Source code Review / SAST Tools

Reading time: 13 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Guidance and & Lists of tools

Multi-Language Tools

Naxus - AI-Gents

There is a free package to review PRs.

Semgrep

It's an Open Source tool.

Supported Languages

CategoryLanguages
GAC# · Go · Java · JavaScript · JSX · JSON · PHP · Python · Ruby · Scala · Terraform · TypeScript · TSX
BetaKotlin · Rust
ExperimentalBash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp ·

Quick Start

bash
# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-cli brew install semgrep # Go to your repo code and scan cd repo semgrep scan --config auto

You can also use the semgrep VSCode Extension to get the findings inside VSCode.

SonarQube

There is an installable free version.

Quick Start

bash
# Run the paltform in docker docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest # Install cli tool brew install sonar-scanner # Go to localhost:9000 and login with admin:admin or admin:sonar # Generate a local project and then a TOKEN for it # Using the token and from the folder with the repo, scan it cd path/to/repo sonar-scanner \ -Dsonar.projectKey=<project-name> \ -Dsonar.sources=. \ -Dsonar.host.url=http://localhost:9000 \ -Dsonar.token=<sonar_project_token>

CodeQL

There is an installable free version but according to the license you can only use free codeQL version in Open Source projects.

Install

bash
# Download your release from https://github.com/github/codeql-action/releases ## Example wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz # Move it to the destination folder mkdir ~/codeql mv codeql-bundle* ~/codeql # Decompress it cd ~/codeql tar -xzvf codeql-bundle-*.tar.gz rm codeql-bundle-*.tar.gz # Add to path echo 'export PATH="$PATH:/Users/username/codeql/codeql"' >> ~/.zshrc # Check it's correctly installed ## Open a new terminal codeql resolve qlpacks #Get paths to QL packs

Quick Start - Prepare the database

tip

The first thing you need to do is to prepare the database (create the code tree) so later the queries are run over it.

  • You can allow codeql to automatically identify the language of the repo and create the database
bash
codeql database create <database> --language <language> # Example codeql database create /path/repo/codeql_db --source-root /path/repo ## DB will be created in /path/repo/codeql_db

caution

This will usually trigger and error saying that more than one language was specified (or automatically detected). Check the next options to fix this!

bash
codeql database create <database> --language <language> --source-root </path/to/repo> # Example codeql database create /path/repo/codeql_db --language javascript --source-root /path/repo ## DB will be created in /path/repo/codeql_db
  • If your repo is using more than 1 language, you can also create 1 DB per language indicating each language.
bash
export GITHUB_TOKEN=ghp_32849y23hij4... codeql database create <database> --source-root /path/to/repo --db-cluster --language "javascript,python" # Example export GITHUB_TOKEN=ghp_32849y23hij4... codeql database create /path/repo/codeql_db --source-root /path/to/repo --db-cluster --language "javascript,python" ## DBs will be created in /path/repo/codeql_db/*
  • You can also allow codeql to identify all the languages for you and create a DB per language. You need to give it a GITHUB_TOKEN.
bash
export GITHUB_TOKEN=ghp_32849y23hij4... codeql database create <database> --db-cluster --source-root </path/to/repo> # Example export GITHUB_TOKEN=ghp_32849y23hij4... codeql database create /tmp/codeql_db --db-cluster --source-root /path/repo ## DBs will be created in /path/repo/codeql_db/*

Quick Start - Analyze the code

tip

Now it's finally time to analyze the code

Remember that if you used several languages, a DB per language would have been crated in the path you specified.

bash
# Default analysis codeql database analyze <database> --format=<format> --output=</out/file/path> # Example codeql database analyze /tmp/codeql_db/javascript --format=sarif-latest --output=/tmp/graphql_results.sarif # Specify QL pack to use in the analysis codeql database analyze <database> \ <qls pack> --sarif-category=<language> \ --sarif-add-baseline-file-info \ --format=<format> \ --output=/out/file/path> # Example codeql database analyze /tmp/codeql_db \ javascript-security-extended --sarif-category=javascript \ --sarif-add-baseline-file-info --format=sarif-latest \ --output=/tmp/sec-extended.sarif

Quick Start - Scripted

bash
export GITHUB_TOKEN=ghp_32849y23hij4... export REPO_PATH=/path/to/repo export OUTPUT_DIR_PATH="$REPO_PATH/codeql_results" mkdir -p "$OUTPUT_DIR_PATH" export FINAL_MSG="Results available in: " echo "Creating DB" codeql database create "$REPO_PATH/codeql_db" --db-cluster --source-root "$REPO_PATH" for db in `ls "$REPO_PATH/codeql_db"`; do echo "Analyzing $db" codeql database analyze "$REPO_PATH/codeql_db/$db" --format=sarif-latest --output="${OUTPUT_DIR_PATH}/$db).sarif" FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ," echo "" done echo $FINAL_MSG

You can visualize the findings in https://microsoft.github.io/sarif-web-component/ or using VSCode extension SARIF viewer.

