In the process of indexing, information is collected and stored by the indexing process. Similar to Directory Indexing, Insecure Indexing allows sensitive information to be retrieved by a determined attacker. The attacker does not thwart the security model of the search engine; therefore, this attack is subtle and very hard to detect and to foil. With an Insecure Indexing attack, it’s not easy to distinguish the attacker’s queries from a legitimate user’s queries.
Insecure Indexing threatens the data confidentiality of a website. Indexing website contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files and about their content. In the process of indexing, such information is collected and stored by the indexing process, and can later be retrieved by a determined attacker, typically through a series of queries to the search engine.