19 KiB
Mapitio ya Msimbo wa Chanzo / Zana za SAST
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Mwongozo na Orodha za zana
- https://owasp.org/www-community/Source_Code_Analysis_Tools
- https://github.com/analysis-tools-dev/static-analysis
Zana za Lugha Mbalimbali
Naxus - AI-Gents
Kuna kifurushi cha bure cha kukagua PRs.
Semgrep
Ni zana ya Open Source.
Lugha Zinazoungwa Mkono
| Kategoria | Lugha |
|---|---|
| GA | C# · Go · Java · JavaScript · JSX · JSON · PHP · Python · Ruby · Scala · Terraform · TypeScript · TSX |
| Beta | Kotlin · Rust |
| Kijaribio | Bash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp · |
Mwanzo wa Haraka
{% code overflow="wrap" %}
# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-cli
brew install semgrep
# Go to your repo code and scan
cd repo
semgrep scan --config auto
{% endcode %}
Unaweza pia kutumia semgrep VSCode Extension kupata matokeo ndani ya VSCode.
SonarQube
Kuna toleo la bure linaloweza kusakinishwa.
Kuanzia Haraka
{% code overflow="wrap" %}
# Run the paltform in docker
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
# Install cli tool
brew install sonar-scanner
# Go to localhost:9000 and login with admin:admin or admin:sonar
# Generate a local project and then a TOKEN for it
# Using the token and from the folder with the repo, scan it
cd path/to/repo
sonar-scanner \
-Dsonar.projectKey=<project-name> \
-Dsonar.sources=. \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.token=<sonar_project_token>
{% endcode %}
CodeQL
Kuna toleo la bure linaloweza kusakinishwa lakini kulingana na leseni unaweza kutumia tu toleo la bure la codeQL katika miradi ya Open Source.
Install
{% code overflow="wrap" %}
# Download your release from https://github.com/github/codeql-action/releases
## Example
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz
# Move it to the destination folder
mkdir ~/codeql
mv codeql-bundle* ~/codeql
# Decompress it
cd ~/codeql
tar -xzvf codeql-bundle-*.tar.gz
rm codeql-bundle-*.tar.gz
# Add to path
echo 'export PATH="$PATH:/Users/username/codeql/codeql"' >> ~/.zshrc
# Check it's correctly installed
## Open a new terminal
codeql resolve qlpacks #Get paths to QL packs
{% endcode %}
Quick Start - Andaa hifadhidata
{% hint style="success" %} Jambo la kwanza unahitaji kufanya ni kuandaa hifadhidata (unda mti wa msimbo) ili baadaye maswali yafanywe juu yake. {% endhint %}
- Unaweza kuruhusu codeql kutambua kiotomatiki lugha ya repo na kuunda hifadhidata
{% code overflow="wrap" %}
codeql database create <database> --language <language>
# Example
codeql database create /path/repo/codeql_db --source-root /path/repo
## DB will be created in /path/repo/codeql_db
{% endcode %}
{% hint style="danger" %} Hii kwa kawaida itasababisha kosa linalosema kwamba lugha zaidi ya moja ilitolewa (au kugunduliwa kiotomatiki). Angalia chaguzi zifuatazo ili kurekebisha hili! {% endhint %}
- Unaweza kufanya hivi kwa mikono ukionyesha repo na lugha (orodha ya lugha)
{% code overflow="wrap" %}
codeql database create <database> --language <language> --source-root </path/to/repo>
# Example
codeql database create /path/repo/codeql_db --language javascript --source-root /path/repo
## DB will be created in /path/repo/codeql_db
{% endcode %}
- Ikiwa repo yako inatumia zaidi ya lugha 1, unaweza pia kuunda DB 1 kwa kila lugha ukionyesha kila lugha.
{% code overflow="wrap" %}
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --source-root /path/to/repo --db-cluster --language "javascript,python"
# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /path/repo/codeql_db --source-root /path/to/repo --db-cluster --language "javascript,python"
## DBs will be created in /path/repo/codeql_db/*
{% endcode %}
- Unaweza pia kuruhusu
codeqlkutambua lugha zote kwa ajili yako na kuunda DB kwa kila lugha. Unahitaji kumpa GITHUB_TOKEN.
{% code overflow="wrap" %}
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --db-cluster --source-root </path/to/repo>
# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /tmp/codeql_db --db-cluster --source-root /path/repo
## DBs will be created in /path/repo/codeql_db/*
{% endcode %}
Quick Start - Changanua msimbo
{% hint style="success" %} Sasa hatimaye ni wakati wa kuchanganua msimbo {% endhint %}
Kumbuka kwamba ikiwa ulitumia lugha kadhaa, DB kwa kila lugha ingekuwa imeundwa katika njia uliyotaja.
