What could be better than Google Code Search for finding vulnerabilities? Look at MAMA. I bet you've never heard of it – I hadn't, until my buddy .mario pointed it out to me. It's (as of today) an internal tool that Opera uses to crawl the web and index the structure of the world's web pages (the markup itself, not just the words on the page), which is very different from Google's engine, which is strictly interested in text content.

Brian Wilson of the Opera team has said on their forums that a general public release is definitely the plan. What could you do with MAMA? Just off the top of my head: anything an application scanner could find without stateful context. Simple queries would produce a lot of noise, but they could be refined greatly by correlating conditions and keywords. Some quick thoughts (and who knows, maybe Johnny Long can already do a few of these with Google):

  • DOM-based XSS vulnerabilities
  • CSRF (POST forms without a hidden token of more than 20 bytes of seemingly random data)
  • CAPTCHA-less comment forms (hello targeted, optimized spam!)
  • hidden administration login pages (already kind of doable with Google)
  • clickjackable sites (absence of frame-breaking code)
  • interesting HTML comments (HACK, FIXME and TODO are usually good ones)
  • insecurely implemented postMessage() senders or listeners
  • insecure password policies
  • suspiciously named hidden fields
  • meta tags with misspelled charsets (for follow-up exploitation via content sniffing and UTF-7)

This would also be useful to security researchers who are asking browser vendors to kill off crazy API abuse. For example, my first question for MAMA is: does any legitimate site out there use <img src="javascript:…">? A tool like this could give browser vendors assurance that an API cleanup won't cause significant backward-compatibility breakage.
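As an added illustration, not code from the original post and not MAMA itself (which I have no access to), here is a small Python stand-in for the kind of structural queries in the list above, including the <img src="javascript:…"> question. It indexes the facets a markup-only crawler can see (forms and their hidden inputs, meta charsets, HTML comments, inline scripts, image sources) and runs heuristic queries over a few constructed sample pages. The heuristics are my assumptions, not MAMA's rules: the token-length threshold, the frame-busting regex, the suspicious-name word list, and Python's codecs alias table standing in for a browser's list of recognized charset labels.

```python
import codecs
import re
from html.parser import HTMLParser

# Constructed sample pages (not real sites, not MAMA data), one per scenario.
SAMPLES = {
    "login_no_token": (
        '<html><head><meta charset="uft-8"></head>\n'
        '<body><!-- TODO: add CSRF token --><form method="post" action="/login">\n'
        '<input type="hidden" name="is_admin" value="0">\n'
        '<input name="user"><input type="password" name="pw"></form></body></html>'
    ),
    "hardened": (
        '<html><head><meta charset="utf-8">\n'
        '<script>if (top !== self) top.location = self.location;</script></head>\n'
        '<body><form method="post" action="/login">\n'
        '<input type="hidden" name="csrf" value="d41d8cd98f00b204e9800998ecf8427e">\n'
        '<input name="user"></form></body></html>'
    ),
    "js_img": (
        '<html><body><img src="javascript:alert(1)">\n'
        '<script>window.addEventListener("message", function (e) { eval(e.data); });</script>\n'
        '</body></html>'
    ),
}

# Heuristics: assumptions made for this example, not MAMA's own query language.
TOKEN_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")  # ">20 bytes of random stuff"
SUSPICIOUS_NAME = re.compile(r"admin|role|price|debug|is_|auth", re.I)
COMMENT_MARKERS = re.compile(r"\b(HACK|FIXME|TODO)\b")
FRAME_BUSTER = re.compile(r"\btop\s*!==?\s*(?:self|window)\b|\btop\.location\s*=")
MESSAGE_LISTENER = re.compile(r"addEventListener\s*\(\s*[\"']message[\"']|\bonmessage\s*=")


class StructureIndex(HTMLParser):
    """Collects the structural facets a markup-only crawler can see."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"method": str, "inputs": [attr dicts]}]
        self.charsets = []
        self.comments = []
        self.scripts = []
        self.img_srcs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"method": a.get("method", "get").lower(), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a)
        elif tag == "meta":
            charset = a.get("charset")
            if charset is None and a.get("http-equiv", "").lower() == "content-type":
                m = re.search(r"charset=([\w-]+)", a.get("content", ""), re.I)
                charset = m.group(1) if m else None
            if charset:
                self.charsets.append(charset)
        elif tag == "img":
            self.img_srcs.append(a.get("src", ""))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

    def handle_comment(self, data):
        self.comments.append(data)


def looks_like_token(value):
    """CSRF-token heuristic: long, token-alphabet only, mixes letters and digits."""
    return (bool(TOKEN_CHARS.match(value))
            and any(c.isdigit() for c in value) and any(c.isalpha() for c in value))


def scan(html):
    """Return the set of structural findings for one page."""
    idx = StructureIndex()
    idx.feed(html)
    idx.close()
    found = set()
    for form in idx.forms:
        hidden = [i for i in form["inputs"] if i.get("type", "").lower() == "hidden"]
        if form["method"] == "post" and not any(looks_like_token(i.get("value", "")) for i in hidden):
            found.add("csrf_no_token")
        if any(SUSPICIOUS_NAME.search(i.get("name", "")) for i in hidden):
            found.add("suspicious_hidden_field")
    for charset in idx.charsets:
        try:
            codecs.lookup(charset)  # Python's alias table stands in for a browser's label list
        except LookupError:
            found.add("charset_misspelled")
    if any(COMMENT_MARKERS.search(c) for c in idx.comments):
        found.add("interesting_comment")
    js = "\n".join(idx.scripts)
    if not FRAME_BUSTER.search(js):
        found.add("no_frame_busting")
    if MESSAGE_LISTENER.search(js) and ".origin" not in js:
        found.add("postmessage_no_origin_check")
    if any(src.strip().lower().startswith("javascript:") for src in idx.img_srcs):
        found.add("img_javascript_src")
    return found


def query(pages, *findings):
    """MAMA-style query: ids of pages whose scan contains every named finding."""
    return sorted(pid for pid, html in pages.items() if set(findings) <= scan(html))


if __name__ == "__main__":
    for pid, html in SAMPLES.items():
        print(pid, sorted(scan(html)))
    print("img javascript: sources:", query(SAMPLES, "img_javascript_src"))
    print("clickjackable AND no CSRF token:", query(SAMPLES, "no_frame_busting", "csrf_no_token"))
```

Two caveats a practitioner will hit immediately. A markup index never sees HTTP response headers, so a site that defends against framing with headers rather than script still matches the no-frame-busting query, and a hidden field that merely looks random passes the CSRF check whether or not the server verifies it; that is the noise the post warns about, which is why query() takes several findings and requires all of them, so conditions can be correlated before anyone goes looking.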

I can't wait to hear more about this project, which has not, as far as I can tell, been released to the public. In the meantime, check out Brian's list of articles that hint at the power this thing could give the unscrupulous. They should make you pass a breathalyzer before using that thing.