About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


Google Code Search for Security Vulnerabilities

Stephen de Vries sent an email to SecurityFocus's web application security mailing list earlier today to comment on the new Google Code Search:

Google's code search provides an easy way to find obvious software flaws in open source and example applications.

He provided a few example queries to illustrate his point:

There is certainly some potential for abuse. Here are a few queries for PHP and MySQL vulnerabilities off the top of my head:

There are some false positives in these results, but it should be clear that, with a little effort, it is easy to build a collection of queries that turn up common web application vulnerabilities, because each query is just a regular expression matched against the indexed source.

Maybe I'm being naive, but I see a silver lining. With this tool that Google has created, it seems possible to develop a useful static analysis tool for the source code that's in the index. As easily as vulnerabilities can be discovered by the bad guys, they can also be discovered by the good guys.
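As an added example of what that "silver lining" could look like (this is not code from the original post, from Google, or from any commenter), here is a small line-oriented scanner in Python that applies the kind of queries suggested in this thread to PHP source: tainted input from the superglobals or the old long globals (`$HTTP_*_VARS`) appearing on the same line as a SQL, include or shell sink. The patterns, the sink list, the `SANITIZERS` heuristic and the sample PHP are all my own constructions for illustration; they are not Google's query syntax and the sample is not taken from any real project.

```python
import re

# Taint sources: the PHP superglobals plus the pre-4.1 "long" globals.
TAINT = r"\$(?:_(?:GET|POST|REQUEST|COOKIE)|HTTP_(?:GET|POST|COOKIE)_VARS)\b"

# Sinks paired with a finding name. These are assumed patterns modelled on the
# queries people typed into Code Search, e.g. mysql_query(...$_(GET|POST|REQUEST)
# and INSERT/UPDATE next to $_POST. Each is a single-line regular expression.
QUERIES = [
    ("sql-injection", re.compile(r"mysql_query\s*\(.*" + TAINT)),
    ("sql-injection", re.compile(r"\b(?:INSERT|UPDATE|SELECT|DELETE)\b.*" + TAINT)),
    ("remote-code-injection", re.compile(r"\b(?:include|require)(?:_once)?\b.*" + TAINT)),
    ("command-injection", re.compile(r"\b(?:system|exec|passthru|shell_exec)\s*\(.*" + TAINT)),
]

# Crude evidence that the input on this line was escaped or cast. A match only
# downgrades a finding to "probably a false positive"; it does not prove safety.
SANITIZERS = re.compile(r"mysql_real_escape_string|intval|\(int\)|escapeshellarg")


def scan(source, path="<input>"):
    """Return one finding per line whose text matches a query.

    Comment lines are skipped because they are a large share of the noise in
    raw search results ("this could be a security flaw" style remarks).
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for kind, pattern in QUERIES:
            if pattern.search(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": kind,
                    "escaped": bool(SANITIZERS.search(line)),
                    "text": stripped,
                })
                break  # one report per line is enough for triage
    return findings


# Constructed sample input for the scanner; not code from any real project.
SAMPLE_PHP = '''<?php
// Constructed sample: deliberately vulnerable lines mixed with escaped ones.
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id = $id");  // taint reaches the query via $id: a one-line query misses this
mysql_query("SELECT * FROM users WHERE name = '" . $_GET['name'] . "'");
mysql_query("INSERT INTO log VALUES ('" . mysql_real_escape_string($_POST['msg']) . "')");
$sql = "UPDATE users SET email = '$HTTP_POST_VARS[email]' WHERE id = $HTTP_POST_VARS[id]";
include($_REQUEST['page'] . '.php');
system("ls " . $_GET['dir']);
// mysql_query($_GET['q']);  commented out, so it should not be reported
?>
'''


if __name__ == "__main__":
    for f in scan(SAMPLE_PHP, "sample.php"):
        flag = " (escaped?)" if f["escaped"] else ""
        print(f"{f['path']}:{f['line']}: {f['kind']}{flag}: {f['text']}")
```

Run against the sample, the scanner reports lines 5 through 9 and nothing else; line 6 is flagged as probably escaped. Line 4 is the important miss: the tainted value is copied into `$id` first, so no single-line pattern sees both source and sink. That is exactly the trade-off behind the false positives and negatives mentioned above: these queries find the obvious cases quickly, and every hit still needs a human to read the surrounding code.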

Can you think of some good queries to add to this list? Please share!

About This Post

Google Code Search for Security Vulnerabilities was posted on Thu, 05 Oct 2006 at 19:58:38 GMT.

19 Comments

1. fett said:

Wow, this is ... well ... great? And I actually thought that the average Java guy takes security more seriously (I don't know why I did). I also thought such obvious vulnerabilities are more common in PHP. But hey, we all learn.

Thu, 05 Oct 2006 at 20:34:35 GMT Link


2. Chris Shiflett said:

This one is from Slashdot:

http://google.com/codesearch?q=+fil...ig.php+username

Thu, 05 Oct 2006 at 20:48:04 GMT Link


3. Peter said:

Only thing that pops into my head immediately is to add REQUEST to those subpatterns, a la $_(GET|POST|REQUEST)

Dare I think you should look for the old globals? $HTTP_POST_VARS and the like?

Thu, 05 Oct 2006 at 20:51:37 GMT Link


4. Pierre said:

Searching for INSERT/UPDATE and POST/GET should give more relevant results ;)

An example with another tool (koders):

http://koders.com/?s=INSERT+_POST&a...HP&_%3Ali=*

Thu, 05 Oct 2006 at 21:01:12 GMT Link


5. Chris Shiflett said:

Thanks, Pierre.

(Note to self: Fix the URL regex pattern in the comments.)

Thu, 05 Oct 2006 at 21:17:50 GMT Link


6. Tim said:

Has anyone done a set of design patterns for user-input validation? I don't want to end up one of those people who are told about sql injection and start writing javascript functions that replace single quotes.

Thu, 05 Oct 2006 at 22:04:48 GMT Link


7. Chris Shiflett said:

Ilia has posted some more here:

http://ilia.ws/archives/133-Google-...d.html#extended

Thu, 05 Oct 2006 at 22:55:52 GMT Link


8. metapundit said:

Just searching for "security flaw" yields interesting results... Lots of fixes, but also lots of "this could be a security flaw" type comments...

Fri, 06 Oct 2006 at 01:20:46 GMT Link


9. Chris Shiflett said:

Harry Fuecks has a good one for finding remote code injection vulnerabilities:

http://www.sitepoint.com/blogs/2006/10/06/oh-dear/

Fri, 06 Oct 2006 at 02:06:45 GMT Link


10. Pure-PHP said:

I thought Java is secure ;-)

Fri, 06 Oct 2006 at 07:54:23 GMT Link


11. Chris Shiflett said:

Martin Brotzeller has posted more here:

http://blog.thinkphp.de/archives/15...lver-Plate.html

Fri, 06 Oct 2006 at 11:39:42 GMT Link


12. Aubrey Kilian said:

I found some nice ones too, all of them not quite security holes... Over at http://bug.reaper.org/archive/180

Fri, 06 Oct 2006 at 11:54:04 GMT Link


13. kae verens said:

lang:php require.*db\.inc\"

Fri, 06 Oct 2006 at 15:40:39 GMT Link


14. Chris Shiflett said:

More from Harry Fuecks:

http://www.sitepoint.com/blogs/2006.../php-mapreduce/

Fri, 06 Oct 2006 at 16:12:40 GMT Link


15. nobody said:

don't know if it's been mentioned already but:

http://www.google.com/codesearch?hl...amp;btnG=Search

and that was thought of by me, with barely an imaginative bone in my body...

people mustn't realise how much of their stuff is public

Sun, 08 Oct 2006 at 06:35:47 GMT Link


16. nobody said:

forgot all about double quotes, which is even worse:

http://www.google.com/codesearch?hl...amp;btnG=Search

Sun, 08 Oct 2006 at 06:42:06 GMT Link


17. Ivan Markovic said:

Dirty one:

http://google.com/codesearch?hl=en&...amp;btnG=Search

Mon, 09 Oct 2006 at 18:26:39 GMT Link


18. Chris Shiflett said:

Jose Nazario has posted some insecurity stats:

http://monkey.org/~jose/blog/viewpa...de_search_stats

Thu, 12 Oct 2006 at 17:41:20 GMT Link


19. Chris Shiflett said:

Nitesh Dhanjani has blogged his thoughts:

http://dhanjani.com/archives/2006/1...arch_to_fi.html

Mon, 16 Oct 2006 at 03:35:20 GMT Link