You can also use the VSCode extension to get the findings inside VSCode. You will still need to create a database manually, but then you can select any files and click on Right Click -> CodeQL: Run Queries in Selected Files

Snyk

There is an installable free version.

Quick Start

bash
# Install sudo npm install -g snyk # Authenticate (you can use a free account) snyk auth # Test for open source vulns & license issues snyk test [--all-projects] # Test for code vulnerabilities ## This will upload your code and you need to enable this option in: Settings > Snyk Code snyk test code # Test for vulns in images snyk container test [image] # Test for IaC vulns snyk iac test

You can also use the snyk VSCode Extension to get findings inside VSCode.

Insider

It's Open Source, but looks unmaintained.

Supported Languages

Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

Quick Start

bash
# Check the correct release for your environment $ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz $ tar -xf insider_2.1.0_linux_x86_64.tar.gz $ chmod +x insider $ ./insider --tech javascript --target <projectfolder>

DeepSource

Free for public repos.

NodeJS

  • yarn
bash
# Install brew install yarn # Run cd /path/to/repo yarn install yarn audit # In lower versions yarn npm audit # In 2+ versions npm audit
  • pnpm
bash
# Install npm install -g pnpm # Run cd /path/to/repo pnpm install pnpm audit
bash
# Install & run docker run -it -p 9090:9090 opensecurity/nodejsscan:latest # Got to localhost:9090 # Upload a zip file with the code
  • RetireJS: The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
bash
# Install npm install -g retire # Run cd /path/to/repo retire --colors

Electron

  • electronegativity: It's a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

Python

  • Bandit: Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
bash
# Install pip3 install bandit # Run bandit -r <path to folder>
  • safety: Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.
bash
# Install pip install safety # Run safety check
  • Pyt: Unmaintained.

.NET

bash
# dnSpy https://github.com/0xd4d/dnSpy # .NET compilation C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs

RUST

bash
# Install cargo install cargo-audit # Run cargo audit #Update the Advisory Database cargo audit fetch

Java

bash
# JD-Gui https://github.com/java-decompiler/jd-gui # Java compilation step-by-step javac -source 1.8 -target 1.8 test.java mkdir META-INF echo "Main-Class: test" > META-INF/MANIFEST.MF jar cmvf META-INF/MANIFEST.MF test.jar test.class
TaskCommand
Execute Jarjava -jar [jar]
Unzip Jarunzip -d [output directory] [jar]
Create Jarjar -cmf META-INF/MANIFEST.MF [output jar] *
Base64 SHA256sha256sum [file] | cut -d' ' -f1 | xxd -r -p | base64
Remove Signingrm META-INF/.SF META-INF/.RSA META-INF/*.DSA
Delete from Jarzip -d [jar] [file to remove]
Decompile classprocyon -o . [path to class]
Decompile Jarprocyon -jar [jar] -o [output directory]
Compile classjavac [path to .java file]

Go

bash
https://github.com/securego/gosec

PHP

Psalm and PHPStan.

Wordpress Plugins

https://www.pluginvulnerabilities.com/plugin-security-checker/

Solidity

JavaScript

Discovery

  1. Burp:
    • Spider and discover content
    • Sitemap > filter
    • Sitemap > right-click domain > Engagement tools > Find scripts
  2. WaybackURLs:
    • waybackurls <domain> |grep -i "\.js" |sort -u

Static Analysis

Unminimize/Beautify/Prettify

Deobfuscate/Unpack

Note: It may not be possible to fully deobfuscate.

  1. Find and use .map files:
    • If the .map files are exposed, they can be used to easily deobfuscate.
    • Commonly, foo.js.map maps to foo.js. Manually look for them.
    • Use JS Miner to look for them.
    • Ensure active scan is conducted.
    • Read 'Tips/Notes'
    • If found, use Maximize to deobfuscate.
  2. Without .map files, try JSnice:
    • References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
    • Tips:
      • If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
      • Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
  3. For some more modern alternatives to JSNice, you might like to look at the following:
  1. Use console.log();
    • Find the return value at the end and change it to console.log(<packerReturnVariable>); so the deobfuscated js is printed instead of being executing.
    • Then, paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console.
    • Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
    • Note: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process.

References

Tools

Less Used References

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks