Source Code Review / SAST Tools
Guide & Tool lists
- https://owasp.org/www-community/Source_Code_Analysis_Tools
- https://github.com/analysis-tools-dev/static-analysis
Multi-language tools
Naxus - AI-Gents
There is a free package to review PRs.
Semgrep
It's an open source tool.
Supported Languages
| Category | Languages |
|---|---|
| GA | C# · Go · Java · JavaScript · JSX · JSON · PHP · Python · Ruby · Scala · Terraform · TypeScript · TSX |
| Beta | Kotlin · Rust |
| Experimental | Bash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp · |
Quick Start
{% code overflow="wrap" %}
```bash
# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-cli
brew install semgrep
# Go to your repo code and scan
cd repo
semgrep scan --config auto
```
{% endcode %}
You can also use the semgrep VSCode Extension to get the results inside VSCode.
SonarQube
There is a free installable version.
Quick Start
{% code overflow="wrap" %}
```bash
# Run the platform in docker
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
# Install cli tool
brew install sonar-scanner
# Go to localhost:9000 and login with admin:admin or admin:sonar
# Generate a local project and then a TOKEN for it
# Using the token and from the folder with the repo, scan it
cd path/to/repo
sonar-scanner \
  -Dsonar.projectKey=<project-name> \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.token=<sonar_project_token>
```
{% endcode %}
CodeQL
There is a free installable version, but according to the license you can only use the free CodeQL version in Open Source projects.
Install
{% code overflow="wrap" %}
```bash
# Download your release from https://github.com/github/codeql-action/releases
## Example
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz
# Move it to the destination folder
mkdir ~/codeql
mv codeql-bundle* ~/codeql
# Decompress it
cd ~/codeql
tar -xzvf codeql-bundle-*.tar.gz
rm codeql-bundle-*.tar.gz
# Add to path
echo 'export PATH="$PATH:/Users/username/codeql/codeql"' >> ~/.zshrc
# Check it's correctly installed
## Open a new terminal
codeql resolve qlpacks # Get paths to QL packs
```
{% endcode %}
Quick Start - Prepare the database
{% hint style="success" %} The first thing you need to do is to prepare the database (create the code tree) so the queries can later be run over it. {% endhint %}
- You can let codeql automatically identify the language of the repo and create the database
{% code overflow="wrap" %}
```bash
codeql database create <database> --source-root </path/to/repo>
# Example
codeql database create /path/repo/codeql_db --source-root /path/repo
## DB will be created in /path/repo/codeql_db
```
{% endcode %}
{% hint style="danger" %} This will usually trigger an error saying that more than one language was specified (or automatically detected). Check the next options to fix this! {% endhint %}
- You can do this manually, indicating the repo and the language (list of languages)
{% code overflow="wrap" %}
```bash
codeql database create <database> --language <language> --source-root </path/to/repo>
# Example
codeql database create /path/repo/codeql_db --language javascript --source-root /path/repo
## DB will be created in /path/repo/codeql_db
```
{% endcode %}
- If your repo uses more than 1 language, you can also create 1 DB per language by indicating each language.
{% code overflow="wrap" %}
```bash
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --source-root </path/to/repo> --db-cluster --language "javascript,python"
# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /path/repo/codeql_db --source-root /path/repo --db-cluster --language "javascript,python"
## DBs will be created in /path/repo/codeql_db/*
```
{% endcode %}
- You can also let codeql identify all the languages for you and create a DB per language. You need to give it a GITHUB_TOKEN.
{% code overflow="wrap" %}
```bash
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --db-cluster --source-root </path/to/repo>
# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /tmp/codeql_db --db-cluster --source-root /path/repo
## DBs will be created in /tmp/codeql_db/*
```
{% endcode %}
Quick Start - Analyze the code
{% hint style="success" %} Now it's finally time to analyze the code {% endhint %}
Remember that if you used several languages, a DB per language will have been created in the path you specified.
{% code overflow="wrap" %}
```bash
# Default analysis
codeql database analyze <database> --format=<format> --output=</out/file/path>
# Example
codeql database analyze /tmp/codeql_db/javascript --format=sarif-latest --output=/tmp/graphql_results.sarif

# Specify QL pack to use in the analysis
codeql database analyze <database> \
  <qls pack> --sarif-category=<language> \
  --sarif-add-baseline-file-info --format=<format> \
  --output=</out/file/path>
# Example
codeql database analyze /tmp/codeql_db \
  javascript-security-extended --sarif-category=javascript \
  --sarif-add-baseline-file-info --format=sarif-latest \
  --output=/tmp/sec-extended.sarif
```
{% endcode %}
Quick Start - Scripted
{% code overflow="wrap" %}
```bash
export GITHUB_TOKEN=ghp_32849y23hij4...
export REPO_PATH=/path/to/repo
export OUTPUT_DIR_PATH="$REPO_PATH/codeql_results"
mkdir -p "$OUTPUT_DIR_PATH"
export FINAL_MSG="Results available in: "

echo "Creating DB"
codeql database create "$REPO_PATH/codeql_db" --db-cluster --source-root "$REPO_PATH"

# --db-cluster created one sub-directory per detected language; analyze each one
for db_path in "$REPO_PATH"/codeql_db/*/; do
  db=$(basename "$db_path")
  echo "Analyzing $db"
  codeql database analyze "$REPO_PATH/codeql_db/$db" --format=sarif-latest --output="${OUTPUT_DIR_PATH}/$db.sarif"
  FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ,"
  echo ""
done
echo "$FINAL_MSG"
```
{% endcode %}
You can see the results in https://microsoft.github.io/sarif-web-component/ or using the VSCode extension SARIF viewer.
You can also use the VSCode extension to get the results inside VSCode. You will still need to create the database manually, but then you can select any files and Right Click -> CodeQL: Run Queries in Selected Files
Snyk
There is a free installable version.
Quick Start
```bash
# Install
sudo npm install -g snyk
# Authenticate (you can use a free account)
snyk auth
# Test for open source vulns & license issues
snyk test [--all-projects]
# Test for code vulnerabilities
## This will upload your code and you need to enable this option in: Settings > Snyk Code
snyk test code
# Test for vulns in images
snyk container test [image]
# Test for IaC vulns
snyk iac test
```
You can also use the snyk VSCode Extension to get the results inside VSCode.
Insider
It's Open Source, but looks unmaintained.
Supported Languages
Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
Quick Start
```bash
# Check the correct release for your environment
wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
tar -xf insider_2.1.0_linux_x86_64.tar.gz
chmod +x insider
./insider --tech javascript --target <projectfolder>
```
DeepSource
Free for public repos.
NodeJS
- yarn
```bash
# Install
brew install yarn
# Run
cd /path/to/repo
yarn audit
npm audit
```
- pnpm
```bash
# Install
npm install -g pnpm
# Run
cd /path/to/repo
pnpm audit
```
- nodejsscan: Static security code scanner (SAST) for Node.js applications powered by libsast and semgrep.
```bash
# Install & run
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest
# Go to localhost:9090
# Upload a zip file with the code
```
- RetireJS: The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
```bash
# Install
npm install -g retire
# Run
cd /path/to/repo
retire --colors
```
Electron
- electronegativity: It is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
Python
- Bandit: Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs the appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
```bash
# Install
pip3 install bandit
# Run
bandit -r <path to folder>
```
- safety: Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for the vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.
```bash
# Install
pip install safety
# Run
safety check
```
- Pyt: Unmaintained.
.NET
```
# dnSpy
https://github.com/0xd4d/dnSpy

# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
```
Rust
Rust is a modern programming language known for its safety and fast performance. It's a great choice for developing security tools and for security testing.
```bash
# Install
cargo install cargo-audit
# Run
cargo audit
# Update the Advisory Database
cargo audit fetch
```
Java
FindBugs
FindBugs is a code quality tool used to detect common defects in Java programs.
PMD
PMD is another code quality tool used to detect common mistakes in Java code.
Checkstyle
Checkstyle is another code quality tool used to check whether the code adheres to the configured coding standards.
```bash
# JD-Gui
https://github.com/java-decompiler/jd-gui

# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
```
| Task | Command |
|---|---|
| Execute Jar | `java -jar [jar]` |
| Unzip Jar | `unzip -d [output directory] [jar]` |
| Create Jar | `jar -cmf META-INF/MANIFEST.MF [output jar] *` |
| Base64 SHA256 | `sha256sum [file] \| cut -d' ' -f1 \| xxd -r -p \| base64` |
| Remove Signing | `rm META-INF/*.SF META-INF/*.RSA META-INF/*.DSA` |
| Delete from Jar | `zip -d [jar] [file to remove]` |
| Decompile class | `procyon -o . [path to class]` |
| Decompile Jar | `procyon -jar [jar] -o [output directory]` |
| Compile class | `javac [path to .java file]` |
Go
https://github.com/securego/gosec
PHP
Wordpress Plugins
https://www.pluginvulnerabilities.com/plugin-security-checker/
Solidity
JavaScript
Discovery
- Burp:
  - Spider and discover content
  - Sitemap > filter
  - Sitemap > right-click on the domain > Engagement tools > Find scripts
```bash
waybackurls <domain> | grep -i "\.js" | sort -u
```
Static Analysis
Unminimize/Beautify/Prettify
- https://prettier.io/playground/
- https://beautifier.io/
- See also some of the tools mentioned under 'Deobfuscate/Unpack' below.
Deobfuscate/Unpack
Note: It may not be possible to fully deobfuscate.
- Find and use .map files:
  - If .map files are exposed, they can be used to deobfuscate easily.
  - Commonly, foo.js.map maps to foo.js. Manually look for them.
  - Use JS Miner to look for them.
    - Ensure an automated scan is run.
    - Read 'Tips/Notes'
  - If found, use Maximize to deobfuscate.
- Without .map files, try JSnice:
  - References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
  - Tips:
    - If you are using jsnice.org, click the options button next to the "Nicify JavaScript" button and uncheck "Infer types" to reduce the clutter that the added comments introduce into the code.
    - Make sure you don't leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
- For some more modern alternatives to JSNice, you might want to look at the following:
  - https://github.com/pionxzh/wakaru: Javascript decompiler, unpacker and unminify toolkit. Wakaru is a Javascript decompiler for modern frontends; it brings back the original code from a bundled and transpiled source.
  - https://github.com/j4k0xb/webcrack: Deobfuscate obfuscator.io output, unminify and unpack bundled javascript.
  - https://github.com/jehna/humanify: Un-minify Javascript code using ChatGPT. This tool uses large language models (like ChatGPT & llama2) and other tools to deobfuscate Javascript code. Note that the LLMs don't perform any structural changes; they only provide hints for renaming variables and functions. The heavy lifting is done by Babel at the AST level to ensure the code stays 1-1 equivalent.
  - https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html: Using LLMs to rename minified Javascript variables.
- Use `console.log();`
  - Find the return value at the end and change it to `console.log(<packerReturnVariable>);` so the deobfuscated code is printed instead of being executed.
  - Then, paste the modified (and still obfuscated) code into https://jsconsole.com/ to see the deobfuscated code logged to the console.
  - Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
  - Note: If you still see packed (but different) code, it may be recursively packed. Repeat the process.
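The `console.log` trick above, as an added example that is not part of the original page: a constructed packer (`pack`) whose final statement is `eval(<decoded source>)`, the rewrite of that trailing `eval(...)` into a `return (...)` that hands the decoded source back instead of running it, and a loop that repeats the step for recursively packed layers. Node.js is assumed for `Buffer`; all function names and the sample source are made up for this example.

```javascript
// Added example (not from the original page). Node.js is assumed for Buffer.
// Constructed sample: the "real" code that a packer hides behind eval().
const SAMPLE_SRC = 'function greet(n){return "hi "+n}\nconsole.log(greet("bob"))';

// Constructed packer: stores the source as reversed hex and evals the decoded
// string at runtime, mirroring the eval()-at-the-end shape the page describes.
function pack(src) {
  const hex = Buffer.from(src, 'utf8').toString('hex').split('').reverse().join('');
  return 'eval(Buffer.from("' + hex + '".split("").reverse().join(""),"hex").toString("utf8"))';
}

// A layer is still "packed" while the wrapper is a single trailing eval(...) call.
function isPacked(code) {
  return /^\s*eval\(/.test(code);
}

// The page's trick automated: instead of console.log(...) we turn the final
// eval(...) into return (...), so only the decoder expression runs and the
// payload it decodes is handed back as text, never executed.
function unpackOnce(packed) {
  const rewritten = packed.replace(/^\s*eval\(/, 'return (');
  return new Function(rewritten)();
}

// "If you still see packed code, repeat the process": peel layer after layer
// until the result no longer ends in an eval() wrapper (bounded by maxLayers).
function unpackLayers(packed, maxLayers = 10) {
  let code = packed;
  let layers = 0;
  while (isPacked(code) && layers < maxLayers) {
    code = unpackOnce(code);
    layers++;
  }
  return { code, layers };
}

// Demo: pack twice (recursive packing), then recover the source without ever
// running greet() or the console.log inside SAMPLE_SRC.
const doublePacked = pack(pack(SAMPLE_SRC));
const result = unpackLayers(doublePacked);
console.log('peeled ' + result.layers + ' layers:\n' + result.code);
```

The same rewrite works by hand on jsconsole.com when the decoder is pure; when the wrapper has side effects before its final `eval`, run it only in a throwaway environment.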
References
- YouTube: DAST - Javascript Dynamic Analysis
- https://blog.nvisium.com/angular-for-pentesters-part-1
- https://blog.nvisium.com/angular-for-pentesters-part-2
- devalias's GitHub Gists:
  - Deobfuscating / Unminifying Obfuscated Web App Code
  - Reverse Engineering Webpack Apps
  - etc.