hacktricks/network-services-pentesting/pentesting-web/code-review-tools.md

217 lines
11 KiB
Markdown
Raw Normal View History

2022-05-07 10:35:17 +00:00
# Code Review Tools
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2023-04-25 18:35:28 +00:00
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2022-04-28 16:01:33 +00:00
2022-12-05 22:29:21 +00:00
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
2022-04-28 16:01:33 +00:00
</details>
2022-05-07 10:35:17 +00:00
## General
2020-11-10 09:27:45 +00:00
2022-09-27 00:18:19 +00:00
* [**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source\_Code\_Analysis\_Tools)\
* [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis)
2021-09-25 13:27:46 +00:00
2020-11-10 09:27:45 +00:00
```bash
https://www.sonarqube.org/downloads/
https://deepsource.io/signup/
https://github.com/pyupio/safety
https://github.com/returntocorp/semgrep
https://github.com/WhaleShark-Team/cobra
2021-09-25 13:27:46 +00:00
https://github.com/insidersec/insider
2020-11-10 09:27:45 +00:00
# Find interesting strings
https://github.com/s0md3v/hardcodes
https://github.com/micha3lb3n/SourceWolf
https://libraries.io/pypi/detect-secrets
```
2022-05-07 10:35:17 +00:00
## JavaScript
2022-09-02 04:20:58 +00:00
### Discovery
1. Burp:
- Spider and discover content
- Sitemap > filter
- Sitemap > right-click domain > Engagement tools > Find scripts
2. [WaybackURLs](https://github.com/tomnomnom/waybackurls):
- `waybackurls <domain> |grep -i "\.js" |sort -u`
### Static Analysis
#### Unminimize/Beautify/Prettify
https://prettier.io/playground/
https://beautifier.io/
#### Deobfuscate/Unpack
__Note__: It may not be possible to fully deobfuscate.
1. Find and use .map files:
- If the .map files are exposed, they can be used to easily deobfuscate.
- Commonly, foo.js.map maps to foo.js. Manually look for them.
- Use [JS Miner](https://github.com/PortSwigger/js-miner) to look for them.
- Ensure active scan is conducted.
- Read '[Tips/Notes](https://github.com/minamo7sen/burp-JS-Miner/wiki#tips--notes)'
- If found, use [Maximize](https://www.npmjs.com/package/maximize) to deobfuscate.
2. Without .map files, try JSnice:
- References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
- Tips:
- If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
- Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
3. Use console.log(<packerReturnVariable>);
- Find the return value at the end and change it to `console.log(<packerReturnVariable>);` so the deobfuscated js is printed instead of being executing.
- Then, paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console.
- Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
- __Note__: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process.
#### Analyze
References:
https://medium.com/techiepedia/javascript-code-review-guide-for-bug-bounty-hunters-c95a8aa7037a
Look for:
- Anti-debug loading
- Angular: [enableProdMode](https://blog.nvisium.com/angular-for-pentesters-part-2)
- Secrets
- Use:
- [JS Miner](https://github.com/PortSwigger/js-miner)
- [RegHex](https://github.com/l4yton/RegHex) patterns
- [gf](https://github.com/tomnomnom/gf/tree/master/examples) patterns
- Grep relevant dictionary patterns:
- pass, user, admin
- auth, login, sign, challenge, 2fa
- key, apikey, api_key, api-key, jwt, token
- secret, security, secure
- ...
- Manual review
- If API key found, check here for potential usage syntax: https://github.com/streaak/keyhacks.
- Vuln functions
- InnerHTML() - If you found this, it means there is a potential chance for XSS if no proper sanitisation takes place. Even if your payload is sanitised, dont worry. Trace the code to find out where the sanitisation takes place. Study it and try to get around the sanitisation.
- Postmessage() - If you have read my previous post (https://medium.com/techiepedia/what-are-sop-cors-and-ways-to-exploit-it-62a5e02100dc), you would notice that Postmessage() might lead to potential CORS issue. If the second parameter of the function set to *, you are the lucky one. Checkout my previous post to understand more about the mechanism behind.
- String.prototype.search() - This function looks normal. Why would it be a dangerous function? Well, it is because some developers used this to find occurrence of a string inside another string. However, “.” is treated as wildcard in this function. So, if this function is used as sanitisation check, you can simply bypass it by inputting “.”. Checkout Filedescryptors hackerone report: https://hackerone.com/reports/129873
- Endpoints & params
- Use [LinkFinder](https://github.com/GerbenJavado/LinkFinder) & [JS Miner](https://github.com/PortSwigger/js-miner).
