# Source code Review / SAST Tools

{{#include ../../banners/hacktricks-training.md}}

## Guidance and Lists of tools

- [**https://owasp.org/www-community/Source_Code_Analysis_Tools**](https://owasp.org/www-community/Source_Code_Analysis_Tools)
- [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis)

## Multi-Language Tools

### [Naxus - AI-Gents](https://www.naxusai.com/)

There is a **free package to review PRs**.

### [**Semgrep**](https://github.com/returntocorp/semgrep)

It is an **Open Source tool**.

#### Supported Languages

| Category     | Languages                                                                                           |
| ------------ | --------------------------------------------------------------------------------------------------- |
| GA           | C# · Go · Java · JavaScript · JSX · JSON · PHP · Python · Ruby · Scala · Terraform · TypeScript · TSX |
| Beta         | Kotlin · Rust                                                                                       |
| Experimental | Bash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp · …           |

#### Quick Start

```bash
# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-cli
brew install semgrep

# Go to your repo code and scan
cd repo
semgrep scan --config auto
```

You can also use the [**semgrep VSCode Extension**](https://marketplace.visualstudio.com/items?itemName=Semgrep.semgrep) to get the findings inside VSCode.

### [**SonarQube**](https://www.sonarsource.com/products/sonarqube/downloads/)

There is an installable **free version**.

#### Quick Start

```bash
# Run the platform in docker
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

# Install cli tool
brew install sonar-scanner

# Go to localhost:9000 and login with the default admin:admin credentials
# Generate a local project and then a TOKEN for it
# Using the token and from the folder with the repo, scan it
cd path/to/repo
sonar-scanner \
  -Dsonar.projectKey=<project-key> \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.token=<token>
```

### CodeQL

There is an **installable free version** but, according to the license, you can **only use the free CodeQL version in Open Source projects**.

#### Install

```bash
# Download your release from https://github.com/github/codeql-action/releases
## Example
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz

# Move it to the destination folder
mkdir ~/codeql
mv codeql-bundle* ~/codeql

# Decompress it
cd ~/codeql
tar -xzvf codeql-bundle-*.tar.gz
rm codeql-bundle-*.tar.gz

# Add to path
echo 'export PATH="$PATH:$HOME/codeql/codeql"' >> ~/.zshrc

# Check it's correctly installed
## Open a new terminal
codeql resolve qlpacks # Get paths to QL packs
```

#### Quick Start - Prepare the database

> [!TIP]
> The first thing you need to do is to **prepare the database** (create the code tree) so the queries can later be run against it.

- You can let codeql automatically identify the language of the repo and create the database.

```bash
codeql database create <database> --source-root <repo>
# Example
codeql database create /path/repo/codeql_db --source-root /path/repo
## DB will be created in /path/repo/codeql_db
```

> [!CAUTION]
> This **will usually throw an error** saying that more than one language was specified (or automatically detected). **Check the next options** to fix this!
- You can **manually indicate** the **repo** and the **language** ([list of languages](https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#running-codeql-database-create)).

```bash
codeql database create <database> --language <language> --source-root <repo>
# Example
codeql database create /path/repo/codeql_db --language javascript --source-root /path/repo
## DB will be created in /path/repo/codeql_db
```

- If your repo uses **more than one language**, you can also create **one DB per language** by listing each language.

```bash
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --source-root /path/to/repo --db-cluster --language "javascript,python"
# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /path/repo/codeql_db --source-root /path/to/repo --db-cluster --language "javascript,python"
## DBs will be created in /path/repo/codeql_db/*
```

- You can also let `codeql` **identify all the languages** for you and create a DB per language. You need to give it a **GITHUB_TOKEN**.

```bash
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --db-cluster --source-root <repo>
# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /tmp/codeql_db --db-cluster --source-root /path/repo
## DBs will be created in /tmp/codeql_db/*
```

#### Quick Start - Analyze the code

> [!TIP]
> Now it's finally time to analyze the code.

Remember that if you used several languages, **a DB per language** would have been created in the path you specified.
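Each `codeql database analyze` run that follows writes one SARIF file per database, and you end up with several of them for a multi-language repo. As an added example (not code from this page, from CodeQL or from GitHub), the following Python script merges such files, buckets the results by rule and SARIF `level`, orders the blocking findings by CodeQL's `security-severity` rule property, and returns a non-zero exit code when anything at or above the chosen level is present, which is how you would gate a CI job on the scan. The two embedded SARIF documents, their rule ids and file paths are constructed for the example; the only assumption is that the real files follow SARIF 2.1.0, which CodeQL's `--format=sarif-latest` guarantees.

```python
"""Merge and triage SARIF output from several CodeQL databases (added example)."""
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed SARIF 2.1.0 documents standing in for codeql_results/*.sarif.
# Field names follow the SARIF spec; rule ids, paths and messages are made up.
SAMPLE_SARIF = {
    "javascript.sarif": {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "CodeQL", "rules": [
                {"id": "js/sql-injection", "properties": {"security-severity": "8.8"}},
                {"id": "js/unused-local-variable", "properties": {"security-severity": "0.0"}},
            ]}},
            "results": [
                {"ruleId": "js/sql-injection", "level": "error",
                 "message": {"text": "Query built from user input"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "src/db.js"}, "region": {"startLine": 42}}}]},
                {"ruleId": "js/unused-local-variable", "level": "note",
                 "message": {"text": "Unused variable x"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "src/util.js"}, "region": {"startLine": 7}}}]},
            ],
        }],
    },
    "python.sarif": {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "CodeQL", "rules": [
                {"id": "py/command-line-injection", "properties": {"security-severity": "9.8"}}]}},
            "results": [
                {"ruleId": "py/command-line-injection", "level": "error",
                 "message": {"text": "Shell command built from user input"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/run.py"}, "region": {"startLine": 15}}}]},
            ],
        }],
    },
}

# SARIF result levels, from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_results(sarif):
    """Flatten one SARIF document into (rule, level, severity, file:line, message) tuples."""
    findings = []
    for run in sarif.get("runs", []):
        # Rule metadata lives in the driver; security-severity is CodeQL's CVSS-like score.
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            sev = float(rules.get(rule_id, {}).get("properties", {}).get("security-severity", 0))
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            where = "%s:%s" % (loc.get("artifactLocation", {}).get("uri", "?"),
                               loc.get("region", {}).get("startLine", "?"))
            findings.append((rule_id, res.get("level", "warning"), sev, where,
                             res.get("message", {}).get("text", "")))
    return findings


def triage(documents, fail_level="error"):
    """Merge SARIF documents; return (counts per level, counts per rule, blocking findings)."""
    findings = [f for doc in documents for f in load_results(doc)]
    by_level = Counter(f[1] for f in findings)
    by_rule = Counter(f[0] for f in findings)
    threshold = LEVEL_RANK[fail_level]
    # Worst security-severity first, so the top of the report is what to fix first.
    blocking = sorted((f for f in findings if LEVEL_RANK.get(f[1], 0) >= threshold),
                      key=lambda f: -f[2])
    return by_level, by_rule, blocking


def main(paths):
    """Load the given .sarif files (or the constructed samples) and return the exit code."""
    docs = [json.loads(Path(p).read_text()) for p in paths] if paths else list(SAMPLE_SARIF.values())
    by_level, by_rule, blocking = triage(docs)
    print("by level:", dict(by_level))
    print("by rule: ", dict(by_rule))
    for rule, level, sev, where, msg in blocking:
        print("[%s %.1f] %s %s: %s" % (level, sev, rule, where, msg))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 triage_sarif.py codeql_results/*.sarif` after the script below; with no arguments it triages the constructed samples. Lower `fail_level` to `warning` if the team also wants CodeQL's non-security warnings to block merges.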
```bash
# Default analysis
codeql database analyze <database> --format=<format> --output=<output>
# Example
codeql database analyze /tmp/codeql_db/javascript --format=sarif-latest --output=/tmp/graphql_results.sarif

# Specify QL pack to use in the analysis
codeql database analyze <database> \
  <ql-pack> \
  --sarif-category=<category> \
  --sarif-add-baseline-file-info \
  --format=<format> \
  --output=<output>
# Example
codeql database analyze /tmp/codeql_db/javascript \
  javascript-security-extended --sarif-category=javascript \
  --sarif-add-baseline-file-info --format=sarif-latest \
  --output=/tmp/sec-extended.sarif
```

#### Quick Start - Scripted

```bash
export GITHUB_TOKEN=ghp_32849y23hij4...
export REPO_PATH=/path/to/repo
export OUTPUT_DIR_PATH="$REPO_PATH/codeql_results"
mkdir -p "$OUTPUT_DIR_PATH"
export FINAL_MSG="Results available in: "

echo "Creating DB"
codeql database create "$REPO_PATH/codeql_db" --db-cluster --source-root "$REPO_PATH"

# One sub-directory per detected language; analyze each into its own SARIF file
for db_dir in "$REPO_PATH"/codeql_db/*/; do
  db="$(basename "$db_dir")"
  echo "Analyzing $db"
  codeql database analyze "$REPO_PATH/codeql_db/$db" --format=sarif-latest --output="${OUTPUT_DIR_PATH}/$db.sarif"
  FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ,"
  echo ""
done
echo "$FINAL_MSG"
```

You can visualize the findings in [**https://microsoft.github.io/sarif-web-component/**](https://microsoft.github.io/sarif-web-component/) or using the VSCode extension [**SARIF viewer**](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer).

You can also use the [**VSCode extension**](https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-codeql) to get the findings inside VSCode. You will still need to create a database manually, but then you can select any files and click on `Right Click` -> `CodeQL: Run Queries in Selected Files`.

### [**Snyk**](https://snyk.io/product/snyk-code/)

There is an installable **free version**.
#### Quick Start

```bash
# Install
sudo npm install -g snyk

# Authenticate (you can use a free account)
snyk auth

# Test for open source vulns & license issues
snyk test [--all-projects]

# Test for code vulnerabilities
## This will upload your code and you need to enable this option in: Settings > Snyk Code
snyk code test

# Test for vulns in images
snyk container test [image]

# Test for IaC vulns
snyk iac test
```

You can also use the [**snyk VSCode Extension**](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner) to get findings inside VSCode.

### [Insider](https://github.com/insidersec/insider)

It's **Open Source**, but looks **unmaintained**.

#### Supported Languages

Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

#### Quick Start

```bash
# Check the correct release for your environment
wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
tar -xf insider_2.1.0_linux_x86_64.tar.gz
chmod +x insider
./insider --tech javascript --target <folder>
```

### [**DeepSource**](https://deepsource.com/pricing)

Free for **public repos**.

## NodeJS

- **`yarn`**

```bash
# Install
brew install yarn

# Run
cd /path/to/repo
yarn install
yarn audit      # In lower versions
yarn npm audit  # In 2+ versions
npm audit
```

- **`pnpm`**

```bash
# Install
npm install -g pnpm

# Run
cd /path/to/repo
pnpm install
pnpm audit
```

- [**nodejsscan**](https://github.com/ajinabraham/nodejsscan)**:** Static security code scanner (SAST) for Node.js applications powered by [libsast](https://github.com/ajinabraham/libsast) and [semgrep](https://github.com/returntocorp/semgrep).
```bash
# Install & run
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest
# Go to localhost:9090
# Upload a zip file with the code
```

- [**RetireJS**](https://github.com/RetireJS/retire.js)**:** The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.

```bash
# Install
npm install -g retire

# Run
cd /path/to/repo
retire --colors
```

## Electron

- [**electronegativity**](https://github.com/doyensec/electronegativity)**:** It's a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

## Python

- [**Bandit**](https://github.com/PyCQA/bandit)**:** Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs the appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

```bash
# Install
pip3 install bandit

# Run
bandit -r <folder>
```

- [**safety**](https://github.com/pyupio/safety): Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for the vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.

```bash
# Install
pip install safety

# Run
safety check
```

- [~~**Pyt**~~](https://github.com/python-security/pyt): Unmaintained.
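The Bandit description above (parse each file into an AST, run plugins against the nodes, report) is the whole mechanism behind most Python SAST tools, and it is small enough to see in full. The following is an added example, not Bandit's code: a `NodeVisitor` over the standard `ast` module with two plugin functions, one for `subprocess`/`os` calls made with `shell=True` or through `os.system`, the other for `eval`/`exec` on anything that is not a string literal. The sample source, the rule ids and the messages are constructed for the example; real Bandit has its own ids, test set and severity/confidence model.

```python
"""Minimal Bandit-style AST scanner (added example, not Bandit's own code)."""
import ast

# Constructed sample: the sort of code such a plugin is meant to catch.
SAMPLE_SOURCE = '''
import os
import subprocess

def list_dir(user_path):
    subprocess.call("ls " + user_path, shell=True)   # flagged: shell=True
    subprocess.run(["ls", user_path])               # not flagged: argv list
    os.system("ls " + user_path)                    # flagged: os.system
    return eval(user_path)                          # flagged: eval on non-literal

eval("1 + 1")                                       # not flagged: literal
'''


def qualified_name(node):
    """Return 'pkg.attr' for Name/Attribute call targets, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return base + "." + node.attr if base else None
    return None


def check_shell_true(call):
    """Plugin: subprocess.* or os.* invoked with shell=True, or os.system itself."""
    name = qualified_name(call.func) or ""
    if name.startswith(("subprocess.", "os.")):
        for kw in call.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                return "SHELL_TRUE", "%s called with shell=True" % name
    if name == "os.system":
        return "SHELL_TRUE", "os.system passes its argument to a shell"
    return None


def check_eval(call):
    """Plugin: eval/exec whose first argument is not a literal."""
    name = qualified_name(call.func)
    if name in ("eval", "exec") and call.args and not isinstance(call.args[0], ast.Constant):
        return "DYNAMIC_EVAL", "%s() on a non-literal argument" % name
    return None


PLUGINS = [check_shell_true, check_eval]


class Scanner(ast.NodeVisitor):
    """Walk the tree once and run every plugin against each Call node."""

    def __init__(self):
        self.findings = []  # (line, rule_id, message)

    def visit_Call(self, node):
        for plugin in PLUGINS:
            hit = plugin(node)
            if hit:
                self.findings.append((node.lineno, hit[0], hit[1]))
        self.generic_visit(node)  # keep descending: calls nest inside calls


def scan_source(source):
    """Parse source text and return findings sorted by line number."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings)


if __name__ == "__main__":
    for line, rule, msg in scan_source(SAMPLE_SOURCE):
        print("line %d [%s] %s" % (line, rule, msg))
```

Because the checks operate on syntax only, they inherit Bandit's blind spots: a `shell=True` passed through `**kwargs`, or `eval` reached via an alias (`e = eval`), is invisible to this kind of plugin, which is where a dataflow engine such as CodeQL or Semgrep's taint mode earns its keep.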
## .NET

```bash
# dnSpy
https://github.com/0xd4d/dnSpy

# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
```

## RUST

```bash
# Install
cargo install cargo-audit

# Run
cargo audit

# Update the Advisory Database
cargo audit fetch
```

## Java

```bash
# JD-Gui
https://github.com/java-decompiler/jd-gui

# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
```

| Task            | Command                                                   |
| --------------- | --------------------------------------------------------- |
| Execute Jar     | java -jar \[jar]                                          |
| Unzip Jar       | unzip -d \[output directory] \[jar]                       |
| Create Jar      | jar -cmf META-INF/MANIFEST.MF \[output jar] \*            |
| Base64 SHA256   | sha256sum \[file] \| cut -d' ' -f1 \| xxd -r -p \| base64 |
| Remove Signing  | rm META-INF/\*.SF META-INF/\*.RSA META-INF/\*.DSA         |
| Delete from Jar | zip -d \[jar] \[file to remove]                           |
| Decompile class | procyon -o . \[path to class]                             |
| Decompile Jar   | procyon -jar \[jar] -o \[output directory]                |
| Compile class   | javac \[path to .java file]                               |

## Go

```bash
https://github.com/securego/gosec
```

## PHP

[Psalm](https://phpmagazine.net/2018/12/find-errors-in-your-php-applications-with-psalm.html) and [PHPStan](https://phpmagazine.net/2020/09/phpstan-pro-edition-launched.html).

### Wordpress Plugins

[https://www.pluginvulnerabilities.com/plugin-security-checker/](https://www.pluginvulnerabilities.com/plugin-security-checker/)

## Solidity

- [https://www.npmjs.com/package/solium](https://www.npmjs.com/package/solium)

## JavaScript

### Discovery

1. Burp:
   - Spider and discover content
   - Sitemap > filter
   - Sitemap > right-click domain > Engagement tools > Find scripts
2. [WaybackURLs](https://github.com/tomnomnom/waybackurls):
   - `waybackurls <domain> | grep -i "\.js" | sort -u`

### Static Analysis

#### Unminimize/Beautify/Prettify

- [https://prettier.io/playground/](https://prettier.io/playground/)
- [https://beautifier.io/](https://beautifier.io/)
- See also some of the tools mentioned in 'Deobfuscate/Unpack' below.

#### Deobfuscate/Unpack

**Note**: It may not be possible to fully deobfuscate.

1. Find and use .map files:
   - If the .map files are exposed, they can be used to easily deobfuscate.
   - Commonly, foo.js.map maps to foo.js. Manually look for them.
   - Use [JS Miner](https://github.com/PortSwigger/js-miner) to look for them.
     - Ensure an active scan is conducted.
     - Read '[Tips/Notes](https://github.com/minamo7sen/burp-JS-Miner/wiki#tips--notes)'.
   - If found, use [Maximize](https://www.npmjs.com/package/maximize) to deobfuscate.
2. Without .map files, try JSnice:
   - References: [http://jsnice.org/](http://jsnice.org/) & [https://www.npmjs.com/package/jsnice](https://www.npmjs.com/package/jsnice)
   - Tips:
     - If using jsnice.org, click the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce clutter in the code.
     - Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
3. For some more modern alternatives to JSNice, consider:
   - [https://github.com/pionxzh/wakaru](https://github.com/pionxzh/wakaru)
     - > Javascript decompiler, unpacker and unminify toolkit. Wakaru is the Javascript decompiler for modern frontend. It brings back the original code from a bundled and transpiled source.
   - [https://github.com/j4k0xb/webcrack](https://github.com/j4k0xb/webcrack)
     - > Deobfuscate obfuscator.io, unminify and unpack bundled javascript
   - [https://github.com/jehna/humanify](https://github.com/jehna/humanify)
     - > Un-minify Javascript code using ChatGPT. This tool uses large language models (like ChatGPT & llama2) and other tools to un-minify Javascript code. Note that LLMs don't perform any structural changes, they only provide hints to rename variables and functions. The heavy lifting is done by Babel on AST level to ensure code stays 1-1 equivalent.
   - [https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html](https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html)
     - > Using LLMs to reverse JavaScript variable name minification
4. Use `console.log()`:
   - Find the return value at the end and change it to `console.log();` so the deobfuscated js is printed instead of being executed.
   - Then, paste the modified (and still obfuscated) js into [https://jsconsole.com/](https://jsconsole.com/) to see the deobfuscated js in the console.
   - Finally, paste the deobfuscated output into [https://prettier.io/playground/](https://prettier.io/playground/) to beautify it for analysis.
   - **Note**: If you still see packed (but different) js, it may be recursively packed. Repeat the process.
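The first step of the list above, recovering original code from an exposed `.map` file, needs no special tooling once you know where the map is and what it contains. The following is an added example, not code from this page or from any tool it lists: it reads the `//# sourceMappingURL=` comment a bundler leaves at the end of a minified file (falling back to the `foo.js.map` beside `foo.js` convention when the comment is missing), resolves it against the bundle's URL, and then pulls the original files out of the map's `sourcesContent` array, which is where webpack and friends embed the pre-minification code. The `mappings` field is never decoded, because readable source is what you want for review and `sourcesContent` already holds it. The bundle, the map, the `example.test` URL and the file names are all constructed for the example; `safe_relative_path` exists because `sources` entries come from the target and a `../` in one must not be allowed to write outside the output directory.

```python
"""Recover original sources from an exposed JavaScript source map (added example)."""
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urljoin

# Constructed minified bundle ending in the usual pointer to its map.
BUNDLE_JS = ('function a(b){return b.split("=")[1]}var t=a(location.search);'
             '//# sourceMappingURL=app.min.js.map\n')

# Constructed source map (v3). sourcesContent is what we are after; the
# "mappings" VLQ string is irrelevant for recovering readable code.
BUNDLE_MAP = {
    "version": 3,
    "file": "app.min.js",
    "sources": ["webpack:///src/auth.js", "../src/token.js"],
    "sourcesContent": [
        "export function parseToken(query) {\n  return query.split('=')[1];\n}\n",
        "import { parseToken } from './auth';\nconst token = parseToken(location.search);\n",
    ],
    "names": [],
    "mappings": "AAAA",
}

# Both `//#` and the older `//@` spellings are used in the wild.
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)


def find_sourcemap_url(js_text, bundle_url="https://example.test/static/app.min.js"):
    """Resolve the map URL declared in the bundle; guess <bundle>.map if none is declared."""
    m = SOURCEMAP_RE.search(js_text)
    if not m:
        return bundle_url + ".map"  # the foo.js -> foo.js.map convention
    return urljoin(bundle_url, m.group(1))


def safe_relative_path(source_name):
    """Turn a map `sources` entry into a path that cannot escape the output directory."""
    name = re.sub(r"^[a-z]+:///?", "", source_name)  # strip webpack:/// and similar schemes
    parts = [p for p in name.split("/") if p not in ("", ".", "..")]
    return Path(*parts) if parts else Path("unnamed.js")


def extract_sources(source_map):
    """Return {relative_path: original_source} for every source with embedded content."""
    sources = source_map.get("sources", [])
    contents = source_map.get("sourcesContent") or []
    recovered = {}
    for i, name in enumerate(sources):
        content = contents[i] if i < len(contents) else None
        if content is None:
            continue  # the bundler stripped the content; only the file name survives
        recovered[safe_relative_path(name).as_posix()] = content
    return recovered


def write_sources(recovered, out_dir):
    """Write the recovered files under out_dir and return the paths written."""
    out = Path(out_dir)
    for rel, content in recovered.items():
        target = out / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return sorted(p.relative_to(out).as_posix() for p in out.rglob("*") if p.is_file())


if __name__ == "__main__":
    print("map URL:", find_sourcemap_url(BUNDLE_JS))
    recovered = extract_sources(BUNDLE_MAP)  # in practice: json.loads(fetched map body)
    with tempfile.TemporaryDirectory() as tmp:
        for path in write_sources(recovered, tmp):
            print("recovered", path)
            print(Path(tmp, path).read_text())
```

When a map has `sources` but no `sourcesContent`, this recovers nothing and you are back to JSnice or the tools in step 3; the original file names it still reveals are worth noting anyway, since they often expose the project layout and third-party packages in use.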
#### References

- [YouTube: DAST - Javascript Dynamic Analysis](https://www.youtube.com/watch?v=_v8r_t4v6hQ)
- [https://blog.nvisium.com/angular-for-pentesters-part-1](https://web.archive.org/web/20221226054137/https://blog.nvisium.com/angular-for-pentesters-part-1)
- [https://blog.nvisium.com/angular-for-pentesters-part-2](https://web.archive.org/web/20230204012439/https://blog.nvisium.com/angular-for-pentesters-part-2)
- [devalias](https://twitter.com/_devalias)'s [GitHub Gists](https://gist.github.com/0xdevalias):
  - [Deobfuscating / Unminifying Obfuscated Web App Code](https://gist.github.com/0xdevalias/d8b743efb82c0e9406fc69da0d6c6581#deobfuscating--unminifying-obfuscated-web-app-code)
  - [Reverse Engineering Webpack Apps](https://gist.github.com/0xdevalias/8c621c5d09d780b1d321bfdb86d67cdd#reverse-engineering-webpack-apps)
  - [etc](https://gist.github.com/search?q=user:0xdevalias+javascript)

#### Tools

- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader](https://portswigger.net/burp/documentation/desktop/tools/dom-invader)

#### Less Used References

- [https://cyberchef.org/](https://cyberchef.org/)
- [https://olajs.com/javascript-prettifier](https://olajs.com/javascript-prettifier)
- [https://jshint.com/](https://jshint.com/)
- [https://github.com/jshint/jshint/](https://github.com/jshint/jshint/)

{{#include ../../banners/hacktricks-training.md}}