Who says hackers are all bad? The infamous Cult of the Dead Cow, a Lubbock, Texas-based hacker organization known for its strong views on censorship and social justice issues, released a Google Web auditing scanner that lets users search a specific Web site or domain for exploitable flaws through the search engine.
The Goolag Scanner was intended as a tool for users to audit their own Web pages through Google. The scanner, a standalone Windows GUI-based application, is grounded in Google scanning technology, a form of vulnerability research developed by the hacker known as Johnny I Hack Stuff. The open source scanning program is freely available for users to download under the GNU Affero General Public License.
"It's no big secret that the Web is the platform," said Oxblood Ruffin, a spokesperson for the hacker group, in a written statement. "This platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for Web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe and the Middle East. If I were a government, a large corporation, or anyone with a large Web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."
The tool works by sending the same queries to a Google site as a user would send from a browser. It ships as a Windows .NET program that can be configured to run approximately 1,500 embedded Google queries against servers or an entire domain set. The program then scans for vulnerable Web pages, misconfigured Web servers with open backdoors, sensitive usernames and passwords, and other potentially vulnerable or exposed information.
An advisory on the group's Web site said "the following program may screw a large Internet search engine and make the Web a safer place."
"Allegedly it would take all the terms from a database, search through Google, and give you results looking for different information about vulnerabilities," said Amichai Shulman, CTO of Imperva, an application data security and compliance vendor based in Foster City, Calif. "Basically, it allows one to do a global vulnerability scan without going to the sites themselves."
However, security experts contend that the popular search engine throws up some obstacles for users trying to take advantage of the open source tool. Shulman said that Google has made a concerted effort to detect and deny any automated searches. As a result, Shulman said, users would only be able to run a few queries at a time. Otherwise, they risk being detected by Google as an automated tool and having their IP address shut down. Google did not immediately respond to queries from CRN.
Shulman said that because users have to look for the specific URLs, it is possible that none of the 1,500 terms would apply to an application owner's site. "If you were an application owner who could run such an automated tool with your domain in Google, it would have a lot of value."
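For a site owner who wants that kind of check without sending automated queries to Google, the same operator-style tests can be evaluated locally against an inventory of the owner's own pages. The sketch below is an added example, not code from the Goolag Scanner or from Imperva; the three checks, the page list and the `example.test` domain are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed checks written in search-operator style; not the scanner's own query set.
CHECKS = {
    "directory listing": 'intitle:"index of" inurl:backup',
    "database dump": "filetype:sql",
    "phpinfo page": "intitle:phpinfo inurl:info.php",
}

# Constructed inventory of an owner's own pages as (url, page title).
PAGES = [
    ("https://www.example.test/", "Example Corp"),
    ("https://www.example.test/backup/", "Index of /backup"),
    ("https://www.example.test/backup/site.sql", ""),
    ("https://dev.example.test/info.php", "phpinfo()"),
    ("https://www.example.test/docs/sql-guide.html", "SQL guide"),
]

TERM = re.compile(r'(\w+):("[^"]*"|\S+)')

def parse(query):
    """Split 'op:value op:"quoted value"' into (operator, lowercase value) pairs."""
    return [(op.lower(), val.strip('"').lower()) for op, val in TERM.findall(query)]

def term_matches(op, val, url, title):
    """Evaluate one operator against a single page of the inventory."""
    parts = urlparse(url.lower())
    if op == "site":  # exact host or any subdomain of it
        host = parts.hostname or ""
        return host == val or host.endswith("." + val)
    if op == "inurl":
        return val in url.lower()
    if op == "intitle":
        return val in title.lower()
    if op == "filetype":  # extension of the path, not a substring of the URL
        return parts.path.endswith("." + val)
    raise ValueError(f"unsupported operator: {op}")

def audit(domain, pages=PAGES, checks=CHECKS):
    """Return {check name: [urls]} for pages on `domain` that match every term."""
    findings = {}
    for name, query in checks.items():
        terms = [("site", domain.lower())] + parse(query)
        hits = [u for u, t in pages if all(term_matches(o, v, u, t) for o, v in terms)]
        if hits:
            findings[name] = hits
    return findings
```

Calling `audit("example.test")` reports all three constructed exposures, while `audit("www.example.test")` omits the page on the `dev` host. The inventory would normally come from the owner's own crawl or sitemap.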
Security experts say that the open source tool addresses the increasing number of malware attacks that use search engines to target Web 2.0 applications. "The ideal place for an application level worm to look for potential victims and their vulnerabilities would of course be a directory that lists all applications and their vulnerabilities," Shulman wrote in his report, "Web Application Worms: Myth or Reality."
"Since search engines return the result set as an HTML document, it is easy to write code that would extract the vulnerable URLs from the reply. In fact Google now exposes a Web Service interface that makes such a task even easier. Hence the attacker has a simple piece of code that uses HTTP requests to retrieve vulnerable URLs from the search engine. By making small changes to the code, Niddhog (worm) can use a different search engine or look for a different vulnerability."
The report also stated that "no protection mechanism at the site could set off an alarm."
"I think (Goolag scanner) should be a wakeup call for application owners and what they are doing with respect to search engines and their application security," said Shulman. "It just emphasizes an existing trend that application owners should pay attention to."