Tuesday

Google hacking

No, this is not about hacking Google, but about using Google as an information-gathering tool. Other search engines can be used too, but Google is still one of the best.

First, a Google Guide Quick Reference Sheet.

Try some of the following:

  • allinurl: admin mdb (locates administrator databases with usernames & passwords)
  • allinurl:auth_user_file.txt (DCForum's password file)
  • "access denied for user" "using password"
  • "Login to Webmin" inurl:10000 (gives you Webmin authentication interfaces)
  • intitle:index.of server.at (determines the webserver version)

You get the picture. How can you defend against it?

  • use these techniques to test your own site (check the Google Hacking Database) so you won't make the same mistakes as these people
  • keep any sensitive files off your web server
  • replace the default error pages to restrict the information they leak
  • set the right permissions on web directories and files
  • set a robots.txt file (more info here)
  • if it is already too late, have the references removed: www.google.com/remove.html
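As an added example (not part of the original post), here is an Apache httpd configuration that closes the exposures the searches above find: directory listings, leftover database and password files, stock error pages and the version footer. The document root and error-page paths are assumptions.

```apache
# Added example (not from the original post): Apache httpd settings that close
# the exposures the searches above find. Paths and file names are assumptions.

# Directory listings are what "intitle:index.of" finds: turn them off.
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Never serve database files, backups or flat-file password lists, even if
# someone copies one into the web root by mistake ("admin mdb", auth_user_file.txt).
<FilesMatch "\.(mdb|sql|bak|old|inc|log)$">
    Require all denied
</FilesMatch>
<Files "auth_user_file.txt">
    Require all denied
</Files>

# Custom error pages: the stock pages reveal server version and module names,
# and "access denied" style messages should not echo credentials or queries.
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# Drop the version string from the Server header and from the "Server at ..."
# footer of generated pages, which is what the "server.at" search matches.
ServerTokens Prod
ServerSignature Off
```

Remember that robots.txt is itself public and only asks well-behaved crawlers to stay away; the access controls above are what actually keep a file out of the index.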