
SANS Internet Storm Center (ISC) Diary

Vulnerability Scans via Search Engines (Request for Logs)

We had a reader this week submit the following web log to us:

GET /geography/slide.php?image_name=Free+gay+black+movies&slide_file=script%E2%84%91_id=0+union+select+0x3f736372aca074200372 HTTP/1.1

The request, as you can probably tell, is an attempt to detect SQL injection and likely XSS vulnerabilities. As such, it isn't really all that special. What makes it more interesting is that it came from Microsoft's Bing search engine: not only did the user agent match, but so did the source IP address.

User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +
Client IP Address:

This technique of using search engines to proxy vulnerability scans has been mentioned in the past. For example, Google's translate service has been used to proxy requests. Also, "Google Hacking", which refers to specially crafted Google searches used to find vulnerabilities, is quite common.

What I am wondering is how widespread this "Bing Reflection" attack is. If you have a couple of minutes, check your web logs and see if you can find similar requests. Search for "bingbot" and some exploit strings like "union" or "script". So far, a quick search of my logs came up empty, but we are a bit "special" in that users legitimately search for exploit strings to find diaries on our site.
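One way to run the log check described above, as an added example that is not part of the original diary or of any ISC tooling: the script below parses Apache/nginx "combined" format lines, URL-decodes the request (a plain grep for "union" misses percent-encoded or double-encoded probes), keeps only requests whose User-Agent claims to be bingbot, and flags the ones carrying SQL injection, XSS or traversal indicators. It also separates genuine Bing traffic from scanners merely spoofing the bingbot User-Agent by forward-confirmed reverse DNS, the verification Microsoft documents for bingbot (PTR under search.msn.com that resolves back to the same address). The log lines, IP addresses and DNS mappings are constructed for the example; real lookups are wired in with the two socket-based helpers at the end.

```python
"""Find vulnerability probes relayed through (or disguised as) bingbot in web logs."""
import re
import socket
from urllib.parse import unquote_plus

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators searched in the *decoded* request line (case-insensitive).
PROBE_PATTERNS = [
    ("sqli", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("sqli", re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("xss", re.compile(r"<\s*script\b", re.I)),
    ("xss", re.compile(r"javascript\s*:", re.I)),
    ("traversal", re.compile(r"(?:\.\./){2,}")),
]


def decode_url(url, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen."""
    prev, cur = None, url
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def is_bingbot_ua(ua):
    return "bingbot" in ua.lower()


def verify_bingbot_ip(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS: PTR must be under search.msn.com and
    that name must resolve back to the same IP. Returns True/False."""
    host = reverse_lookup(ip)
    if not host or not host.lower().rstrip(".").endswith(".search.msn.com"):
        return False
    return ip in forward_lookup(host)


def scan_log(lines, reverse_lookup=None, forward_lookup=None):
    """Return findings for bingbot-claiming requests that carry probe indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_bingbot_ua(m["ua"]):
            continue
        decoded = decode_url(m["url"])
        hits = sorted({name for name, pat in PROBE_PATTERNS if pat.search(decoded)})
        if not hits:
            continue
        verified = None  # unknown when no resolvers were supplied
        if reverse_lookup and forward_lookup:
            verified = verify_bingbot_ip(m["ip"], reverse_lookup, forward_lookup)
        findings.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"],
                         "decoded": decoded, "indicators": hits,
                         "verified_bingbot": verified})
    return findings


# --- Constructed sample data (documentation IP ranges, made-up hostnames) ---
BINGBOT_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
SAMPLE_LOG = [
    # relayed SQLi probe from a real bingbot address
    '203.0.113.10 - - [25/Jan/2013:10:15:42 +0000] "GET /geography/slide.php?image_name=test'
    f'&slide_file=1%27+union+select+0x41 HTTP/1.1" 200 512 "-" "{BINGBOT_UA}"',
    # ordinary crawl, nothing to flag
    f'203.0.113.10 - - [25/Jan/2013:10:15:50 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{BINGBOT_UA}"',
    # direct scanner, not claiming to be bingbot: out of scope for this check
    '192.0.2.55 - - [25/Jan/2013:10:16:30 +0000] "GET /a.php?id=1+union+select+1 HTTP/1.1" 500 0 "-" "curl/7.29.0"',
    # XSS probe with a spoofed bingbot User-Agent from a non-Microsoft host
    '198.51.100.7 - - [25/Jan/2013:10:16:01 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E'
    f' HTTP/1.1" 200 77 "-" "{BINGBOT_UA}"',
]
STUB_PTR = {"203.0.113.10": "msnbot-203-0-113-10.search.msn.com",
            "198.51.100.7": "vps-1234.example.net"}
STUB_A = {"msnbot-203-0-113-10.search.msn.com": ["203.0.113.10"],
          "vps-1234.example.net": ["198.51.100.7"]}


def stub_reverse(ip):
    return STUB_PTR.get(ip)


def stub_forward(host):
    return STUB_A.get(host, [])


def real_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def real_forward(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


def run_sample():
    """Scan the constructed sample with the offline stub resolvers."""
    return scan_log(SAMPLE_LOG, stub_reverse, stub_forward)


if __name__ == "__main__":
    for f in run_sample():
        tag = {True: "genuine bingbot", False: "SPOOFED bingbot", None: "unverified"}[f["verified_bingbot"]]
        print(f'{f["ts"]} {f["ip"]} [{tag}] {",".join(f["indicators"])} {f["decoded"]}')
```

Against a real access log, replace `SAMPLE_LOG` with the file's lines and pass `real_reverse` / `real_forward`; the two outcomes call for different responses, since a verified bingbot hit means someone seeded the crawler with the payload URL (and blocking the IP would block Bing), while a spoofed one is an ordinary scanner that can be blocked directly. Either way the request is only as dangerous as the application behind it.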

From a defensive point of view, I am not too worried about these queries. A direct scan is certainly more "dangerous", even though it is easier to block and maybe to attribute. But as usual, the real defense against a vulnerability scan is to eliminate vulnerabilities (plus add some of the offensive techniques we mentioned in the past).


Interested in Web Application Security? I will be teaching "Defending Web Applications" in Orlando from March 8th-15th

Johannes B. Ullrich, Ph.D.
SANS Technology Institute



Jan 25th 2013
