Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-21 12:13:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-4415: No subject

Browse source
This commit is contained in:
CPol 2024-09-27 11:25:19 +00:00 committed by gitbook-bot
parent b29dabf605
commit dbf1c970b3
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
1 changed files with 23 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
network-services-pentesting/pentesting-web/code-review-tools.md
View file

@ -1,8 +1,8 @@
# Source code Review / SAST Tools
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -273,7 +273,7 @@ $ chmod +x insider
$ ./insider --tech javascript --target <projectfolder>
```
### [**DeepSource**](https://deepsource.com/pricing)&#x20;
### [**DeepSource**](https://deepsource.com/pricing)
Free for **public repos**.
@ -286,7 +286,10 @@ Free for **public repos**.
brew install yarn
# Run
cd /path/to/repo
yarn audit
yarn install
yarn audit # In lower versions
yarn npm audit # In 2+ versions
npm audit
```
@ -297,6 +300,7 @@ npm audit
npm install -g pnpm
# Run
cd /path/to/repo
pnpm install
pnpm audit
```
@ -447,17 +451,17 @@ https://github.com/securego/gosec
* Tips:
* If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
* Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
4. For some more modern alternatives to JSNice, you might like to look at the following:
* [https://github.com/pionxzh/wakaru](https://github.com/pionxzh/wakaru)
* > Javascript decompiler, unpacker and unminify toolkit
> Wakaru is the Javascript decompiler for modern frontend. It brings back the original code from a bundled and transpiled source.
* [https://github.com/j4k0xb/webcrack](https://github.com/j4k0xb/webcrack)
* > Deobfuscate obfuscator.io, unminify and unpack bundled javascript
* [https://github.com/jehna/humanify](https://github.com/jehna/humanify)
* > Un-minify Javascript code using ChatGPT
> This tool uses large language modeles (like ChatGPT & llama2) and other tools to un-minify Javascript code. Note that LLMs don't perform any structural changes they only provide hints to rename variables and functions. The heavy lifting is done by Babel on AST level to ensure code stays 1-1 equivalent.
* [https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html](https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html)
* > Using LLMs to reverse JavaScript variable name minification
3. For some more modern alternatives to JSNice, you might like to look at the following:
* [https://github.com/pionxzh/wakaru](https://github.com/pionxzh/wakaru)
* > Javascript decompiler, unpacker and unminify toolkit Wakaru is the Javascript decompiler for modern frontend. It brings back the original code from a bundled and transpiled source.
* [https://github.com/j4k0xb/webcrack](https://github.com/j4k0xb/webcrack)
* > Deobfuscate obfuscator.io, unminify and unpack bundled javascript
* [https://github.com/jehna/humanify](https://github.com/jehna/humanify)
* > Un-minify Javascript code using ChatGPT This tool uses large language modeles (like ChatGPT & llama2) and other tools to un-minify Javascript code. Note that LLMs don't perform any structural changes they only provide hints to rename variables and functions. The heavy lifting is done by Babel on AST level to ensure code stays 1-1 equivalent.
* [https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html](https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html)
* > Using LLMs to reverse JavaScript variable name minification
3. Use `console.log()`;
* Find the return value at the end and change it to `console.log(<packerReturnVariable>);` so the deobfuscated js is printed instead of being executing.
* Then, paste the modified (and still obfuscated) js into [https://jsconsole.com/](https://jsconsole.com/) to see the deobfuscated js logged to the console.
@ -466,10 +470,10 @@ https://github.com/securego/gosec
#### References
* [YouTube: DAST - Javascript Dynamic Analysis](https://www.youtube.com/watch?v=_v8r_t4v6hQ)
* [YouTube: DAST - Javascript Dynamic Analysis](https://www.youtube.com/watch?v=\_v8r\_t4v6hQ)
* [https://blog.nvisium.com/angular-for-pentesters-part-1](https://web.archive.org/web/20221226054137/https://blog.nvisium.com/angular-for-pentesters-part-1)
* [https://blog.nvisium.com/angular-for-pentesters-part-2](https://web.archive.org/web/20230204012439/https://blog.nvisium.com/angular-for-pentesters-part-2)
* [devalias](https://twitter.com/_devalias)'s [GitHub Gists](https://gist.github.com/0xdevalias):
* [devalias](https://twitter.com/\_devalias)'s [GitHub Gists](https://gist.github.com/0xdevalias):
* [Deobfuscating / Unminifying Obfuscated Web App Code](https://gist.github.com/0xdevalias/d8b743efb82c0e9406fc69da0d6c6581#deobfuscating--unminifying-obfuscated-web-app-code)
* [Reverse Engineering Webpack Apps](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#reverse-engineering-webpack-apps)
* [etc](https://gist.github.com/search?q=user:0xdevalias+javascript)
@ -486,8 +490,8 @@ https://github.com/securego/gosec
* [https://github.com/jshint/jshint/](https://github.com/jshint/jshint/)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>