Google Code Search for Security Vulnerabilities05 Oct 2006
Stephen de Vries sent an email to SecurityFocus's web application security mailing list earlier today to comment on the new Google Code Search:
Google's code search provides an easy way to find obvious software flaws in open source and example applications.
He provided a few example queries to illustrate his point:
There is certainly some potential for abuse. Here are a few queries for PHP and MySQL vulnerabilities off the top of my head:
- XSS due to echoing raw input: lang:php echo.*\$_(GET|POST)
- XSS due to echoing
$_SERVER['PHP_SELF']: lang:php echo.*\$_SERVER\['PHP_SELF']
- SQL injection due to using raw input directly in
mysql_query(): lang:php mysql_query\(.*\$_(GET|POST).*\)
- SQL injection due to using raw input directly in a
WHEREclause: lang:php "WHERE username='$_"
- Vulnerabilities due to a misplaced trust in
$_SERVER['HTTP_REFERER']: lang:php \$_SERVER\['HTTP_REFERER']
There are a few false positives in these results, but hopefully it's clear that with a little bit of effort, it's easy to create a collection of queries to search for common web application security vulnerabilities.
Maybe I'm being naive, but I see a silver lining. With this tool that Google has created, it seems possible to develop a useful static analysis tool for the source code that's in the index. As easily as vulnerabilities can be discovered by the bad guys, they can also be discovered by the good guys.
Can you think of some good queries to add to this list? Please share!