During indexing, the indexing process collects and stores information. Similar to Directory Indexing, Insecure Indexing allows sensitive information to be retrieved by a determined attacker. The attacker does not thwart the security model of the search engine; therefore, this attack is subtle and very hard to detect and to foil. With an Insecure Indexing attack, it’s not easy to distinguish the attacker’s queries from a legitimate user’s queries.
Insecure Indexing threatens the data confidentiality of a website. Indexing website contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files and about their content. In the process of indexing, such information is collected and stored by the indexing process, and can later be retrieved by a determined attacker, typically through a series of queries to the search engine.
Recently this has been exploited by malicious attackers to retrieve sensitive documents such as quarterly reports of publicly traded companies before their official release date, as these documents had been uploaded weeks before but not linked to from anywhere on the company’s website.
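Because the leak comes from the indexer reading files that no public page links to, one way to audit for it is to compare the paths held in the search index with the paths a link-following crawl from the home page can reach. The sketch below is an added example, not part of the original page; the link graph, the indexed paths and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample: link graph as a public, link-following crawler sees it
# (page -> pages it links to).
SITE_LINKS = {
    "/": ["/about.html", "/investors/"],
    "/about.html": ["/"],
    "/investors/": ["/investors/q1-report.pdf"],
    "/investors/q1-report.pdf": [],
}

# Constructed sample: paths exported from the site's search index, which was
# built by a process reading the web root directly from the file system.
INDEXED_PATHS = [
    "/",
    "/about.html",
    "/investors/",
    "/investors/q1-report.pdf",
    "/investors/q2-report-draft.pdf",  # uploaded early, linked from nowhere
    "/backup/users.sql",               # never meant to be served
]


def publicly_reachable(links, start="/"):
    """Breadth-first walk of the link graph; returns every path reachable from start."""
    seen = {start}
    queue = deque([start])
    while queue:
        page = queue.popleft()
        for target in links.get(page, []):  # pages with no entry have no links
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def insecurely_indexed(indexed_paths, links, start="/"):
    """Paths the index knows about that no chain of public links leads to."""
    reachable = publicly_reachable(links, start)
    return sorted(p for p in indexed_paths if p not in reachable)


if __name__ == "__main__":
    for path in insecurely_indexed(INDEXED_PATHS, SITE_LINKS):
        print("indexed but not publicly linked:", path)
```

Each path reported is a candidate for exclusion from the index or for removal from the web root.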