WebApp Sec mailing list archives

Re: Google code search

From: "Ryan Barnett" <rcbarnett () gmail com>
Date: Thu, 5 Oct 2006 08:55:51 -0400

Thumbs Up for Google labs.
Thumbs Down for poor security coding.

This looks somewhat similar to Bugle -
http://www.cipher.org.uk/index.php?p=projects/bugle.project

Nice find Stephen.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


On 10/5/06, Stephen de Vries <stephen () corsaire com> wrote:


Google's code search provides an easy way to find obvious software
flaws in open source and example applications, e.g.:

XSS in Java apps
http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%
3D.*getParameter&btnG=Search

(Really obvious) SQL Injection in Java apps:
http://www.google.com/codesearch?
hl=en&lr=&q=executeQuery.*getParameter&btnG=Search

Ever wonder why we're still seeing XSS in 2006?:
http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%3D.*getParameter
+package%3A%28oreilly%7Capress.com%29&btnG=Search


--
Stephen de Vries
Corsaire Ltd
E-mail: stephen () corsaire com
Tel:    +44 1483 226014
Fax:    +44 1483 226068
Web:    http://www.corsaire.com





-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to
use AppScan in client engagements. AppScan is the leading Web application
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants touse AppScan in client engagements. AppScan is the leading Web applicationassessment tool. Want to see it for yourself? Take a look today!


https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------

Current thread:

Google code search Stephen de Vries (Oct 04)
- Re: Google code search Zapotek (Oct 05)
- Re: Google code search Ryan Barnett (Oct 05)
- Magic Quotes DokFLeed (Oct 09)
  - Message not available
    - Re: Magic Quotes DokFLeed (Oct 10)
  - Re: Magic Quotes Tomek Perlak (Oct 10)
    - RE: Magic Quotes Matt Fisher (Oct 11)
  - Re: Magic Quotes Steve Slater (Oct 11)
    - Re: Magic Quotes DokFLeed (Oct 15)
    - Re: Magic Quotes Brad Lhotsky (Oct 16)
    - Message not available
    - Re: Magic Quotes DokFLeed (Oct 17)
    - Re: Magic Quotes Brad Lhotsky (Oct 17)
    - Re: Magic Quotes DokFLeed (Oct 17)