web application security lab

Google Dorks Strike Again

Stephen de Vries came up with a few interesting Google dorks today that I thought would be worth checking out. These specifically target XSS and SQL injection. It’s interesting because “all the world’s information” really does help, so to speak, to find large-scale attacks across the internet. Being able to query all the source code in the world means being able to run a massive (poor man’s) security audit across all available source code. This really opens the doors for large-scale distributed attacks.

Google’s code search provides an easy way to find obvious software flaws in open source and example applications, e.g.:


XSS in Java apps
http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%3D.*getParameter&btnG=Search


(Really obvious) SQL Injection in Java apps:
http://www.google.com/codesearch?hl=en&lr=&q=executeQuery.*getParameter&btnG=Search


Ever wonder why we’re still seeing XSS in 2006?:
http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%3D.*getParameter+package%3A%28oreilly%7Capress.com%29&btnG=Search

Of course this is a super simple list and only affects one language, but you get the idea. Funnily enough, this isn’t too far off from how some white box source code scanners work. The better ones attempt to traverse the logic, but in a pinch this is pretty close to how it’s done. I remember finding several dozen privilege escalation and local exec holes in one Perl application I audited using almost the exact same methods.
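The same line matching, run over source you own instead of a search index, as an added example that is not part of the original post. The two patterns are the URL-decoded queries above; the sample files, rule names and the `follow_vars` option are constructed for illustration, and `follow_vars` is a deliberately crude stand-in for "traversing the logic".

```python
import re

# Line patterns decoded from the code-search queries quoted in the post.
RULES = {
    "xss-jsp-echo": re.compile(r"<%=.*getParameter"),
    "sqli-concat": re.compile(r"executeQuery.*getParameter"),
}
# Sketch-level assumptions: a variable assigned from getParameter() is
# tainted, and executeQuery(...) is the only sink.
ASSIGN = re.compile(r"(\w+)\s*=\s*[^=].*getParameter")
SINK = re.compile(r"executeQuery\((.*)\)")

# Constructed sample sources, not taken from any real project.
SAMPLES = {
    "hello.jsp": (
        'Hello <%= request.getParameter("name") %>\n'
        'Hello <%= escapeHtml(request.getParameter("name")) %>\n'
    ),
    "Dao.java": (
        'rs = st.executeQuery("SELECT * FROM u WHERE id=" + req.getParameter("id"));\n'
        'String id = req.getParameter("id");\n'
        'rs = st.executeQuery("SELECT * FROM u WHERE id=" + id);\n'
    ),
}

def scan(sources, follow_vars=False):
    """Return (file, line_no, rule) findings; follow_vars adds one-hop taint."""
    findings = []
    for name, text in sorted(sources.items()):
        tainted = set()
        for no, line in enumerate(text.splitlines(), 1):
            for rule, pat in RULES.items():
                if pat.search(line):
                    findings.append((name, no, rule))
            sink = SINK.search(line)
            if follow_vars and sink:
                # Drop string literals so "id=" inside SQL text is ignored.
                args = re.sub(r'"[^"]*"', "", sink.group(1))
                if tainted & set(re.findall(r"\w+", args)):
                    findings.append((name, no, "sqli-tainted-var"))
            assigned = ASSIGN.search(line)
            if assigned:
                tainted.add(assigned.group(1))
    return findings
```

With `follow_vars=False` the scan misses line 3 of `Dao.java`, where the parameter reaches the query through a variable, and in both modes it flags the already-escaped line 2 of `hello.jsp`.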

One Response to “Google Dorks Strike Again”

  1. Kispad Says:

    Rummaging through code…

    Google released its code search service in the last few days, and even if it is not entirely new (Krugle, for example, has been around for a while), it is at least entertaining to rummage through other people's quasi-private lives as programmers. InSay the message…