Vulnerability Scans via Search Engines (Request for Logs)
Last Updated: 2013-01-25 15:44:24 UTC
by Johannes Ullrich (Version: 1)
We had a reader this week submit the following web log to us:
GET /geography/slide.php?image_name=Free+gay+black+movies&slide_file= script%E2%84%91_id=0+union+select+0x3f736372aca074200372 HTTP/1.1
The request, as you can probably tell, is an attempt to detect SQL Injection and likely XSS vulnerabilities. As such, it isn't really all that special. What makes this more interesting is the fact that it came from Microsoft's Bing search engine. Not only the user agent matched, but also the source IP address.
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.html) Client IP Address: 220.127.116.11
This technique of using search engines to proxy vulnerability scans has been mentioned in the past. For example, Google's translate service has been used to proxy requests. Also, "Google Hacking", which refers to specially crafted Google searches to find vulnerabilities are quite common.
What I am wondering is how wide spread this "Bing Reflection" attack is. If you got a couple minutes, check your web logs and see if you can find similar requests. Search for "bingbot" and some exploit strings like "union" or "script". So far, a qucik search of my logs for isc.sans.edu came up empty, but we are a bit "special" in that users legitimatly search for exploit strings to find diaries on our site.
From a defensive point of view, I am not too worried about these queries. A direct scan is certainly more "dangerous" even though it is easier to block and maybe to attribute. But as usual, the real defense against a vulnerability scan is to eliminate vulnerabilities. (plus add some of the offensive techniques we mentioned in the past).
Interested in Web Application Security? I will be teaching "Defending Web Applications" in Orlando from March 8th-15th
Johannes B. Ullrich, Ph.D.
SANS Technology Institute