Re: How does Google get confidential URL-strings?



Hey Joe,

I see two possibilities. One, someone must be using Google Desktop &
the search results got published. Once they get published they will also
get cached. Secondly, disgruntled or former employees, as pointed out
by Jeffery. If there is Google Toolbar then this could also be
possible.

cheers
TAS

--
http://www.niiconsulting.com/products/auditpro.html


2009/5/29 Joe <bitshield@xxxxxxxxx>

Hello guys

I was recently confronted with a problem where, using Google-hacking
techniques, I was able to find entries that point to my employer’s
website while having confidential username and password parameters in
the URL. Using this URL listed as Google’s search result, everyone
could access personalized accounts on this website.

I see two kinds of problems here.

First, the web application should not put confidential parameters into
the URL. This is the GET/POST discussion which is clear to me.

Second, even if a web application puts these parameters into the URL, I
wonder how this URL gets indexed by Google. Does anyone have a clue how
this can happen?

Interestingly Google lists only three user accounts while the website
has about 10’000 registered users. I was thinking about two
possibilities:
- The web application somehow leaks this URL to the Google search spider
- The affected users somehow publish their browser history on the web
(probably through malware?)

It would be interesting if someone has ideas on how the second problem
can be explained.

By the way, the Google query that led to the problematic entries
looked as follows: site:mydomain.com inurl:password inurl:user.

Any ideas?

Regards
Joe

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
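
Added example, not part of either post above: a log check a site owner could run to see where credential-bearing URLs of the kind the query `inurl:password inurl:user` matches show up in web server access logs, either as requests (including crawler fetches) or inside Referer headers. The parameter spellings, crawler user-agent substrings, combined log format and sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# "user" and "password" come from the query in the post; other spellings are assumed.
SENSITIVE = {"user", "username", "password", "passwd", "pwd"}
CRAWLER = re.compile(r"googlebot|bingbot|slurp", re.I)  # assumed UA substrings
# Apache/nginx "combined" log format (assumed to be what the server writes).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def sensitive_params(url):
    """Return the credential-like query parameter names present in url."""
    keys = {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(keys & SENSITIVE)

def redact(url):
    """Mask sensitive values so the report does not repeat the leak."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = "&".join(
        f"{k}={'REDACTED' if k.lower() in SENSITIVE else v}" for k, v in pairs
    )
    return parts._replace(query=query).geturl()

def scan(lines):
    """Flag log entries whose request target or Referer carries credentials."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # "request": the URL was fetched (crawler=True means a spider found a link
        # to it). "referer": the browser sent the URL along with a later request.
        for kind, url in (("request", m["target"]), ("referer", m["referer"])):
            names = sensitive_params(url)
            if names:
                findings.append({"kind": kind, "params": names, "url": redact(url),
                                 "crawler": bool(CRAWLER.search(m["ua"])), "ip": m["ip"]})
    return findings

# Constructed sample log lines (documentation IP ranges, made-up credentials).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2009:10:01:02 +0200] "GET /account?user=alice&password=s3cret HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '192.0.2.66 - - [29/May/2009:11:15:40 +0200] "GET /account?user=alice&password=s3cret HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [29/May/2009:10:01:03 +0200] "GET /img/logo.png HTTP/1.1" 200 900 "http://mydomain.com/account?user=alice&password=s3cret" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '198.51.100.9 - - [29/May/2009:12:00:00 +0200] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "referer" finding matters because the same header is also sent to any third-party host the page loads resources from or links to, where it lands in logs the site owner does not control.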

