” must visit a malicious URL, which may be crafted to look legitimate at first glance. When the person visits the URL, an attacker can effectively execute something malicious in the victim’s browser. For example, a malicious JavaScript will be run in the context of the website that possesses the XSS bug.

Username enumeration – In this type of attack, the backend validation script informs the hacker whether a supplied user name is correct or not. Exploiting this vulnerability enables the hacker to experiment with different user names and determine valid ones with the help of these different error messages. This approach can help an attacker who attempts to use some trivial user names with easily guessable passwords.
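
The username enumeration case above, as an added example that is not part of the original article: a login check whose error messages distinguish unknown user names from wrong passwords, beside a form that returns one message and does the same hashing work for every failure. The user store, function names and messages are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample user store (user name -> (salt, PBKDF2 hash)); not real data.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential checked for unknown user names so both paths do the same work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_enumerable(username: str, password: str) -> tuple[bool, str]:
    """Weak form: the error text reveals whether the user name exists."""
    if username not in USERS:
        return False, "Unknown user name"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password"
    return True, "Welcome"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one message and the same hashing cost for every failure."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and username in USERS:
        return True, "Welcome"
    return False, "Invalid user name or password"


def leaks_usernames(login) -> bool:
    """Review check: do a known and an unknown user name fail differently?"""
    known = login("alice", "wrong-password")
    unknown = login("no-such-user", "wrong-password")
    return known != unknown


if __name__ == "__main__":
    print("enumerable login leaks:", leaks_usernames(login_enumerable))
    print("uniform login leaks:   ", leaks_usernames(login_uniform))
```

The same comparison in leaks_usernames can be applied to password-reset and registration responses, which often expose the same difference.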

Security Begins with Application Code

The application code is always the first place to secure a web application. Continuously analyzing software quality during the development process is much more effective than reviewing all the code at the end of a project. Automated solutions, such as those created by CAST, offer fact-based transparency into application development, maintenance and sourcing.

Automated software analysis and measurement can prevent business disruptions and risks, while concurrently reducing hard IT costs. It is certainly not the complete solution to avoiding search engine-based vulnerabilities, but it is a valuable piece of the total solution.

Filed in: Technical Debt
Tim Johnson, President at UPRAISE Marketing and Public Relations
Tim has 30+ years of public relations and marketing experience. Today, his agency, UPRAISE Marketing and Public Relations, serves a wide range of clients, earning outsized results.