Fall behind and someone will always beat you to the punch! Gadi Evron posted an entry over at Securiteam on the topic of using Google’s Codesearch to find vulns. Since he and others are writing about this, I don’t have to! However, I’ll post a few more thoughts before anyone else does, maybe!
First, we have this great ability to (ab)use Google’s Codesearch to find vulnerabilities through fast code analysis: a regular expression over a huge body of indexed source returns candidate dangerous constructs in seconds. Is this a fun but very short fad? Or will we see people use it to disclose vulnerabilities and give credit to the method? Will it lead to a lot of false positives, like we’re seeing with remote file inclusion? Several ‘researchers’ are grepping for a single string (an include() or require() whose argument is a variable), finding it, and posting it as a remote file inclusion vulnerability without analyzing whether that variable is actually controlled by the user, or testing their own “proof of concept”. Hopefully researchers will use this new tool not only to find vulnerabilities, but to truly validate their findings before disclosing.
Second, who is going to be the first to create an interface that smoothly links Google Codesearch with a robust static code analyzer? Imagine a web interface where you choose a few key things like the language and the types of vulnerabilities you care about, click a couple of times, and get all the results. The program would then pipe the Codesearch hits into the code analyzer, which does the data-flow work the grep can’t (where does the variable come from, is it checked before use), and spit out a list of high-probability vulnerabilities instead of a list of matching strings.
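The two-stage pipeline sketched above, as an added example that is not part of the original post or of any tool mentioned in it. Google Codesearch is no longer available, so the “search hits” are a handful of constructed PHP snippets embedded in the script (hypothetical file names, not real projects). Stage one reproduces the single-string grep that produces the RFI false positives described above; stage two does the minimal validation a researcher should do before disclosing: trace whether the included variable is assigned from $_GET/$_POST/$_REQUEST/$_COOKIE and whether an allow-list style check sits between that assignment and the include. The guard detection is deliberately crude (a fixed list of function names) and is an assumption of this example, not a substitute for a real analyzer.

```python
"""Two-stage remote-file-inclusion (RFI) triage over PHP snippets.

Added example, not code from the original post. Stage 1 mimics the
one-string Codesearch grep; stage 2 is the validation step the post
asks for, run over constructed sample "hits".
"""
import re

# Constructed sample "search results": (hypothetical filename, PHP source).
SNIPPETS = {
    "vuln.php": """<?php
$page = $_GET['page'];
include($page . '.php');
""",
    "safe_allowlist.php": """<?php
$page = $_GET['page'];
if (!in_array($page, array('home', 'about'))) { die('bad page'); }
include($page . '.php');
""",
    "safe_constant.php": """<?php
$page = 'header';
include($page . '.php');
""",
    "no_include.php": """<?php
echo htmlspecialchars($_GET['q']);
""",
}

# Stage-1 pattern: include/require (optionally _once) taking a variable.
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)')
# Superglobals that carry attacker-controlled input.
USER_INPUT = ('$_GET', '$_POST', '$_REQUEST', '$_COOKIE')
# Assumed allow-list / validation idioms; a real analyzer would model these.
GUARDS = ('in_array', 'basename', 'preg_match', 'switch', 'array_key_exists')


def grep_stage(src):
    """Stage 1: names of variables passed straight to include/require."""
    return INCLUDE_RE.findall(src)


def analyze_stage(src, var):
    """Stage 2: classify one grep hit as 'confirmed', 'guarded' or 'fp'.

    'fp'        - the variable is never assigned from user input before
                  the include (e.g. a constant), so the grep hit is noise.
    'guarded'   - tainted, but a known validation idiom appears between
                  the tainted assignment and the include.
    'confirmed' - tainted and no guard seen: worth a manual look and a
                  real proof of concept before anyone posts it.
    """
    inc = re.search(
        r'\b(?:include|require)(?:_once)?\s*\(?\s*\$' + re.escape(var), src)
    inc_pos = inc.start()
    # Assignments to the variable; "=(?!=)" avoids matching comparisons.
    assign_re = re.compile(r'\$' + re.escape(var) + r'\s*=(?!=)\s*([^;]+);')
    tainted_end = None
    for m in assign_re.finditer(src):
        if m.start() < inc_pos and any(s in m.group(1) for s in USER_INPUT):
            tainted_end = m.end()
    if tainted_end is None:
        return 'fp'
    between = src[tainted_end:inc_pos]
    if any(g in between for g in GUARDS):
        return 'guarded'
    return 'confirmed'


def triage(snippets):
    """Run both stages; return {filename: [(variable, verdict), ...]}."""
    report = {}
    for name, src in snippets.items():
        report[name] = [(v, analyze_stage(src, v)) for v in grep_stage(src)]
    return report


if __name__ == "__main__":
    for name, findings in triage(SNIPPETS).items():
        grep_only = [v for v, _ in findings]
        print(f"{name}: grep hits={grep_only} verdicts={findings}")
```

Run as-is, the grep stage flags three of the four files; the analysis stage keeps only vuln.php as a candidate worth confirming, marks safe_allowlist.php as guarded, and discards safe_constant.php as the kind of false positive the post complains about.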
Some of these ideas courtesy of email discussions with Chris Wysopal, Mudge and others.
jericho Says:
October 17th, 2006 at 4:26 pm
Seems people are using this to find remote file inclusion (RFI) issues.
http://www.milw0rm.com/exploits/2503
# Using http://www.google.com/codesearch
# Few examples about what we can do with a code search engine
# For educational purpose only.
I have also commented recently (but I don’t recall if it was public or in e-mail) about RFI vulnerabilities becoming the next great thing. We’re seeing more and more disclosed, and as stated previously on the blog, many are still coming up as false positives. Now, to aid in finding these we have presumably one of the first RFI specific scanners:
October 30th, 2006 at 1:18 am
I’m kind of ‘on the fence’ with this one. I believe the potential for false positives is definitely there. People may be quick to simply look for strcpy or other insecure functions and just make quick assumptions that security issues exist within the given code set without truly verifying. I also believe the tool can be used in a valid context to find and research issues within code. We all know that having more than one set of eyes on something usually helps us find flaws, so perhaps this could be a good thing as well? Just a few late-night thoughts from the middle of the corn field, IA.. ugh.. I’m ready to go back to Denver!