SANS ISC: Vulnerability Scans via Search Engines (Request for Logs)
We had a reader this week submit the following web log to us:

GET /geography/slide.php?image_name=Free+gay+black+movies&slide_file=script%E2%84%91_id=0+union+select+0x3f736372aca074200372 HTTP/1.1

The request, as you can probably tell, is an attempt to detect SQL injection and likely XSS vulnerabilities. As such, it isn't really all that special. What makes it more interesting is the fact that it came from Microsoft's Bing search engine: not only did the user agent match, but so did the source IP address.

User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.html)
Client IP Address: 157.55.52.58

This technique of using search engines to proxy vulnerability scans has been mentioned in the past. For example, Google's translate service has been used to proxy requests. Also, "Google Hacking", which refers to specially crafted Google searches used to find vulnerabilities, is quite common.

What I am wondering is how widespread this "Bing Reflection" attack is. If you have a couple of minutes, check your web logs and see if you can find similar requests. Search for "bingbot" and some exploit strings like "union" or "script". So far, a quick search of my logs for isc.sans.edu came up empty, but we are a bit "special" in that users legitimately search for exploit strings to find diaries on our site.
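As an added illustration (not part of the diary), here is a small Python triage script for the log search suggested above: it parses combined-format web log lines, URL-decodes each request path, looks for the "union" and "script" markers the diary mentions, and separates hits whose user agent claims to be bingbot from direct scans. The sample log lines, their timestamps and the 203.0.113.7 client are constructed.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log line:
# ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Markers the diary suggests grepping for, applied to the URL-decoded path so
# that "union+select" and %xx-encoded fragments are visible to the patterns.
MARKERS = {
    "sqli": re.compile(r"\bunion\b.{0,40}\bselect\b", re.IGNORECASE | re.DOTALL),
    "script": re.compile(r"script", re.IGNORECASE),
    "hex-literal": re.compile(r"0x[0-9a-f]{6,}", re.IGNORECASE),
}

def exploit_markers(path):
    """Names of the markers present in the URL-decoded request path."""
    decoded = unquote_plus(path)  # '+' -> ' ', %xx -> bytes -> text
    return [name for name, pat in MARKERS.items() if pat.search(decoded)]

def triage(lines):
    """Split suspicious requests into Bing-reflected hits and direct scans."""
    result = {"reflected": [], "direct": []}
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not in combined format; skip rather than guess
        markers = exploit_markers(m["path"])
        if not markers:
            continue
        # The user agent alone is trivially spoofable, so the source IP is kept
        # in the hit for the analyst to confirm against the search engine's ranges.
        hit = {"ip": m["ip"], "path": m["path"], "ua": m["ua"], "markers": markers}
        bucket = "reflected" if "bingbot" in m["ua"].lower() else "direct"
        result[bucket].append(hit)
    return result

# Constructed sample lines: timestamps and the 203.0.113.7 client are made up;
# the first request mirrors the one submitted to the ISC (neutral image_name).
SAMPLE_LOG = [
    '157.55.52.58 - - [20/Feb/2020:10:11:12 +0000] "GET /geography/slide.php?image_name=slide1&slide_file=script%E2%84%91_id=0+union+select+0x3f736372aca074200372 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.html)"',
    '157.55.52.58 - - [20/Feb/2020:10:11:13 +0000] "GET /robots.txt HTTP/1.1" 200 128 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.html)"',
    '203.0.113.7 - - [20/Feb/2020:10:12:00 +0000] "GET /geography/slide.php?image_id=1+union+select+1,2,3 HTTP/1.1" 500 0 "-" "curl/7.68.0"',
]
```

Run `triage(SAMPLE_LOG)` against your own access log lines to get the two buckets; the "reflected" bucket is the one worth sending to the ISC.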

From a defensive point of view, I am not too worried about these queries. A direct scan is certainly more "dangerous", even though it is easier to block and maybe to attribute. But as usual, the real defense against a vulnerability scan is to eliminate vulnerabilities (plus add some of the offensive techniques we mentioned in the past).

------

Interested in Web Application Security? I will be teaching "Defending Web Applications" in Orlando from March 8th-15th

Johannes B. Ullrich, Ph.D.
SANS Technology Institute