Mwongozo na & Orodha ya zana

• https://owasp.org/www-community/Source_Code_Analysis_Tools

• https://github.com/analysis-tools-dev/static-analysis

Zana za Lugha Nyingi

Naxus - AI-Gents

Kuna mfuko wa bure wa kupitia PRs.

Semgrep

Ni zana ya chanzo wazi.

Lugha Zinazoungwa Mkono

Kuanza Haraka

# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-cli
brew install semgrep

# Go to your repo code and scan
cd repo
semgrep scan --config auto

Unaweza pia kutumia Kifaa cha Uzalishaji wa VSCode cha semgrep kupata matokeo ndani ya VSCode.

SonarQube

Kuna toleo huru linaloweza kusakinishwa.

Kuanza Haraka

# Run the paltform in docker
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
# Install cli tool
brew install sonar-scanner

# Go to localhost:9000 and login with admin:admin or admin:sonar
# Generate a local project and then a TOKEN for it

# Using the token and from the folder with the repo, scan it
cd path/to/repo
sonar-scanner \
-Dsonar.projectKey=<project-name> \
-Dsonar.sources=. \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.token=<sonar_project_token>

CodeQL

Kuna toleo la bure linaloweza kusakinishwa lakini kulingana na leseni unaweza kutumia toleo la bure la CodeQL katika miradi ya chanzo wazi tu.

Sakinisha

# Download your release from https://github.com/github/codeql-action/releases
## Example
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz

# Move it to the destination folder
mkdir ~/codeql
mv codeql-bundle* ~/codeql

# Decompress it
cd ~/codeql
tar -xzvf codeql-bundle-*.tar.gz
rm codeql-bundle-*.tar.gz

# Add to path
echo 'export PATH="$PATH:/Users/username/codeql/codeql"' >> ~/.zshrc

# Check it's correctly installed
## Open a new terminal
codeql resolve qlpacks #Get paths to QL packs

Kuanza Haraka - Andaa database

• Unaweza kuruhusu codeql kutambua lugha ya repo kiotomatiki na kuunda database

codeql database create <database> --language <language>

# Example
codeql database create /path/repo/codeql_db --source-root /path/repo
## DB will be created in /path/repo/codeql_db

• Unaweza kufanya hivi kwa mkono ukionyesha repo na lugha (orodha ya lugha)

codeql database create <database> --language <language> --source-root </path/to/repo>

# Example
codeql database create /path/repo/codeql_db --language javascript --source-root /path/repo
## DB will be created in /path/repo/codeql_db

• Ikiwa repo yako inatumia lugha zaidi ya 1, unaweza pia kuunda DB 1 kwa kila lugha ikionyesha kila lugha.

export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --source-root /path/to/repo --db-cluster --language "javascript,python"

# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /path/repo/codeql_db --source-root /path/to/repo --db-cluster --language "javascript,python"
## DBs will be created in /path/repo/codeql_db/*

• Unaweza pia kuruhusu codeql kutambua lugha zote kwa niaba yako na kuunda DB kwa kila lugha. Unahitaji kumpa GITHUB_TOKEN.

export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --db-cluster --source-root </path/to/repo>

# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /tmp/codeql_db --db-cluster --source-root /path/repo
## DBs will be created in /path/repo/codeql_db/*

Anza Haraka - Tathmini nambari

Kumbuka kwamba ikiwa ulitumia lugha kadhaa, DB kwa kila lugha ingekuwa imeundwa katika njia uliyotaja.

# Default analysis
codeql database analyze <database> --format=<format> --output=</out/file/path>
# Example
codeql database analyze /tmp/codeql_db/javascript --format=sarif-latest --output=/tmp/graphql_results.sarif

# Specify QL pack to use in the analysis
codeql database analyze <database> \
<qls pack> --sarif-category=<language> \
--sarif-add-baseline-file-info \ --format=<format> \
--output=/out/file/path>
# Example
codeql database analyze /tmp/codeql_db \
javascript-security-extended --sarif-category=javascript \
--sarif-add-baseline-file-info --format=sarif-latest \
--output=/tmp/sec-extended.sarif

Kuanza Haraka - Kimeandikwa

export GITHUB_TOKEN=ghp_32849y23hij4...
export REPO_PATH=/path/to/repo
export OUTPUT_DIR_PATH="$REPO_PATH/codeql_results"
mkdir -p "$OUTPUT_DIR_PATH"
export FINAL_MSG="Results available in: "

echo "Creating DB"
codeql database create "$REPO_PATH/codeql_db" --db-cluster --source-root "$REPO_PATH"
for db in `ls "$REPO_PATH/codeql_db"`; do
echo "Analyzing $db"
codeql database analyze "$REPO_PATH/codeql_db/$db" --format=sarif-latest --output="${OUTPUT_DIR_PATH}/$db).sarif"
FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ,"
echo ""
done

echo $FINAL_MSG

Unaweza kuona matokeo kwenye https://microsoft.github.io/sarif-web-component/ au kutumia kifaa cha VSCode SARIF viewer.

