About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.

Google Code Search for Security Vulnerabilities

Stephen de Vries sent an email to SecurityFocus's web application security mailing list earlier today to comment on the new Google Code Search:

Google's code search provides an easy way to find obvious software flaws in open source and example applications.

He provided a few example queries to illustrate his point:

There is certainly some potential for abuse. Here are a few queries for PHP and MySQL vulnerabilities off the top of my head:

There are a few false positives in these results, but hopefully it's clear that with a little bit of effort, it's easy to create a collection of queries to search for common web application security vulnerabilities.

Maybe I'm being naive, but I see a silver lining. With this tool that Google has created, it seems possible to develop a useful static analysis tool for the source code that's in the index. As easily as vulnerabilities can be discovered by the bad guys, they can also be discovered by the good guys.

Can you think of some good queries to add to this list? Please share!
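
The static-analysis idea above can be tried on a local source tree with the same kind of patterns. This is an added example, not part of the original post or its comments: the rule set, the `scan_php` helper and the sample PHP are constructed here, and the taint pattern folds in the `REQUEST` alternation and the old `$HTTP_*_VARS` globals suggested in the comments.

```python
import re

# Request-supplied data: the superglobals plus the old $HTTP_*_VARS arrays.
TAINT = r"\$(?:_(?:GET|POST|REQUEST|COOKIE)|HTTP_(?:GET|POST|COOKIE)_VARS)\b"

# Constructed rules, not the queries from the post. PHP function names are
# case-insensitive, variable names are not, hence the scoped (?i:...) groups.
RULES = {
    "sql-injection": re.compile(r"\b(?i:mysql_query)\s*\(.*" + TAINT),
    "file-inclusion": re.compile(
        r"\b(?i:(?:include|require)(?:_once)?)\b.*" + TAINT),
}

# A call that usually means the value was escaped, cast or stripped of path
# components. A hit containing one is reported as "review", not "likely".
SANITIZERS = re.compile(r"(?i)\b(?:mysql_real_escape_string|intval|basename)\s*\(")


def scan_php(source, filename="<memory>"):
    """Return (filename, line_no, rule, confidence) for each suspicious line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines, a common source of false positives
        for rule, pattern in RULES.items():
            if pattern.search(line):
                confidence = "review" if SANITIZERS.search(line) else "likely"
                findings.append((filename, line_no, rule, confidence))
    return findings


# Constructed sample input, written for this example.
SAMPLE = r'''<?php
// mysql_query("SELECT * FROM users WHERE id = $_GET[id]");
$r = mysql_query("SELECT * FROM users WHERE name = '$_POST[name]'");
$r = mysql_query("SELECT * FROM posts WHERE id = " . intval($_GET['id']));
$r = MySQL_Query("DELETE FROM posts WHERE id = " . $HTTP_GET_VARS['id']);
include($_REQUEST['page'] . '.php');
require_once 'config.php';
'''

if __name__ == "__main__":
    for finding in scan_php(SAMPLE, "sample.php"):
        print("%s:%d: %s (%s)" % finding)
```

Line-based matching like this misses tainted values that are first copied into another variable, so a clean result is not proof that the code is safe.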

About this post

Google Code Search for Security Vulnerabilities was posted on Thu, 05 Oct 2006.


1.fett said:

Wow, this is ... well ... great? And I actually thought that the average Java guy takes security more seriously (I don't know why I did). I also thought such obvious vulnerabilities are more common in PHP. But hey, we all learn.

Thu, 05 Oct 2006 at 20:34:35 GMT

2.Chris Shiflett said:

This one is from Slashdot:


Thu, 05 Oct 2006 at 20:48:04 GMT

3.Peter said:

Only thing that pops into my head immediately is to add REQUEST to those subpatterns, a la $_(GET|POST|REQUEST)

Dare I think you should look for the old globals? $HTTP_POST_VARS and the like?

Thu, 05 Oct 2006 at 20:51:37 GMT

4.Pierre said:

Searching for INSERT/UPDATE and POST/GET should give more relevant results ;)

An example with another tool (koders):


Thu, 05 Oct 2006 at 21:01:12 GMT

5.Chris Shiflett said:

Thanks, Pierre.

(Note to self: Fix the URL regex pattern in the comments.)

Thu, 05 Oct 2006 at 21:17:50 GMT

6.Tim said:

Has anyone done a set of design patterns for user-input validation? I don't want to end up one of those people who are told about sql injection and start writing javascript functions that replace single quotes.

Thu, 05 Oct 2006 at 22:04:48 GMT

7.Chris Shiflett said:

Ilia has posted some more here:


Thu, 05 Oct 2006 at 22:55:52 GMT

8.metapundit said:

Just searching for "security flaw" yields interesting results... Lots of fixes, but also lots of "this could be a security flaw" type comments...

Fri, 06 Oct 2006 at 01:20:46 GMT

9.Chris Shiflett said:

Harry Fuecks has a good one for finding remote code injection vulnerabilities:


Fri, 06 Oct 2006 at 02:06:45 GMT

10.Pure-PHP said:

I thought Java is secure ;-)

Fri, 06 Oct 2006 at 07:54:23 GMT

11.Chris Shiflett said:

Martin Brotzeller has posted more here:


Fri, 06 Oct 2006 at 11:39:42 GMT

12.Aubrey Kilian said:

I found some nice ones too, all of them not quite security holes... Over at http://bug.reaper.org/archive/180

Fri, 06 Oct 2006 at 11:54:04 GMT

13.kae verens said:

lang:php require.*db\.inc\"

Fri, 06 Oct 2006 at 15:40:39 GMT

14.Chris Shiflett said:

More from Harry Fuecks:


Fri, 06 Oct 2006 at 16:12:40 GMT

15.nobody said:

don't know if it's been mentioned already but:


and that was thought of by me, with barely an imaginative bone in my body...

people mustn't realise how much of their stuff is public

Sun, 08 Oct 2006 at 06:35:47 GMT

16.nobody said:

forgot all about double quotes, which is even worse:


Sun, 08 Oct 2006 at 06:42:06 GMT

17.Ivan Markovic said:

Dirty one:


Mon, 09 Oct 2006 at 18:26:39 GMT

18.Chris Shiflett said:

Jose Nazario has posted some insecurity stats:


Thu, 12 Oct 2006 at 17:41:20 GMT

19.Chris Shiflett said:

Nitesh Dhanjani has blogged his thoughts:


Mon, 16 Oct 2006 at 03:35:20 GMT
