I don’t read those things. Google gives me everything,” a fat dark-skinned man tells a light-skinned lady in an advert. It’s no surprise today that ‘Mr. Google is a great fount of knowledge about almost anything. “What do you want to know? For example, tell me anything. Mr. Google Sir, what is the name of this lovely lady,” adds the man in the advert.
Have you ever wondered if the same Google can be manipulated to the detriment of your online safety?
Google hacking, sometimes, referred to as Google docking, is an information-gathering technique leveraged by adversaries through advanced Google searching techniques. Google hacking search queries can be used to identify security vulnerabilities in web applications. They gather information for arbitrary or individual targets, discover error messages disclosing sensitive information, discover files containing credentials and other sensitive data. For an average person, Google is essentially a search engine used to locate resourceful online material. For the hacker, it can be a great reconnaissance tool.
By virtue of its good crawling capabilities, Google can index a number of elements within your website, including usernames and passwords, email lists, sensitive documents, personally identifiable financial information, and website vulnerabilities. The unfortunate chance is that you may unknowingly be exposing too much information about your web technologies without any proper security measures in place.
A number of parameters can be used to search for specific files on a given domain, and the advanced search string crafted by an attacker could be searching for the vulnerable version of a web application, or a specific file-type such as .pwd or .sql. Take, for example, the following search query: intitle:”index of” filetype:sql that lists SQL files (filetype:sql) available that have been indexed by Google on websites where directory listing is enabled (intitle: “index of”).
You can have the following precautionary steps:
- Regularly test websites and web applications for vulnerabilities and misconfigurations before and after hosting them so as to alleviate the enumeration risk. Vulnerability scanners usually have popular Google hacking queries and can be pretty effective in detecting the threat.
- Encrypt your sensitive information which may include but not limited to usernames, passwords, credit cards, emails, addresses, IP addresses, phone numbers, etc.
- Have your website directory lists turned off because they may contain background files with passwords, along with configuration files?
- Hide sensitive content from search engine crawlers by using a robots.txt file located in your root-level website directory.
- Embrace document sanitization to ensure that only intended information can be publicly accessed online.