title WebLog #535 Topic: 2007-02-01 02.13.01 matt: more bug finding with google code search
user matt

Some javascript-oriented regexps to help find cross-site scripting bugs.

/more

We had an XSS bug we found as part of our developer testing. As part of fixing it, /link http://urbandictionary.com Aaron Peckham and I came up with a regexp to see if there were any other places we needed to fix. We came up with these two (the latter only works in perl, not in IntelliJ):

/pre(
\.innerHTML\s+=\s+[^'"]
/pre)

/pre(
!/escapeHTML|strip|toHTML/
/pre)

When combined (impossible to do in Google Code Search as of 1/31), they give pretty good results for places to start looking for XSS bugs: an innerHTML assignment whose right-hand side is not a string literal, on a line that never calls one of the escaping helpers.

Another fun one for java and javascript I came up with based upon a findbugs true-positive I ran into a few months ago:

/pre(
indexOf.*\)\s+>\s+0
/pre)

It's a common bug to check for >0 instead of >=0 from indexOf: indexOf returns 0 when the match sits at the very start of the string, so >0 silently treats that case as "not found". About 10% of the time, it's intentional. Usually, it's not. This isn't exploitable (AFAIK), but it's still a cause of functional bugs that should be fixed.

Google Code Search *still* doesn't support multi-line matching or lookahead/lookbehind, which is really necessary for the bug-finding capabilities to be taken to the next step. Of course, on your own private code you can just make a perl script and do something like:

/pre(
find . -name "*.js" | xargs perl checkcode.pl
/pre)

If anyone has improvements upon these regexps or the /link 750 previous ones , please let me know and I'll post an update!

/dis
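As an added example (not code from the post, and not the author's checkcode.pl, which the post doesn't show), here is a Python stand-in that applies the post's regexps line by line and combines the two innerHTML ones the way Google Code Search couldn't. The sample JavaScript lines and the escapeHTML/strip/toHTML helper names are constructed for the demo.

```python
"""Added example: a small Python stand-in for the post's perl checkcode.pl,
applying its regexps line by line. Sample lines are constructed here."""
import re
import sys

# Regexp 1 from the post: innerHTML assigned something other than a string literal.
INNERHTML_ASSIGN = re.compile(r'\.innerHTML\s+=\s+[^\'"]')
# Regexp 2 from the post, used as a negated match: no escaping helper on the line.
ESCAPE_HELPER = re.compile(r'escapeHTML|strip|toHTML')
# The indexOf regexp from the post: ") > 0" after an indexOf call (should be >= 0).
INDEXOF_GT_ZERO = re.compile(r'indexOf.*\)\s+>\s+0')


def scan_lines(lines, name="<input>"):
    """Return (name, line_no, rule, line) tuples for each suspicious line."""
    findings = []
    for no, line in enumerate(lines, 1):
        # Both innerHTML regexps combined: assignment present, helper absent.
        if INNERHTML_ASSIGN.search(line) and not ESCAPE_HELPER.search(line):
            findings.append((name, no, "innerHTML-unescaped", line.strip()))
        if INDEXOF_GT_ZERO.search(line):
            findings.append((name, no, "indexOf-gt-zero", line.strip()))
    return findings


# Constructed sample JavaScript: two true positives, four lines the rules skip.
SAMPLE_JS = """\
el.innerHTML = '<b>static</b>';
el.innerHTML = escapeHTML(user.name);
el.innerHTML = user.name;
box.innerHTML = data.toHTML();
if (s.indexOf('http') > 0) { go(s); }
if (s.indexOf('http') >= 0) { go(s); }
""".splitlines()

if __name__ == "__main__":
    # With no arguments scan the embedded sample; otherwise scan the given files,
    # e.g. find . -name "*.js" | xargs python checkcode.py
    paths = sys.argv[1:]
    hits = scan_lines(SAMPLE_JS, "sample.js") if not paths else []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as f:
            hits += scan_lines(f.read().splitlines(), p)
    for name, no, rule, text in hits:
        print(f"{name}:{no}: {rule}: {text}")
```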