Unaweza pia kutumia kifaa cha VSCode kupata matokeo ndani ya VSCode. Bado utahitaji kuunda database kwa mkono, lakini baadaye unaweza kuchagua faili yoyote na bonyeza Right Click -> CodeQL: Run Queries in Selected Files

Snyk

Kuna toleo la bure linaloweza kusakinishwa.

Kuanza Haraka

# Install
sudo npm install -g snyk

# Authenticate (you can use a free account)
snyk auth

# Test for open source vulns & license issues
snyk test [--all-projects]

# Test for code vulnerabilities
## This will upload your code and you need to enable this option in: Settings > Snyk Code
snyk test code

# Test for vulns in images
snyk container test [image]

# Test for IaC vulns
snyk iac test

Unaweza pia kutumia snyk VSCode Extension kupata matokeo ndani ya VSCode.

Insider

Ni Chanzo Huru, lakini inaonekana haijatunzwa.

Lugha Zinazoungwa mkono

Java (Maven na Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, na Javascript (Node.js).

Kuanza Haraka

# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
$ tar -xf insider_2.1.0_linux_x86_64.tar.gz
$ chmod +x insider
$ ./insider --tech javascript  --target <projectfolder>

DeepSource

Bure kwa repos za umma.

NodeJS

• yarn

# Install
brew install yarn
# Run
cd /path/to/repo
yarn audit
npm audit

• pnpm

# Install
npm install -g pnpm
# Run
cd /path/to/repo
pnpm audit

• nodejsscan: Kijikagua msimbo wa usalama wa statiki (SAST) kwa maombi ya Node.js yaliyotumia libsast na semgrep.

# Install & run
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest
# Got to localhost:9090
# Upload a zip file with the code

• RetireJS: Lengo la Retire.js ni kukusaidia kugundua matumizi ya toleo la maktaba ya JS lenye mapungufu yanayojulikana.

# Install
npm install -g retire
# Run
cd /path/to/repo
retire --colors

Electron

• electronegativity: Ni chombo cha kutambua mipangilio isiyo sahihi na mifano ya usalama katika programu zinazotumia Electron.

Python

• Bandit: Bandit ni chombo kilichoundwa kwa lengo la kutambua masuala ya kawaida ya usalama katika nambari za Python. Ili kufanya hivyo, Bandit huprocess kila faili, hujenga AST kutoka kwake, na hutekeleza programu husika dhidi ya nodi za AST. Mara Bandit inapomaliza kutafuta faili zote, inazalisha ripoti.

# Install
pip3 install bandit

# Run
bandit -r <path to folder>

• usalama: Usalama hufanya ukaguzi wa mahitaji ya Python kwa mapungufu ya usalama yanayojulikana na kupendekeza marekebisho sahihi kwa mapungufu yaliyogunduliwa. Usalama inaweza kukimbia kwenye mashine za waendelezaji, kwenye mifumo ya CI/CD na kwenye mifumo ya uzalishaji.

# Install
pip install safety
# Run
safety check

• Pyt: Haijasimamiwa.

.NET

# dnSpy
https://github.com/0xd4d/dnSpy

# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs

RUST

RUST

RUST ni lugha ya programu ya kisasa inayojulikana kwa usalama wake na utendaji wake wa haraka. Ni chaguo bora kwa maendeleo ya zana za usalama na upimaji wa usalama.

# Install
cargo install cargo-audit

# Run
cargo audit

#Update the Advisory Database
cargo audit fetch

Java

FindBugs

FindBugs ni chombo cha kupima ubora wa nambari kinachotumika kugundua kasoro za kawaida katika programu za Java.

PMD

PMD ni chombo kingine cha kupima ubora wa nambari kinachotumika kugundua makosa ya kawaida katika nambari za Java.

Checkstyle

Checkstyle ni chombo kingine cha kupima ubora wa nambari kinachotumika kuhakiki ikiwa nambari inazingatia viwango vilivyowekwa.

# JD-Gui
https://github.com/java-decompiler/jd-gui

# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class

Endelea

https://github.com/securego/gosec

PHP

Psalm na PHPStan.

