17 KiB
Source code Review / SAST Tools
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Guidance and & Lists of tools
- https://owasp.org/www-community/Source_Code_Analysis_Tools
- https://github.com/analysis-tools-dev/static-analysis
Multi-Language Tools
Naxus - AI-Gents
There is a free package to review PRs.
Semgrep
It's an Open Source tool.
Supported Languages
Category | Languages |
---|---|
GA | C# · Go · Java · JavaScript · JSX · JSON · PHP · Python · Ruby · Scala · Terraform · TypeScript · TSX |
Beta | Kotlin · Rust |
Experimental | Bash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp · |
Quick Start
{% code overflow="wrap" %}
# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-cli
brew install semgrep
# Go to your repo code and scan
cd repo
semgrep scan --config auto
{% endcode %}
You can also use the semgrep VSCode Extension to get the findings inside VSCode.
SonarQube
There is an installable free version.
Quick Start
{% code overflow="wrap" %}
# Run the paltform in docker
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
# Install cli tool
brew install sonar-scanner
# Go to localhost:9000 and login with admin:admin or admin:sonar
# Generate a local project and then a TOKEN for it
# Using the token and from the folder with the repo, scan it
cd path/to/repo
sonar-scanner \
-Dsonar.projectKey=<project-name> \
-Dsonar.sources=. \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.token=<sonar_project_token>
{% endcode %}
Snyk
There is an installable free version.
Quick Start
# Install
sudo npm install -g snyk
# Authenticate (you can use a free account)
snyk auth
# Test for open source vulns & license issues
snyk test [--all-projects]
# Test for code vulnerabilities
## This will upload your code and you need to enable this option in: Settings > Snyk Code
snyk test code
# Test for vulns in images
snyk container test [image]
# Test for IaC vulns
snyk iac test
You can also use the snyk VSCode Extension to get findings inside VSCode.
CodeQL
There is an installable free version.
Install
brew install codeql
# Check it's correctly installed
codeql resolve qlpacks
Or
{% code overflow="wrap" %}
# Download your release from https://github.com/github/codeql-action/releases
## Example
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz
# Move it to the destination folder
mkdir ~/codeql
mv codeql-bundle* ~/codeql
# Decompress it
cd ~/codeql
tar -xzvf codeql-bundle-*.tar.gz
rm codeql-bundle-*.tar.gz
# Add to path
echo 'export PATH="$PATH:/Users/username/codeql/codeql"' >> ~/.zshrc
# Check it's correctly installed
## Open a new terminal
codeql resolve qlpacks
{% endcode %}
Quick Start
{% code overflow="wrap" %}
# Prepare the database
## You need to export a GITHUB_TOKEN (codeql will detect languages automatically)
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --db-cluster --source-root </path/to/repo>
## Or to indicate the languages yourself
codeql database create <database> --language=<language-identifier> --source-root </path/to/repo>
## For example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /tmp/codeql_db --db-cluster --source-root /path/to/repo # This will generate the folder /tmp/codeql_db
# Analyze the code
codeql database analyze <database> --format=<format> --output=</out/file/path>
# If you used --db-cluster a different db was created per language, you need to indicate it. In this example I analyze the javascript folder.
codeql database analyze /tmp/codeql_db/javascript --format=csv --output=/tmp/graphql_results.csv
# Get sarif format
codeql database analyze /tmp/codeql_db/javascript --format=sarif-latest --output=/tmp/graphql_results.sarif
# You can visualize the findings in https://microsoft.github.io/sarif-web-component/
{% endcode %}
You can also use the VSCode extension to get the findings inside VSCode. You will still need to create a database manually, but then you can select any files and click on Right Click
-> CodeQL: Run Queries in Selected Files
Insider
It's Open Source, but looks unmaintained.
Supported Languages
Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
Quick Start
# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
$ tar -xf insider_2.1.0_linux_x86_64.tar.gz
$ chmod +x insider
$ ./insider --tech javascript --target <projectfolder>
DeepSource
Free for public repos.
NodeJS
yarn
# Install
brew isntall yarn
# Run
cd /path/to/repo
yarn audit
- nodejsscan: Static security code scanner (SAST) for Node.js applications powered by libsast and semgrep.
