Those clever folks at Cult of the Dead Cow (cDc), previously most infamous for creating the Windows hacking tool "Back Orifice," have once again raised a rallying cry with their new tool, Goolag. Goolag allows security personnel and ruffians alike to make automated queries that test websites for hundreds of common security flaws.
Using a technique popularized by security researcher Johnny Long, the Google search engine is used to send specially crafted queries to websites, which often oblige by returning information that most security administrators would prefer remain hidden or fixed.
A typical example of such "Google hacking" would be to search for a particular PHP script used during development, but not removed from an operational system: inputting the phrase filetype:php inurl:"viewfile" -"index.php" -"idfil into Google unsurprisingly reveals a fair number of websites that fail to prevent such files from being viewed. This is but one of literally hundreds of security gaffes that Google can be used to uncover.
However, running hundreds of search queries one-by-one in order to "Google hack" a website can lead to carpal tunnel, which may be why cDc decided to automate the process by creating Goolag. The Goolag scanner is a standalone Windows application with a simple GUI. It uses a single XML-based configuration file for its settings. All the Google hacking queries (affectionately known as "dorks" within the industry) come with the distribution of the scanner and reside in a single file.
For those who have misgivings about installing software created by clever hackers, the cDc has published the full source code of Goolag; for the brave, simply download the executable and you can be Google hacking in mere minutes.
Running Goolag is simplicity itself, so resist the temptation to examine anything for which you don't have direct security responsibility. Then take the output of Goolag and get your Web developers busy fixing the flaws you will most likely find.
About the author:
Scott Sidel is an ISSO with Lockheed Martin.
This was first published in March 2008