Reviewing software for security bugs is a highly recommended best practice. There are various techniques for doing source code reviews, one of them being “static code analysis” which (in most cases) involves the use of a ‘grepping’ (pattern matching) tool along with a database of patterns that indicate potential security flaws. There are disadvantages to static code analysis: high rate of false positives and the inability to detect logic errors that may lead to security bugs. That said, static code analysis tools can be used to perform a quick first pass on the source code to detect bugs that can be easily identified by a grepping technique (”low hanging fruit”). Some of the free static code analyzers (security) are: Flawfinder, RATS, and SWAAT.

I’ve written about using Google to find security flaws in the past. However, thanks to Google Code Search, it is now easier to scan publicly available source code for potential security issues. The idea is query Google Code Search using techniques previously reserved for local static code analysis. Here are a few interesting queries:

- SQL Injection in Java caused by executing a dynamic SQL query with user supplied input: http://www.google.com/codesearch?hl=en&lr=&q=.*executeQuery.*getParameter.*

- SQL Injection in PHP caused by executing a dynamic SQL query with user supplied input: http://google.com/codesearch?hl=en&lr=&q=.*mysql_query%5C%28.*%5C%24_%28GET%7CPOST%29.*

- Cross-Site Scripting (XSS) in Java caused by echoing user supplied input without HTML encoding: http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%3D.*getParameter*

- Cross-Site Scripting (XSS) in PHP caused by echoing user supplied input without HTML encoding it: http://google.com/codesearch?hl=en&lr=&q=echo.*%5C%24_%28GET%7CPOST%29.*

See the resources below for more details and queries:

http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/

http://blogs.securiteam.com/index.php/archives/663