# Install & run
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest
# Got to localhost:9090
# Upload a zip file with the code
- RetireJS: The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
# Install
npm install -g retire
# Run
cd /path/to/repo
retire --colors
Electron
- electronegativity: It's a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
Python
- Bandit: Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
# Install
pip3 install bandit
# Run
bandit -r <path to folder>
- safety: Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.
# Install
pip install safety
# Run
safety check
Pyt: Unmaintained
.NET
# dnSpy
https://github.com/0xd4d/dnSpy
# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
Java
# JD-Gui
https://github.com/java-decompiler/jd-gui
# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
Task | Command |
---|---|
Execute Jar | java -jar [jar] |
Unzip Jar | unzip -d [output directory] [jar] |
Create Jar | jar -cmf META-INF/MANIFEST.MF [output jar] * |
Base64 SHA256 | sha256sum [file] | cut -d' ' -f1 | xxd -r -p | base64 |
Remove Signing | rm META-INF/.SF META-INF/.RSA META-INF/*.DSA |
Delete from Jar | zip -d [jar] [file to remove] |
Decompile class | procyon -o . [path to class] |
Decompile Jar | procyon -jar [jar] -o [output directory] |
Compile class | javac [path to .java file] |
Go
https://github.com/securego/gosec
PHP
Wordpress Plugins
https://www.pluginvulnerabilities.com/plugin-security-checker/
Solidity
JavaScript
Discovery
- Burp:
- Spider and discover content
- Sitemap > filter
- Sitemap > right-click domain > Engagement tools > Find scripts
- WaybackURLs:
waybackurls <domain> |grep -i "\.js" |sort -u
Static Analysis
Unminimize/Beautify/Prettify
Deobfuscate/Unpack
Note: It may not be possible to fully deobfuscate.
- Find and use .map files:
- If the .map files are exposed, they can be used to easily deobfuscate.
- Commonly, foo.js.map maps to foo.js. Manually look for them.
- Use JS Miner to look for them.
- Ensure active scan is conducted.
- Read 'Tips/Notes'
- If found, use Maximize to deobfuscate.
- Without .map files, try JSnice:
- References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
- Tips:
- If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
- Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
- Use console.log();
- Find the return value at the end and change it to
console.log(<packerReturnVariable>);
so the deobfuscated js is printed instead of being executing. - Then, paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console.
- Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
- Note: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process.
- Find the return value at the end and change it to
Analyze
References: https://medium.com/techiepedia/javascript-code-review-guide-for-bug-bounty-hunters-c95a8aa7037a
Look for:
- Anti-debug loading
- Angular: enableProdMode
- Secrets
- Use:
- If API key found, check here for potential usage syntax: https://github.com/streaak/keyhacks.
- Vuln functions
- InnerHTML() - If you found this, it means there is a potential chance for XSS if no proper sanitisation takes place. Even if your payload is sanitised, don’t worry. Trace the code to find out where the sanitisation takes place. Study it and try to get around the sanitisation.
- Postmessage() - If you have read my previous post (https://medium.com/techiepedia/what-are-sop-cors-and-ways-to-exploit-it-62a5e02100dc), you would notice that Postmessage() might lead to potential CORS issue. If the second parameter of the function set to *, you are the lucky one. Checkout my previous post to understand more about the mechanism behind.
- String.prototype.search() - This function looks normal. Why would it be a dangerous function? Well, it is because some developers used this to find occurrence of a string inside another string. However, “.” is treated as wildcard in this function. So, if this function is used as sanitisation check, you can simply bypass it by inputting “.”. Checkout Filedescryptor’s hackerone report: https://hackerone.com/reports/129873
- Endpoints & params
- Use LinkFinder & JS Miner.
- Vuln libs & deps
- Cloud URLs
- Use JS Miner.
- Subdomains
- Use JS Miner.
- Logic Flaws
- Gain situational awareness:
use strict;
?
- Grep for client-side controls:
- disable, enable, hidden, hide, show
- catch, finally, throw, try
- input, validate, verify, valid, correct, check, confirm, require, ..
- Grep for non-primatives:
- function , =>
- class
- Gain situational awareness:
Dynamic Analysis
References
- https://www.youtube.com/watch?v=_v8r_t4v6hQ
- https://blog.nvisium.com/angular-for-pentesters-part-1
- https://blog.nvisium.com/angular-for-pentesters-part-2
Tools
Less Used References
- https://cyberchef.org/
- https://olajs.com/javascript-prettifier
- https://jshint.com/
- https://github.com/jshint/jshint/
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.