Google hacking exposes a world of security flaws

Those clever folks at Cult of the Dead Cow (cDc), previously most infamous for creating the Windows hacking tool "Back Orifice," have once again raised a rallying cry with their new tool, Goolag. Goolag allows security personnel and ruffians alike to make automated queries that test websites for hundreds of common security flaws.

Using a technique popularized by security researcher Johnny Long, the Google search engine is used to send specially crafted queries to websites, which often oblige by returning information that most security administrators would prefer remain hidden or fixed.

For more information:
Learn how to prevent Google hacking in this excerpt from

    Requires Free Membership to View

Chapter 8 of "Steal this Computer Book 4.0," by Wallace Wang.

Scott Sidel explains how malicious hackers use Google Code Search and how it affects the open source and commercial software communities.

Discover how to use advanced operators and special searching techniques offered by Google to discover if corporate information has been exposed

A typical example of such "Google hacking" would be to search for a particular PHP script used during development, but not removed from an operational system: inputting the phrase filetype:php inurl:"viewfile" -"index.php" -"idfil into Google unsurprisingly reveals a fair number of websites that fail to prevent such files from being viewed. This is but one of literally hundreds of security gaffes that Google can be used to uncover.

However, running hundreds of search queries one-by-one in order to "Google hack" a website can lead to carpal tunnel, which may be why cDc decided to automate the process by creating Goolag. The Goolag scanner is a standalone Windows application with a simple GUI. It uses a single XML-based configuration file for its settings. All the Google hacking queries (affectionately known as "dorks" within the industry) come with the distribution of the scanner and reside in a single file.

For those who have misgivings about installing software created by clever hackers, the cDc has published the full source code of Goolag; for the brave, simply download the executable and you can be Google hacking in mere minutes.

Running Goolag is simplicity itself, so resist the temptation to examine anything for which you don't have direct security responsibility. Then take the output of Goolag and get your Web developers busy fixing the flaws you will most likely find.

About the author:
Scott Sidel is an ISSO with Lockheed Martin.

This was first published in March 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.