Full Disclosure mailing list archives

Insecurity Stats via Google Code Search


From: Gadi Evron <ge () linuxbox org>
Date: Sun, 8 Oct 2006 03:21:39 -0500 (CDT)

This isn't terribly shocking, and seems rather preliminary. Still,
very interesting.

Jose Nazario worked out some numbers using the Google code search.

http://monkey.org/~jose/blog/viewpage.php?page=google_code_search_stats

Interesting quotes:

some stats based on simple queries used to find bugs (ie based on some
reasonable regular expressions):

    * strcpy from argv[x]: about 7,000
    * strcat from argv[x]: about 1,000
    * PHP-based remote file include vulns: 117 or so using GET, 100 or so
      for POST
    * PHP-based SQL injection vulns:
          o SELECT: about 600 using GET, about 500 using POST vars
          o UPDATE: about 200 using GET, about 400 using POST vars
          o DELETE: about 300 using GET, about 300 using POST vars
    * PHP-based XSS vulns (it is the summer of file include, SQL injection
      and XSS on bugtraq): about 2700
          o about 200 based on the info sent outside of the POST vars or
            the URL requested (ie User-Agent fun)
          o an additional 100 based on COOKIE variables ...
    * *printf-based buffer overflows? about 202,000 possible, hopefully
      less!
    * about 50 format string vulns revealed
    * off-by-ones (as pointed out by aaron@)? about 300.
    * CreateFileMapping NULL Security (using Ollie's idea but adjusted for
      google codesearch): about 400

I also keep updating every search pattern I find, here:
http://blogs.securiteam.com/index.php/archives/663

        Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
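
Added example, not part of the original post or of the linked blog: a small audit script for your own source tree that shows why pattern-based counts like "strcpy from argv[x]" are only "possible" bugs until triaged. The two regular expressions and the C sample are constructed for illustration; the post does not give the actual queries.

```python
import re

# Hypothetical patterns (assumption: the post does not list the real queries).
# Each flags an unbounded copy/append whose source is a literal argv[...] element.
PATTERNS = {
    "strcpy-argv": re.compile(r"\bstrcpy\s*\(\s*[^,()]+,\s*argv\s*\[[^\]]+\]\s*\)"),
    "strcat-argv": re.compile(r"\bstrcat\s*\(\s*[^,()]+,\s*argv\s*\[[^\]]+\]\s*\)"),
}

# Constructed sample input: one C file containing true hits, a miss and a
# false positive, so the limits of line-based matching are visible.
SAMPLE = '''\
#include <string.h>
int main(int argc, char **argv) {
    char buf[64], path[128] = "/tmp/";
    strcpy(buf, argv[1]);            /* unbounded copy: flagged */
    strcat(path, argv[2]);           /* unbounded append: flagged */
    strncpy(buf, argv[1], sizeof buf - 1);  /* bounded: not flagged */
    char *p = argv[3];
    strcpy(buf, p);                  /* same bug via alias: missed */
    /* strcpy(buf, argv[1]); */      /* dead code: still flagged */
    return 0;
}
'''

def scan(source):
    """Return (line number, pattern name, stripped line) for every match."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings

def tally(findings):
    """Count hits per pattern, the same kind of figure the post reports."""
    counts = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for lineno, name, text in hits:
        print(f"{lineno}: {name}: {text}")
    print(tally(hits))
```

The tally reports three hits, but one is commented-out code and a fourth real overflow (through the alias p) is not counted, so each hit needs manual review before it is called a vulnerability.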