{% code overflow="wrap" %}
# Default analysis
codeql database analyze <database> --format=<format> --output=</out/file/path>
# Example
codeql database analyze /tmp/codeql_db/javascript --format=sarif-latest --output=/tmp/graphql_results.sarif
# Specify QL pack to use in the analysis
codeql database analyze <database> \
<qls pack> --sarif-category=<language> \
--sarif-add-baseline-file-info \ --format=<format> \
--output=/out/file/path>
# Example
codeql database analyze /tmp/codeql_db \
javascript-security-extended --sarif-category=javascript \
--sarif-add-baseline-file-info --format=sarif-latest \
--output=/tmp/sec-extended.sarif
Quick Start - Scripted
{% code overflow="wrap" %}
export GITHUB_TOKEN=ghp_32849y23hij4...
export REPO_PATH=/path/to/repo
export OUTPUT_DIR_PATH="$REPO_PATH/codeql_results"
mkdir -p "$OUTPUT_DIR_PATH"
export FINAL_MSG="Results available in: "
echo "Creating DB"
codeql database create "$REPO_PATH/codeql_db" --db-cluster --source-root "$REPO_PATH"
for db in `ls "$REPO_PATH/codeql_db"`; do
echo "Analyzing $db"
codeql database analyze "$REPO_PATH/codeql_db/$db" --format=sarif-latest --output="${OUTPUT_DIR_PATH}/$db).sarif"
FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ,"
echo ""
done
echo $FINAL_MSG
{% endcode %}
Unaweza kuona matokeo katika https://microsoft.github.io/sarif-web-component/ au kutumia nyongeza ya VSCode SARIF viewer.
Unaweza pia kutumia nyongeza ya VSCode kupata matokeo ndani ya VSCode. Bado utahitaji kuunda database kwa mikono, lakini kisha unaweza kuchagua faili zozote na kubonyeza Right Click -> CodeQL: Run Queries in Selected Files
Snyk
Kuna toleo la bure linaloweza kusakinishwa.
Quick Start
# Install
sudo npm install -g snyk
# Authenticate (you can use a free account)
snyk auth
# Test for open source vulns & license issues
snyk test [--all-projects]
# Test for code vulnerabilities
## This will upload your code and you need to enable this option in: Settings > Snyk Code
snyk test code
# Test for vulns in images
snyk container test [image]
# Test for IaC vulns
snyk iac test
You can also use the snyk VSCode Extension kupata matokeo ndani ya VSCode.
Insider
Ni Open Source, lakini inaonekana haijatunzwa.
Lugha Zinazoungwa Mkono
Java (Maven na Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, na Javascript (Node.js).
Kuanzia Haraka
# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
$ tar -xf insider_2.1.0_linux_x86_64.tar.gz
$ chmod +x insider
$ ./insider --tech javascript --target <projectfolder>
DeepSource
Bila malipo kwa repo za umma.
NodeJS
yarn
# Install
brew install yarn
# Run
cd /path/to/repo
yarn audit
npm audit
pnpm
# Install
npm install -g pnpm
# Run
cd /path/to/repo
pnpm audit
- nodejsscan: Skana wa usalama wa msimbo wa statiki (SAST) kwa programu za Node.js unaotumiwa na libsast na semgrep.
# Install & run
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest
# Got to localhost:9090
# Upload a zip file with the code
- RetireJS: Lengo la Retire.js ni kukusaidia kugundua matumizi ya toleo la maktaba ya JS yenye udhaifu unaojulikana.
# Install
npm install -g retire
# Run
cd /path/to/repo
retire --colors
Electron
- electronegativity: Ni chombo cha kutambua makosa ya usanidi na mifumo mibaya ya usalama katika programu zinazotumia Electron.
Python
- Bandit: Bandit ni chombo kilichoundwa kutafuta masuala ya kawaida ya usalama katika msimbo wa Python. Ili kufanya hivyo, Bandit inachakata kila faili, inajenga AST kutoka kwake, na inatekeleza nyongeza zinazofaa dhidi ya voz nodes za AST. Mara Bandit inapokamilisha skanning ya faili zote, inazalisha ripoti.
# Install
pip3 install bandit
# Run
bandit -r <path to folder>
- safety: Safety inakagua utegemezi wa Python kwa ajili ya udhaifu wa usalama unaojulikana na inapendekeza marekebisho sahihi kwa udhaifu ulio gundulika. Safety inaweza kuendeshwa kwenye mashine za waendelezaji, katika mchakato wa CI/CD na kwenye mifumo ya uzalishaji.
# Install
pip install safety
# Run
safety check
Pyt: Haijashughulikiwa.
