Based in Melbourne, Australia.

Developer
Life

Hacking Google? - Protecting Yourself From Google Dorking

Hacking Google? - Protecting Yourself From Google Dorking

Anthony Galiamov
Commands, Learn

Contents

Overview

Google Dorking, also known as Google hacking, is a technique used to discover vulnerabilities and sensitive information stored on websites by using advanced search operators in the Google search engine. By using these operators, a hacker or researcher can uncover hidden content, find insecure configurations, or locate information that may not be intended for public access. Google Dorking can be a powerful tool for identifying and addressing security weaknesses, but it can also be used for malicious purposes. It is important for individuals and organizations to be aware of the potential risks and take steps to protect themselves from Google Dorking attacks.

Some examples of what Google Dorking can be used for include:

  1. Discovering sensitive documents: Google Dorking can be used to search for specific file types, such as PDFs or Word documents, that may contain sensitive information.
  2. Finding unsecured databases: Advanced search operators can be used to locate databases that are not properly secured, potentially exposing sensitive data.
  3. Identifying vulnerabilities in web applications: Google Dorking can be used to find web applications with known vulnerabilities, such as SQL injection flaws or cross-site scripting (XSS) vulnerabilities.
  4. Locating login pages: Hackers can use Google Dorking to find login pages on websites that may be vulnerable to brute force attacks.
  5. Uncovering hidden content: Advanced search operators can be used to discover hidden content on websites, such as directories or pages that are not linked from other parts of the site.

It is important to note that Google Dorking can be used for both legitimate and malicious purposes. While it can be a useful tool for identifying security weaknesses and improving website security, it can also be used by hackers to exploit vulnerabilities and gain unauthorized access to sensitive information.

At the end of the day: Google "Dorking" is the act of utilizing Google to discover helpless web applications and servers by utilizing local Google web crawler capacities.

Google Dork Operators

How about we take a gander at the most famous Google Dorks and what they do.

  • cache: Show the cached version of a website, e.g. cache:websitename.com

  • allintext: Searches for specific text contained on a web page, e.g. allintext:packing list

  • allinurl: Find various keywords in a URL, e.g. inurl:google faq

  • allintitle: Restricts results to those containing all terms specified in a title, e.g. allintitle:security tools

  • link: List of web pages that have links to the specified URL, e.g. link:microsoft.com

  • site: Full list of all indexed URLs for the specified domain/subdomain, e.g. site:websitename.com

  • filetype: Files with a specific file type on a website, e.g. site:domainname.com filetype:txt

  • * Wildcards are used to search pages that contain "anything" before or after your word.

  • | This is a logical operator, e.g. "security" | "tips" will show all the sites which contain either, or both words.

  • + Used to concatenate words, useful to detect pages that use more than one specific key.

  • - Minus operator avoids showing results that contain certain words, e.g. security -trails will show pages that use "security" in their text, but not those that have the word "trails".

Preventing Google Dorks

There are a great deal of approaches to abstain from falling under the control of a Google Dork. These measures proposed include:

  • Encoding/encrypting sensitive data such as usernames, passwords, payment details, messages, addresses, telephone numbers, and so forth.
  • Run inquiries against your own site to check whether you can locate any sensitive data. On the off chance that you discover sensitive information, you can remove it from search results by utilizing Google Search Console.
  • Protect sensitive content by utilizing a robots.txt document situated in your root-level site catalog. Utilizing robots.txt helps prevent Google from indexing our site, but it can also show an attacker where sensitive data might be located.

So where do we start? The accompanying arrangement will deny all creeping from any registry inside your site, which is truly valuable for private access sites that don't depend on freely indexable Internet content.

User-agent: *
Disallow: /

You can also block specific directories to be excepted from web crawling. If you have an /admin area and you need to protect it, just place this code inside:

This will also protect all the sub-directories inside.

User-agent: *  
Disallow: /admin/

Restrict access to specific files:

User-agent: *  
Disallow: /secret/file.html

Restrict access to dynamic URLs that contain ? symbol:

User-agent: *  
Disallow: /*?

Here are some useful links you can checkout for additional information.

Invalid State Error? - How to fix it in ISAM

Invalid State Error? - How to fix it in ISAM
HTTP Transformation - XSLT-buffer-size

HTTP Transformation - XSLT-buffer-size