ADVANCED GOOGLE HACKING OWASP AppSec June 2004 NYC -KARTIK TRIVEDI Consultant / Trainer - Foundstone LA Chapter Chair / Contributor [email protected] Copyright © 2004 - The OWASP Foundation Permission.
Download ReportTranscript ADVANCED GOOGLE HACKING OWASP AppSec June 2004 NYC -KARTIK TRIVEDI Consultant / Trainer - Foundstone LA Chapter Chair / Contributor [email protected] Copyright © 2004 - The OWASP Foundation Permission.
ADVANCED GOOGLE HACKING OWASP AppSec June 2004 NYC -KARTIK TRIVEDI Consultant / Trainer - Foundstone LA Chapter Chair / Contributor [email protected] Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org “Using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of all information required about the enemy” - Al Qaeda training manual OWASP AppSec 2004 AGENDA How Google works Information disclosure with Google Tools Countermeasures OWASP AppSec 2004 How Google Works OWASP AppSec 2004 Information Disclosure with Google OWASP AppSec 2004 Information Disclosure with Google Advanced Search Operators site: (.edu, .gov, foundstone.com, usc.edu) filetype: (txt, xls, mdb, pdf, .log) Daterange: (julian date format) Intitle / allintitle Inurl / allinurl OWASP AppSec 2004 Information Disclosure with Google OWASP AppSec 2004 Information Disclosure with Google OWASP AppSec 2004 Information Disclosure with Google OWASP AppSec 2004 Information Disclosure with Google OWASP AppSec 2004 Information Disclosure Private information Remote Admin Interface Configuration management Error messages Backup files Public vulnerabilities Technology Profile OWASP AppSec 2004 Tools Using Web interface Athena GooScan Using Web Service API SiteDigger OWASP AppSec 2004 Automated Tools - GooScan OWASP AppSec 2004 Tools - Athena OWASP AppSec 2004 Tools - SiteDigger OWASP AppSec 2004 Tools - SiteDigger OWASP AppSec 2004 Tools - SiteDigger Version 2 features (tentative release 15th July) Proxy support / Google appliance support XML signatures in OASIS WAS format Adding signatures for OWASP top 10 Signature contribution option Raw search tab Configurable # of results OWASP AppSec 2004 Countermeasures Keep sensitive data off the web!! Perform periodic Google Assessments Update robots.txt Use meta-tags: NOARCHIVE http://www.google.com/remove.html. OWASP AppSec 2004 SUMMARY How Google works Information disclosure with Google Tools Countermeasures OWASP AppSec 2004 Thanks ….for listening [email protected] OWASP AppSec 2004