ADVANCED GOOGLE HACKING OWASP AppSec June 2004 NYC -KARTIK TRIVEDI Consultant / Trainer - Foundstone LA Chapter Chair / Contributor [email protected] Copyright © 2004 - The OWASP Foundation Permission.
Download
Report
Transcript ADVANCED GOOGLE HACKING OWASP AppSec June 2004 NYC -KARTIK TRIVEDI Consultant / Trainer - Foundstone LA Chapter Chair / Contributor [email protected] Copyright © 2004 - The OWASP Foundation Permission.
ADVANCED GOOGLE HACKING
OWASP
AppSec
June 2004 NYC
-KARTIK TRIVEDI
Consultant / Trainer - Foundstone
LA Chapter Chair / Contributor
[email protected]
Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org
“Using public sources openly and without resorting
to illegal means, it is possible to gather at least
80 percent of all information required about the
enemy”
- Al Qaeda training manual
OWASP AppSec 2004
AGENDA
How Google works
Information disclosure with Google
Tools
Countermeasures
OWASP AppSec 2004
How Google Works
OWASP AppSec 2004
Information Disclosure with Google
OWASP AppSec 2004
Information Disclosure with Google
Advanced Search Operators
site: (.edu, .gov, foundstone.com, usc.edu)
filetype: (txt, xls, mdb, pdf, .log)
Daterange: (julian date format)
Intitle / allintitle
Inurl / allinurl
OWASP AppSec 2004
Information Disclosure with Google
OWASP AppSec 2004
Information Disclosure with Google
OWASP AppSec 2004
Information Disclosure with Google
OWASP AppSec 2004
Information Disclosure with Google
OWASP AppSec 2004
Information Disclosure
Private information
Remote Admin Interface
Configuration management
Error messages
Backup files
Public vulnerabilities
Technology Profile
OWASP AppSec 2004
Tools
Using Web interface
Athena
GooScan
Using Web Service API
SiteDigger
OWASP AppSec 2004
Automated Tools - GooScan
OWASP AppSec 2004
Tools - Athena
OWASP AppSec 2004
Tools - SiteDigger
OWASP AppSec 2004
Tools - SiteDigger
OWASP AppSec 2004
Tools - SiteDigger
Version 2 features (tentative release 15th July)
Proxy support / Google appliance support
XML signatures in OASIS WAS format
Adding signatures for OWASP top 10
Signature contribution option
Raw search tab
Configurable # of results
OWASP AppSec 2004
Countermeasures
Keep sensitive data off the web!!
Perform periodic Google Assessments
Update robots.txt
Use meta-tags: NOARCHIVE
http://www.google.com/remove.html.
OWASP AppSec 2004
SUMMARY
How Google works
Information disclosure with Google
Tools
Countermeasures
OWASP AppSec 2004
Thanks
….for listening
[email protected]
OWASP AppSec 2004