me, 2.0: jose nazario
beauty and the street
insecurity stats via google codesearch
some closing thoughts on google codesearch for today, after i tried some more security bug-class specific queries. this is just based on the "1-10 of about N" count google reports. note that the index covers a lot of older versions of software (but plenty of people still run them).
some stats based on simple queries used to find bugs (i.e. based on some reasonable regular expressions). this is by no means scientific; i think these are only ballpark figures. factors that are not accounted for include old versions that get indexed, how variables are passed and scrubbed, uses that are actually guarded and safe, and the like.
- strcpy from argv[x]: about 7,000
- strcat from argv[x]: about 1,000
- PHP-based remote file include vulns: 117 or so using GET, 100 or so using POST
- PHP-based SQL injection vulns:
  - SELECT: about 600 using GET, about 500 using POST vars
  - UPDATE: about 200 using GET, about 400 using POST vars
  - DELETE: about 300 using GET, about 300 using POST vars
- PHP-based XSS vulns (it is the summer of file include, SQL injection and XSS on bugtraq): about 2,700
  - about 200 based on info sent outside the POST vars or the requested URL (i.e. User-Agent fun)
  - an additional 100 based on COOKIE variables ...
- *printf-based buffer overflows? about 202,000 possible, hopefully less!
- about 50 format string vulns revealed
- off-by-ones (as pointed out by aaron@)? about 300
- CreateFileMapping NULL security (using Ollie's idea but adjusted for google codesearch): about 400
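to make the "strcpy from argv[x]" count and the "actually guarded, safe uses" caveat concrete, here is an added example (mine, not from the original post or from google): two ways of copying a command-line argument into a fixed buffer. the first still contains a literal strcpy(..., argv[...]) that a text search would count, but a length check makes it safe; the second avoids strcpy entirely and detects truncation. the function names and the 32-byte buffer size are my own choices.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32  /* assumed buffer size for the demo */

/* Guarded use of strcpy: the length check makes this copy safe, yet a plain
 * text search for "strcpy(" next to "argv[" would still count it (one of the
 * false positives the post warns about). Returns 1 if the argument was copied,
 * 0 if it would not fit (dst is set to "" in that case). */
int copy_arg_guarded(char *dst, size_t dstlen, const char *arg) {
    if (dstlen == 0)
        return 0;
    if (strlen(arg) >= dstlen) {   /* need room for the terminating NUL */
        dst[0] = '\0';
        return 0;
    }
    strcpy(dst, arg);              /* safe: strlen(arg) < dstlen was verified */
    return 1;
}

/* Bounded alternative with no strcpy at all: snprintf always NUL-terminates
 * within dstlen and returns the length it wanted to write, so truncation is
 * detectable instead of silently overrunning the buffer.
 * Returns 1 if the whole argument fit, 0 if it was truncated. */
int copy_arg_bounded(char *dst, size_t dstlen, const char *arg) {
    int wanted = snprintf(dst, dstlen, "%s", arg);
    return wanted >= 0 && (size_t)wanted < dstlen;
}

int main(int argc, char **argv) {
    char name[NAME_LEN];
    const char *arg = argc > 1 ? argv[1] : "default";  /* constructed fallback */

    if (!copy_arg_guarded(name, sizeof name, arg)) {
        fprintf(stderr, "argument too long (%zu bytes, max %d)\n",
                strlen(arg), NAME_LEN - 1);
        return 1;
    }
    printf("hello, %s\n", name);
    return 0;
}
```

the point for anyone reproducing the counts: a regex over the source text sees both the guarded and the unguarded form as the same hit, so the raw "about 7,000" is an upper bound on real bugs, not a tally of them.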
if you're feeling like you need to make some waves on bugtraq, have fun. now you can see why
i hacked on this for the past couple of days. it's addictive :)
i leave the bulk of the regular expression generation up to you.
Last modified: Saturday, Oct 07, 2006 @ 09:34pm
copyright © 2002-2005 jose nazario, all rights reserved.