.NET
# dnSpy
https://github.com/0xd4d/dnSpy
# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
RUST
# Install
cargo install cargo-audit
# Run
cargo audit
#Update the Advisory Database
cargo audit fetch
Java
# JD-Gui
https://github.com/java-decompiler/jd-gui
# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
| Task | Command |
|---|---|
| Execute Jar | java -jar [jar] |
| Unzip Jar | unzip -d [output directory] [jar] |
| Create Jar | jar -cmf META-INF/MANIFEST.MF [output jar] * |
| Base64 SHA256 | sha256sum [file] | cut -d' ' -f1 | xxd -r -p | base64 |
| Remove Signing | rm META-INF/.SF META-INF/.RSA META-INF/*.DSA |
| Delete from Jar | zip -d [jar] [file to remove] |
| Decompile class | procyon -o . [path to class] |
| Decompile Jar | procyon -jar [jar] -o [output directory] |
| Compile class | javac [path to .java file] |
Nenda
https://github.com/securego/gosec
PHP
Wordpress Plugins
https://www.pluginvulnerabilities.com/plugin-security-checker/
Solidity
JavaScript
Discovery
- Burp:
- Spider na gundua maudhui
- Sitemap > filter
- Sitemap > bonyeza-kulia kwenye domain > Zana za ushirikiano > Pata scripts
waybackurls <domain> |grep -i "\.js" |sort -u
Static Analysis
Unminimize/Beautify/Prettify
- https://prettier.io/playground/
- https://beautifier.io/
- Angalia baadhi ya zana zilizotajwa katika 'Deobfuscate/Unpack' hapa chini pia.
Deobfuscate/Unpack
Kumbuka: Inaweza kuwa haiwezekani kuondoa kabisa obfuscation.
- Tafuta na tumia .map files:
- Ikiwa .map files zimefunuliwa, zinaweza kutumika kwa urahisi kuondoa obfuscation.
- Kwa kawaida, foo.js.map inahusiana na foo.js. Tafuta kwa mikono.
- Tumia JS Miner kutafuta.
- Hakikisha skana hai inafanywa.
- Soma 'Tips/Notes'
- Ikiwa zimepatikana, tumia Maximize kuondoa obfuscation.
- Bila .map files, jaribu JSnice:
- Marejeleo: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
- Vidokezo:
- Ikiwa unatumia jsnice.org, bonyeza kwenye kitufe cha chaguo kilicho karibu na kitufe cha "Nicify JavaScript", na uondoe "Infer types" ili kupunguza machafuko katika msimbo.
- Hakikisha huacha mistari yoyote tupu kabla ya script, kwani inaweza kuathiri mchakato wa kuondoa obfuscation na kutoa matokeo yasiyo sahihi.
- Kwa baadhi ya mbadala za kisasa zaidi kwa JSNice, unaweza kutaka kuangalia yafuatayo:
- https://github.com/pionxzh/wakaru
-
Javascript decompiler, unpacker na unminify toolkit
Wakaru ni decompiler ya Javascript kwa frontend ya kisasa. Inarejesha msimbo wa asili kutoka kwa chanzo kilichofungwa na kilichotranspiled.
- https://github.com/j4k0xb/webcrack
-
Deobfuscate obfuscator.io, unminify na unpack bundled javascript
- https://github.com/jehna/humanify
-
Un-minify Javascript code using ChatGPT
Zana hii inatumia mifano mikubwa ya lugha (kama ChatGPT & llama2) na zana nyingine kuondoa un-minify Javascript code. Kumbuka kwamba LLMs hazifanyi mabadiliko yoyote ya muundo – zinatoa tu vidokezo vya kubadilisha majina ya mabadiliko na kazi. Kazi nzito inafanywa na Babel kwenye kiwango cha AST ili kuhakikisha msimbo unabaki sawa 1-1.
- https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html
-
Kutumia LLMs kubadilisha majina ya mabadiliko ya Javascript
- Tumia
console.log();
- Tafuta thamani ya kurudi mwishoni na ibadilishe kuwa
console.log(<packerReturnVariable>);ili js iliyondolewa obfuscation iweze kuchapishwa badala ya kutekelezwa. - Kisha, bandika js iliyobadilishwa (na bado imefichwa) kwenye https://jsconsole.com/ ili kuona js iliyondolewa obfuscation ikichapishwa kwenye console.
- Mwishowe, bandika matokeo yaliyondolewa obfuscation kwenye https://prettier.io/playground/ ili kuipamba kwa uchambuzi.
- Kumbuka: Ikiwa bado unaona js iliyofungwa (lakini tofauti), inaweza kuwa imefungwa kwa njia ya kurudi. Rudia mchakato.
References
- YouTube: DAST - Javascript Dynamic Analysis
- https://blog.nvisium.com/angular-for-pentesters-part-1
- https://blog.nvisium.com/angular-for-pentesters-part-2
- devalias's GitHub Gists:
- Deobfuscating / Unminifying Obfuscated Web App Code
- Reverse Engineering Webpack Apps
- etc
Tools
Less Used References
- https://cyberchef.org/
- https://olajs.com/javascript-prettifier
- https://jshint.com/
- https://github.com/jshint/jshint/
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.