Bugle: Google Source Code Bug Finder

Bugle is a collection of search queries which can help to identify software security bugs in source code available on the web. The list at the moment is rather small (you get the idea though); hopefully people will start sending more queries. Source code review is not a straightforward operation: using the list you will get pointers, not definitive results.

To submit search queries click the button below or send an email to BUGLE [AT] with the search term, a small description and the programming language. Also drop an email if you find bugs using Bugle.


Buffer Overflows (15)

Simple Strcpy RegEx Lang:C
Generic BoF Lang:C
strecpy Lang:C
realpath Lang:C
getwd Lang:C
Umask – permissions Lang:C
Another Simple Strcpy Lang:C
Strncpy – Buffer Length Miscalculation Lang:C by Varun Uppal
argv Strcpy Lang:C
Generic Strcpy Lang:C by Daniel Crompton
Simple Strcpy Lang:C
Generic Sprintf Lang:C
Generic gets Lang:C
Generic Strcat Lang:C
Simple fscanf Lang:C

Integer Overflows (2)

atoi Lang:C
Generic Integer overflow If Statement Lang:C

Format String (9)

Printf ARGV Lang:C by Christer Oberg
Unsecure syslog() Lang:C by Nicolas Ruff
getenv Lang:C by anonymous
Simple vsprintf Lang:C
Simple vfprintf Lang:C
Simple snprintf Lang:C
Simple fprintf Lang:C
Simple printf Lang:C
Printf ARGV Lang:C by Christer Oberg

Command injection (6)

Execute command Lang:PHP by gemaglabin
Eval using Lang:PHP by gemaglabin
Generic injection Lang:ALL by Dmitry Chan
Unfiltered preg_replace parameters Lang:PHP by Ams
system() and argv Lang:C
popen() and argv Lang:C

Control Flow (1)

Switch no break/no default Lang:C

SQL Injection (9)

SQL Injection [request] Lang:ASP by Sergey V. Gordeychik
SQL Injection [GetParameter] Lang:JAVA by Stephen de Vries
Mysql_query Lang:PHP by gemaglabin
Sql Injection Lang:PHP by gemaglabin
Generic sql injection Lang:ALL by Dmitry Chan
SQL Injection Lang:JAVA by Stephen de Vries
SQL Injection ASP Lang:ASP by Sergey V. Gordeychik
Sql Injection WHERE clause Lang:PHP by ettee
SQL injection mysql_query() Lang:PHP by ettee

Cross Site Scripting (13)

PHP_SELF xss Lang:PHP by gemaglabin
PHP XSS (GET|POST) Lang:PHP by ettee
generic xss Lang:PERL by Dmitry Chan
ASP href injection Lang:ASP by Dmitry Chan
Generic xss Lang:ALL by Dmitry Chan
ASP XSS (Response Splitting) Lang:ASP by Sergey V. Gordeychik
ASP XSS (USER_AGENT) Lang:ASP by Sergey V. Gordeychik
ASP XSS (REFERER) Lang:ASP by Sergey V. Gordeychik
PHP XSS (COOKIE) Lang:PHP by Neftaly Hernandez
PHP XSS (POST) Lang:PHP by Neftaly Hernandez
PHP XSS (GET) Lang:PHP by Neftaly Hernandez
ASP XSS Lang:ASP by Ollie Whitehouse
XSS in Java Applications Lang:JAVA by ettee

Bad Practices (11)

PHP injection Lang:PHP by gemaglabin
HTTP Request smuggling Lang:PHP by gemaglabin
phpMyAdmin/ password Lang:PHP by ettee
Default passwords(config.php) Lang:PHP by ettee
PHP RFI vulns Lang:PHP
Off by one Lang:C by anonymous
CreateFileMapping NULL Security Lang:C by Ollie Whitehouse
CreateFileMapping NULL Security Lang:C++ by Ollie Whitehouse
Unsafe Keyword Lang:C# by Ollie Whitehouse
Option Explicit Off Lang:ASP by Philipp Lenssen
Default passwords(README.TXT) Lang:TXT by ettee

Suspicious comments (6)

Backdoor Lang:C
bug or hack etc Lang:ALL by Steve Beattie
Known Bugs Lang:C by 42Bastian
Fixme Lang:ALL
Dirty Hack Lang:C by Ollie Whitehouse
Dirty Hack Lang:C++ by Ollie Whitehouse

Race Condition (2)

Temporary file race condition Lang:C by Diomidis Spinellis
Access vulnerable to race condition Lang:C by Diomidis Spinellis

Logic-bombs, Trapdoors, Trojan Horses (1)

Time (00:00) Lang:ALL

The last section is for searching code, not comments. If you have suspicious comments that might indicate malicious behaviour, submit them in the “Suspicious comments” category.

Total Number of Queries: 75

Query Syntax

Normal Google engine
To specify the language, use the “filetype” tag provided by Google. For example, to search within C files use filetype:c, for Perl filetype:pl, and so on. After that you specify what you want to look for. For example, to look for a potential buffer overflow caused by strcpy you can use the query: “strcpy(*,argv[?])” filetype:c

Google Code Search
Google Code Search can do much more, for example regular expressions.
Use strcpy\(.*,argv\[.*\]\); lang:c to do the same thing as above.
Have a look at the RegExp Cheat Sheet and make your own recipes.
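
As an added example (not part of Bugle or the original page), the Python sketch below runs the Code Search pattern above over a constructed C snippet, the way you would check your own source tree, and compares it with a whitespace-tolerant variant that is an assumption of this example. It shows why the hits are pointers rather than findings: the page's pattern misses a call with a space after the comma and flags a line where argv belongs to a different call.

```python
import re

# Pattern exactly as given on the page for Google Code Search.
PAGE_PATTERN = re.compile(r"strcpy\(.*,argv\[.*\]\);")

# Assumed variant (not from the page): tolerates whitespace, keeps both
# arguments inside a single statement, and requires a word boundary.
TOLERANT_PATTERN = re.compile(
    r"\bstrcpy\s*\([^;]*,\s*argv\s*\[[^\]]*\]\s*\)\s*;"
)

# Constructed sample input, not real project code.
SAMPLE_C = """\
#include <string.h>
void log_args(int n, const char *s);
int main(int argc, char **argv) {
    char a[16], b[16];
    strcpy(a,argv[1]);
    strcpy(b, argv[2]);
    strcpy(a,b); log_args(argc,argv[0]);
    return 0;
}
"""


def scan(source, pattern):
    """Return the 1-based line numbers of source that match pattern."""
    return [
        number
        for number, line in enumerate(source.splitlines(), start=1)
        if pattern.search(line)
    ]


def compare(source):
    """Show where the page's pattern and the tolerant variant disagree."""
    page = set(scan(source, PAGE_PATTERN))
    tolerant = set(scan(source, TOLERANT_PATTERN))
    return {
        "missed_by_page": sorted(tolerant - page),  # real call, not flagged
        "page_only": sorted(page - tolerant),       # flagged, argv is elsewhere
    }


if __name__ == "__main__":
    print("page pattern hits:    ", scan(SAMPLE_C, PAGE_PATTERN))
    print("tolerant pattern hits:", scan(SAMPLE_C, TOLERANT_PATTERN))
    print(compare(SAMPLE_C))
```

Either pattern only locates candidate lines; whether the destination buffer can actually overflow still has to be confirmed by reading the code.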

“The rest is up to your imagination”

If you want to be more active you can click the alert icon next to a query and add a Google Alert. This way you will get new vulnerable source code for each query as soon as it becomes available.

Vim plugin
There is an experimental vim plugin/syntax at
with some of Bugle’s signatures.

News ref: eWeek, The Register

