Bugle
Google Source Code Bug Finder
Bugle
is a collection of search queries which can help to identify software security bugs in source code available on the web. The list at the moment is rather small (you get the idea though), hopefully people will start sending more queries. Source code review is not a straight forward operation , using the list you will get pinpoints and not definite results.
To submit search queries click the button below or sent an email to BUGLE [AT] cipher.org.uk with the search term, small description and programming language. Also drop an email if you find bugs using bugle.
Google Alert = 
, Description = 
, Possible bug = 
, CodeSearch = 
, SimpleSearch = 
Buffer Overflows (15)
| Simple Strcpy RegEx |
|
Lang:C | ||
| Generic BoF |
|
Lang:C | ||
| strecpy |
|
Lang:C | |
|
| realpath |
|
Lang:C | |
|
| getwd |
|
Lang:C | |
|
| Umask - permssions |
|
Lang:C | |
|
| Another Simple Strcpy |
|
Lang:C | ||
| Strncpy - Buffer Length Miscalculation |
|
Lang:C | |
by Varun Uppal |
| argv Strcpy |
|
Lang:C | ||
| Generic Strcpy |
|
Lang:C | |
by Daniel Crompton |
| Simple Strcpy |
|
Lang:C | ||
| Generic Sprintf |
|
Lang:C | ||
| Generic gets |
|
Lang:C | ||
| Generic Strcat |
|
Lang:C | ||
| Simple fscanf |
|
Lang:C |
Integer Overflows (2)
| atoi |
|
Lang:C | |
|
| Generic Integer overflow If Statement |
|
Lang:C |
Format String (9)
| Printf ARGV |
|
Lang:C | by Christer berg | |
| Unsecure syslog() |
|
Lang:C | by Nicolas Ruff | |
| getenv |
|
Lang:C | by anonymous | |
| Simple vsprintf |
|
Lang:C | ||
| Simple vfprintf |
|
Lang:C | ||
| Simple snprintf |
|
Lang:C | ||
| Simple fprintf |
|
Lang:C | ||
| Simple printf |
|
Lang:C | ||
| Printf ARGV |
|
Lang:C | by Christer Oberg |
Command injection (6)
| Execute command |
|
Lang:PHP | |
by gemaglabin |
| Eval using |
|
Lang:PHP | |
by gemaglabin |
| Generic injection |
|
Lang:ALL | |
by Dmitry Chan |
| Unfiltered preg_replace parameters |
|
Lang:PHP | |
by Ams |
| system() and argv |
|
Lang:C | ||
| popen() and argv |
|
Lang:C |
Control Flow (1)
| Switch no break/no default |
|
Lang:C |
SQL Injection (9)
| SQL Injection [request] |
|
Lang:ASP | |
by Sergey V. Gordeychik |
| SQL Injection [GetParameter] |
|
Lang:JAVA | |
by Stephen de Vries |
| Mysql_query |
|
Lang:PHP | |
by gemaglabin |
| Sql Injection |
|
Lang:PHP | by gemaglabin | |
| Generic sql injection |
|
Lang:ALL | |
by Dmitry Chan |
| SQL Injection |
|
Lang:JAVA | |
by Stephen de Vries |
| SQL Injection ASP |
|
Lang:ASP | |
by Sergey V. Gordeychik |
| Sql Injection WHERE clause |
|
Lang:PHP | by ettee | |
| SQL injection mysql_query() |
|
Lang:PHP | by ettee |
Cross Site Scripting (13)
| PHP_SELF xss |
|
Lang:PHP | |
by gemaglabin |
| PHP XSS (GET|POST) |
|
Lang:PHP | by ettee | |
| generic xss |
|
Lang:PERL | |
by Dmitry Chan |
| ASP href injection |
|
Lang:ASP | |
by Dmitry Chan |
| Generic xss |
|
Lang:ALL | |
by Dmitry Chan |
| ASP XSS (Response Splitting ) |
|
Lang:ASP | |
by Sergey V. Gordeychik |
| ASP XSS (USER_AGENT) |
|
Lang:ASP | |
by Sergey V. Gordeychik |
| ASP XSS (REFERER) |
|
Lang:ASP | |
by Sergey V. Gordeychik |
| PHP XSS (COOKIE) |
|
Lang:PHP | |
by Neftaly Hernandez |
| PHP XSS (POST) |
|
Lang:PHP | |
by Neftaly Hernandez |
| PHP XSS (GET) |
|
Lang:PHP | |
by Neftaly Hernandez |
| ASP XSS |
|
Lang:ASP | |
by Ollie Whitehouse |
| XSS in Java Applications |
|
Lang:JAVA | by ettee |
Bad Practices (11)
| PHP injection |
|
Lang:PHP | |
by gemaglabin |
| HTTP Request smuggling |
|
Lang:PHP | |
by gemaglabin |
| phpMyAdmin/config.inc.php password |
|
Lang:PHP | by ettee | |
| Default passwords(config.php) |
|
Lang:PHP | by ettee | |
| PHP RFI vulns |
|
Lang:PHP | ||
| Off by one |
|
Lang:C | by anonymous | |
| CreateFileMapping NULL Security |
|
Lang:C | |
by Ollie Whitehouse |
| CreateFileMapping NULL Security |
|
Lang:C++ | |
by Ollie Whitehouse |
| Unsafe Keyword |
|
Lang:C# | |
by Ollie Whitehouse |
| Option Explicit Off |
|
Lang:ASP | by Philipp Lenssen | |
| Default passwords(README.TXT) |
|
Lang:TXT | by ettee |
Suspicious comments (6)
| Backdoor |
|
Lang:C | ||
| bug or hack etc |
|
Lang:ALL | by Steve Beattie | |
| Known Bugs |
|
Lang:C | |
by 42Bastian |
| Fixme |
|
Lang:ALL | ||
| Dirty Hack |
|
Lang:C | by Ollie Whitehouse | |
| Dirty Hack |
|
Lang:C++ | by Ollie Whitehouse |
Race Condition (2)
| Temporary file race condition |
|
Lang:C | by Diomidis Spinellis | |
| Access vulnerable to race condition |
|
Lang:C | by Diomidis Spinellis |
Logic-bombs, Trapdoors, Trojan Horses (1)
| Time (00:00) |
|
Lang:ALL |
The last section is for searching code and not searching comments, if you have suspicous comments that might indicate malicious behaviour submit them in the "Suspicious comments" category.
Total Number of Queries :75
Query Syntax
Normal google engine
To specify language you need to use the "filetype" tag provided by google. For example to search within C files
you use filetype:c for perl filetype:pl and so on. After that you specify what you want to look for , for example
to look for a potential buffer overflow resulted by strcpy you can use as query : "strcpy(*,argv[?])" filetype:c .
Google Code Search
Google code search can do much more , for example regular expressions.
strcpy\(.*,argv\[.*\]\); lang:c to do the same thing as above.
Have a look at the RegExp Cheat Sheet and make your own recipes.
"The rest is up to your imagination"
Alerts
If you want to be more active you can click the alert () icon next to a query and add a Google Alert. This way you will get new vulnerable source code for each query as soon as it becomes available.
Vim plugin
There is an experimental vim plugin/syntax at
http://www.vim.org/scripts/script.php?script_id=1734 with some of of Bugle's signatures.
News ref :eWeek,The Register