SiteDigger unearths Web information leaks

Without search engines, the Web wouldn’t be the premier information resource and significant economic force it is today. But there’s a dark side: Black hats easily exploit Google, MSN, Yahoo, and others to find confidential information that organizations might find embarrassing if it were widely circulated. Moreover, these same hacking techniques can expose security holes in organizations’ information networks, such as log-ins to terminal services, lists of user names and passwords, and other sensitive data.

Foundstone’s security consultants found those Web security problems, and hundreds of others, in performing vulnerability assessments for clients. To automate this discovery process, Foundstone developed SiteDigger. Compared with the original version that I’ve used since its May 2004 release, SiteDigger 2.0 produces fewer false positives, provides better reporting, and recognizes more security signatures, including both Foundstone’s and those from a public Google hacking database.

I installed SiteDigger 2.0 in a few minutes, and the clear-cut GUI allowed me to get right to work. The only special requirement is a free Google API Web services license, which is also the only notable drawback of this tool because Google limits your key to 1,000 search queries per day.

Updating and using signatures is easier in this version. From a simple dialog, I automatically refreshed the 174 verified signatures Foundstone offers and also downloaded about 800 others from GHDB (Google Hacking Database) at johnny.ihackstuff.com. When performing a scan, you may select all signatures, pick certain groups (privacy, backup files, public vulnerabilities, configuration mistakes, remote administrator interface error messages, and technology profiles), or run scans against individual signatures within any of those groups. It couldn’t be easier. Although you shouldn’t need much guidance using the application, Version 2.0 includes some step-by-step walk-throughs to help those with limited security knowledge.

After launching a scan against a Web server I purposely made insecure, SiteDigger finished its assessment in approximately 15 minutes and produced a readable HTML report. In particular, I appreciated the clarity of the information. The report lists the main security category, the problem URL, a summary of the issue, and a more detailed description. And whereas Version 1.0 returned only the first result for each signature query, Version 2.0 shows as many as 10 problems for each type of signature. With the exception of specifying the number of results displayed, however, SiteDigger still provides no options to customize reports.

That said, the results were of high quality. For example, SiteDigger 2.0 correctly identified configuration problems such as directories that could be listed, as well as accessible log files and a SQL injection flaw. So far, I haven’t discovered any false positives in this version’s reports — a noticeable improvement over the initial release.

As does Version 1.0, Version 2.0 allows you to write — using a simple XML syntax — signatures that are then easily added to the main signature file. With Version 2.0, however, users can submit these signatures directly from the program rather than having to e-mail them to Foundstone.

Foundstone SiteDigger is a simple, effective tool with a narrow focus. It doesn’t fully assess the security of your network, its hosts, or its applications, but it can identify security vulnerabilities exposed through Google and other search engines, helping IT staff easily and quickly identify where their sites are open to attack. You may be surprised to discover that your Web site is more vulnerable to exploitation than you thought.