- Vuln libs & deps
- Use [Retire.js](https://retirejs.github.io/retire.js/) and [NPM](https://snyk.io/advisor/) (scroll down to security section > all versions link).
- Cloud URLs
- Use [JS Miner](https://github.com/PortSwigger/js-miner).
- Subdomains
- Use [JS Miner](https://github.com/PortSwigger/js-miner).
- Logic Flaws
- Gain situational awareness:
- `use strict;`?
- Grep for client-side controls:
- disable, enable, hidden, hide, show
- catch, finally, throw, try
- input, validate, verify, valid, correct, check, confirm, require, ..
- Grep for non-primatives:
- function , =>
- class
### Dynamic Analysis
References
- https://www.youtube.com/watch?v=_v8r_t4v6hQ
- https://blog.nvisium.com/angular-for-pentesters-part-1
- https://blog.nvisium.com/angular-for-pentesters-part-2
Tools
- https://portswigger.net/burp/documentation/desktop/tools/dom-invader
#### Less Used References
- https://cyberchef.org/
- https://olajs.com/javascript-prettifier
- https://jshint.com/
- https://github.com/jshint/jshint/
2020-11-10 09:27:45 +00:00
2022-05-07 10:35:17 +00:00
## NodeJS
2020-11-10 09:27:45 +00:00
2022-04-11 00:18:13 +00:00
```
2020-11-10 09:27:45 +00:00
https://github.com/ajinabraham/nodejsscan
```
2022-05-07 10:35:17 +00:00
## Electron
2020-11-10 09:27:45 +00:00
2022-04-11 00:18:13 +00:00
```
2020-11-10 09:27:45 +00:00
https://github.com/doyensec/electronegativity
```
2022-05-07 10:35:17 +00:00
## Python
2020-11-10 09:27:45 +00:00
```bash
# bandit
https://github.com/PyCQA/bandit
# pyt
https://github.com/python-security/pyt
```
2022-05-07 10:35:17 +00:00
## .NET
2020-11-10 09:27:45 +00:00
```bash
# dnSpy
https://github.com/0xd4d/dnSpy
# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
```
2022-05-07 10:35:17 +00:00
## Java
2020-11-10 09:27:45 +00:00
```bash
# JD-Gui
https://github.com/java-decompiler/jd-gui
# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
```
2022-04-11 00:18:13 +00:00
| Task | Command |
| --------------- | --------------------------------------------------------- |
| Execute Jar | java -jar \[jar] |
| Unzip Jar | unzip -d \[output directory] \[jar] |
| Create Jar | jar -cmf META-INF/MANIFEST.MF \[output jar] \* |
| Base64 SHA256 | sha256sum \[file] \| cut -d' ' -f1 \| xxd -r -p \| base64 |
| Remove Signing | rm META-INF/_.SF META-INF/_.RSA META-INF/\*.DSA |
| Delete from Jar | zip -d \[jar] \[file to remove] |
| Decompile class | procyon -o . \[path to class] |
| Decompile Jar | procyon -jar \[jar] -o \[output directory] |
| Compile class | javac \[path to .java file] |
2020-11-10 09:27:45 +00:00
2022-05-07 10:35:17 +00:00
## Go
2021-05-26 11:18:48 +00:00
```bash
https://github.com/securego/gosec
```
2022-05-07 10:35:17 +00:00
## PHP
[Psalm](https://phpmagazine.net/2018/12/find-errors-in-your-php-applications-with-psalm.html) and [PHPStan](https://phpmagazine.net/2020/09/phpstan-pro-edition-launched.html).
2022-05-07 10:35:17 +00:00
### Wordpress Plugins
2022-04-11 00:18:13 +00:00
2022-05-07 10:35:17 +00:00
[https://www.pluginvulnerabilities.com/plugin-security-checker/](https://www.pluginvulnerabilities.com/plugin-security-checker/)
2022-04-28 16:01:33 +00:00
2022-05-07 10:35:17 +00:00
## Solidity
* [https://www.npmjs.com/package/solium](https://www.npmjs.com/package/solium)
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2023-04-25 18:35:28 +00:00
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2022-04-28 16:01:33 +00:00
2022-12-05 22:29:21 +00:00
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
2022-04-28 16:01:33 +00:00
</details>