Wordpress Plugins

https://www.pluginvulnerabilities.com/plugin-security-checker/

Solidity

• https://www.npmjs.com/package/solium

JavaScript

Ugunduzi

1. Burp:

• Spider na ugundue maudhui

• Sitemap > kichuja

• Sitemap > bofya-kulia kwenye kikoa > Zana za Ushirikiano > Tafuta skripti

2. WaybackURLs:

• waybackurls <kikoa> |grep -i "\.js" |sort -u

Uchambuzi Statis

Unminimize/Beautify/Prettify

• https://prettier.io/playground/

• https://beautifier.io/

• Angalia baadhi ya zana zilizotajwa katika 'Deobfuscate/Unpack' hapo chini pia.

Deobfuscate/Unpack

Angalia: Huenda isingewezekana kudeobfuscate kabisa.

1. Tafuta na tumia faili za .map:

• Ikiwa faili za .map zimefunuliwa, zinaweza kutumika kudeobfuscate kwa urahisi.

• Kawaida, foo.js.map inalingana na foo.js. Tafuta kwa mikono.

• Tumia JS Miner kuzitafuta.

• Hakikisha uchanganuzi wa moja kwa moja unafanywa.

• Soma 'Vidokezo/Maelezo'

• Ikiwa zimepatikana, tumia Maximize kudeobfuscate.

2. Bila faili za .map, jaribu JSnice:

• Marejeo: http://jsnice.org/ & https://www.npmjs.com/package/jsnice

• Vidokezo:

• Ikiwa unatumia jsnice.org, bofya kitufe cha chaguo karibu na kitufe cha "Nicify JavaScript", na batilisha "Infer types" ili kupunguza kuchafua kwa namna ya maoni kwenye msimbo.

• Hakikisha hauachi mistari tupu kabla ya skripti, kwani inaweza kuathiri mchakato wa kudeobfuscate na kutoa matokeo yasiyo sahihi.

4. Kwa baadhi ya mbadala wa kisasa zaidi kwa JSNice, unaweza kutaka kutazama yafuatayo:

• https://github.com/pionxzh/wakaru

• Decompiler ya Javascript, unpacker na zana ya unminify

Wakaru ni decompiler ya Javascript kwa mbele ya kisasa. Inarudisha msimbo halisi kutoka chanzo kilichobebwa na kubadilishwa.

• https://github.com/j4k0xb/webcrack

• Deobfuscate obfuscator.io, unminify na unpack javascript iliyobebwa

• https://github.com/jehna/humanify

• Un-minify msimbo wa Javascript kwa kutumia ChatGPT

Zana hii hutumia mifano mikubwa ya lugha (kama ChatGPT & llama2) na zana nyingine kudeobfuscate msimbo wa Javascript. Tafadhali kumbuka kuwa LLMs hazifanyi mabadiliko yoyote ya kimuundo - zinatoa viashiria vya kubadilisha majina ya pembejeo na kazi. Kazi kubwa inafanywa na Babel kwenye kiwango cha AST ili kuhakikisha msimbo unabaki sawa 1-1.

• https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html

• Kutumia LLMs kubadilisha majina ya pembejeo ya Javascript vilivyominify

3. Tumia console.log();

• Tafuta thamani ya kurudi mwishoni na ibadilishe kuwa console.log(<packerReturnVariable>); ili msimbo uliokudeobfuscate uchapishwe badala ya kutekelezwa.

• Kisha, bandika msimbo uliobadilishwa (na bado umefichwa) kwenye https://jsconsole.com/ kuona msimbo uliokudeobfuscate ukiandikwa kwenye konsoli.

• Hatimaye, bandika pato lililokudeobfuscate kwenye https://prettier.io/playground/ ili kuupendezesha kwa uchambuzi.

• Angalia: Ikiwa bado unaona msimbo uliobebwa (lakini tofauti), huenda umepakiwa kwa njia ya kurudiarudia. Rudia mchakato.

Marejeo

• YouTube: DAST - Uchambuzi wa Kudumu wa Javascript

• https://blog.nvisium.com/angular-for-pentesters-part-1

• https://blog.nvisium.com/angular-for-pentesters-part-2

• devalias's GitHub Gists:

• Kudeobfuscate / Kufanya Minify Msimbo wa Programu ya Wavuti

• Reverse Engineering Webpack Apps

• n.k.

Zana

• https://portswigger.net/burp/documentation/desktop/tools/dom-invader

Marejeo Yanayotumiwa Kidogo

• https://cyberchef.org/

• https://olajs.com/javascript-prettifier

• https://jshint.com/

• https://github.com/jshint/jshint/