Using Google to Find Security Bugs at 10:05 AM

Reviewing software for security bugs is a highly recommended best practice. There are various techniques for doing source code reviews, one of them being "static code analysis" which (in most cases) involves the use of a 'grepping' (pattern matching) tool along with a database of patterns that indicate potential security flaws. There are disadvantages to static code analysis: high rate of false positives and the inability to detect logic errors that may lead to security bugs. That said, static code analysis tools can be used to perform a quick first pass on the source code to detect bugs that can be easily identified by a grepping technique ("low hanging fruit"). Some of the free static code analyzers (security) are: Flawfinder, RATS, and SWAAT.

The idea is query Google Code Search using techniques previously reserved for local static code analysis. Here are a few interesting queries:

- SQL Injection in Java caused by executing a dynamic SQL query with user supplied input: http://www.google.com/codesearch?hl=en&lr=&q=.*executeQuery.*getParameter.*

- SQL Injection in PHP caused by executing a dynamic SQL query with user supplied input: http://google.com/codesearch?hl=en&lr=&q=.*mysql_query%5C%28.*%5C%24_%28GET%7CPOST%29.*

- Cross-Site Scripting (XSS) in Java caused by echoing user supplied input without HTML encoding: http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%3D.*getParameter*

- Cross-Site Scripting (XSS) in PHP caused by echoing user supplied input without HTML encoding it: http://google.com/codesearch?hl=en&lr=&q=echo.*%5C%24_%28GET%7CPOST%29.*

See the resources below for more details and queries:

http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/

http://blogs.securiteam.com/index.php/archives/663

Google in my opinion is the most handy & the most powerfull hacking tool.Use it smartly