Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
This is a draft of a section of the new Testing Guide v3
This section describes how to search the Google Index and remove the associated web content from the Google Cache.
Description of the Issue
When web content is indexed by Google their Crawler referred to as "Googlebot" refers to the robots.txt file in the web root directory.
If the robots.txt file is not revised during changes to web content, then it is possible for web content not intended to be included in Google's Search Results to be indexed by Google.
Therefore, this web content must be removed from the Google Cache.
Black Box Testing
The Advanced "site:" Search Operator of Google restricts its Search Results to a specific domain.
Google provides the Advanced "cache:" Search Operator but this is the equivalent of clicking the "Cached" link of individual Google Search Results. Hence, the use of the Advanced "site:" Search Operator is advocated.
To find the web content of http://www.owasp.org indexed by Google Cache the following Google Search Query is issued:
If the removal is not urgent then simply modifying the robots.txt file to "Disallow:" this content will result in its removal from the index once Googlebot has completed crawling the web site.
For urgent removal, Google provide the "URL Removal" function as part of their "Google Webmaster Tools" service.
Gray Box testing and example
Grey Box testing is the same as Black Box testing above
 "Advanced Google Search Operators" - http://www.google.com/help/operators.html
 "Preventing content from appearing in Google search results" - http://www.google.com/support/webmasters/bin/topic.py?topic=8459