Web Application 0-Day

Discovering Vulnerabilities with Google CodeSearch

By Jon Rose

Common Web Application Vulnerabilities

  • SQL Injection
  • Cross-Site Scripting
  • Handling Sensitive Data
  • Hard-Coded Passwords
  • Filesystem Interaction

Google Labs Code Search

  • Public Source Code
  • Regex Searches

Web Application Vulnerability Search through Google Code Search


Google it!

SQL Injection

Insecure use of string building techniques

  • Dynamic SQL
  • Parameterized Queries
  • Stored Procedures

SQL Injection Example


// Vulnerable: request parameters are concatenated straight into the SQL text
String query = "SELECT uid FROM users"
    + " WHERE email = '" + request.getParameter("email") + "'"
    + " AND pass = '" + request.getParameter("pass") + "'";

SQL Injection Example

https://url.com/login.jsp?email=' or 1=1--&pass=Ali3n

SELECT uid FROM users
WHERE email = '' or 1=1--'
AND pass = 'Ali3n';

SQL Injection Code Search

SQL Injection Impact

  • Access to database records
  • Privilege escalation
  • Access to various application tiers
  • Bypass business logic

SQL Injection Recommendations

  • Perform strict input validation
  • Do not employ string building for queries
  • Use parameterized queries or stored procedures
  • Use a low privileged database account
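The login query from the example above and the recommendations in this list, as an added example (not from the original slides): the string-built query is run against a constructed in-memory SQLite table alongside its parameterized form, so the `' or 1=1--` bypass can be observed on one and not the other. Function names, the table contents and the email regex are assumptions made for this demonstration.

```python
import re
import sqlite3

# Constructed sample data: one account in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, email TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 's3cret')")
    conn.commit()
    return conn

def login_string_built(conn, email, pass_):
    """Mirrors the slide's query: user text is spliced into the SQL itself,
    so a quote followed by `or 1=1--` rewrites the WHERE clause."""
    query = ("SELECT uid FROM users WHERE email = '" + email
             + "' AND pass = '" + pass_ + "'")
    return [row[0] for row in conn.execute(query).fetchall()]

def login_parameterized(conn, email, pass_):
    """Hardened form: placeholders bind the input as data; the database
    never re-parses it as SQL, so the same input simply matches nothing."""
    query = "SELECT uid FROM users WHERE email = ? AND pass = ?"
    return [row[0] for row in conn.execute(query, (email, pass_)).fetchall()]

# Strict input validation (allow-list): reject anything that is not shaped
# like an e-mail address before it reaches the query at all.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_valid_email(value):
    return EMAIL_RE.fullmatch(value) is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("string-built :", login_string_built(db, payload, "Ali3n"))   # [1]
    print("parameterized:", login_parameterized(db, payload, "Ali3n"))  # []
    print("validated    :", is_valid_email(payload))                    # False
```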

Cross-Site Scripting (XSS)

Redisplaying User-Supplied Input

  • HTML
  • JavaScript
  • ActiveX
  • VBScript
  • Flash

Cross-Site Scripting Example


User-supplied value stored as HTML hidden input:

<input type=hidden name=lang

Cross-Site Scripting Example

https://mysite.com/home.asp?lang="><script>EVIL JAVASCRIPT</script>

Users can modify the HTML code:

<input type=hidden name=lang
value=""><script>EVIL JAVASCRIPT</script>">

Cross-Site Scripting Code Search

Cross-Site Scripting Impact

Cross-Site Scripting Recommendations

Handling Sensitive Data

Things I've seen exposed in files, logs, and databases:

  • Credit Card Data
  • Usernames and Passwords
  • Social Security Numbers
  • Personal Identifiable Information (PII)

Handling Sensitive Data Code Search

Insecure Logging

Database Storage

Handling Sensitive Data Impact

Handling Sensitive Data Recommendations

Hard-Coded Passwords

Passwords found in code or config files:

  • Databases
  • LDAP Servers
  • Web Services
  • Network Proxies
  • Other Systems

Hard-Coded Passwords Code Search

Hard-Coded Passwords Impact

Hard-Coded Passwords Recommendations

Filesystem Interaction

Security holes often appear when:

  • Opening files
  • Writing files
  • Uploading files
  • Downloading files

Filesystem Interaction Example

Set fso = CreateObject("Scripting.FileSystemObject")
Set a = fso.OpenTextFile(request.querystring("file"))
data = a.ReadAll
response.write "<h1>" & data & "</h1>"

Filesystem Interaction Code Search

Filesystem Interaction Impact

Filesystem Interaction Recommendations

Other Fun Searches

  • Weak encryption
  • Remote command injection
  • XPath/LDAP injection
  • Buffer overflows
  • Format string vulnerabilities
  • /* FIXME */

Next Steps

Questions or Comments?

Thank You!

Contact Info:

Jon Rose