# Code Review Tools
๐ŸŽ™๏ธ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ๐ŸŽ™๏ธ - ๐ŸŽฅ Youtube ๐ŸŽฅ - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**๐Ÿ’ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐Ÿฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
## General

* [**https://owasp.org/www-community/Source_Code_Analysis_Tools**](https://owasp.org/www-community/Source_Code_Analysis_Tools)
* [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis)

```bash
https://www.sonarqube.org/downloads/
https://deepsource.io/signup/
https://github.com/pyupio/safety
https://github.com/returntocorp/semgrep
https://github.com/WhaleShark-Team/cobra
https://github.com/insidersec/insider

# Find interesting strings
https://github.com/s0md3v/hardcodes
https://github.com/micha3lb3n/SourceWolf
https://libraries.io/pypi/detect-secrets
```

## JavaScript

### Discovery

1. Burp:
   - Spider and discover content
   - Sitemap > filter
   - Sitemap > right-click domain > Engagement tools > Find scripts
2. [WaybackURLs](https://github.com/tomnomnom/waybackurls):
   - `waybackurls | grep -i "\.js" | sort -u`

### Static Analysis

#### Unminimize/Beautify/Prettify

- https://prettier.io/playground/
- https://beautifier.io/

#### Deobfuscate/Unpack

__Note__: It may not be possible to fully deobfuscate.

1. Find and use .map files:
   - If the .map files are exposed, they can be used to easily deobfuscate.
   - Commonly, foo.js.map maps to foo.js. Manually look for them.
   - Use [JS Miner](https://github.com/PortSwigger/js-miner) to look for them.
     - Ensure active scan is conducted.
     - Read '[Tips/Notes](https://github.com/minamo7sen/burp-JS-Miner/wiki#tips--notes)'
   - If found, use [Maximize](https://www.npmjs.com/package/maximize) to deobfuscate.
2. Without .map files, try JSnice:
   - References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
   - Tips:
     - If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
     - Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
3. Use console.log();
   - Find the return value at the end and change it to `console.log();` so the deobfuscated js is printed instead of being executed.
   - Then, paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console.
   - Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
   - __Note__: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process.

#### Analyze

References: https://medium.com/techiepedia/javascript-code-review-guide-for-bug-bounty-hunters-c95a8aa7037a

Look for:

- Anti-debug loading
- Angular: [enableProdMode](https://blog.nvisium.com/angular-for-pentesters-part-2)
- Secrets
  - Use:
    - [JS Miner](https://github.com/PortSwigger/js-miner)
    - [RegHex](https://github.com/l4yton/RegHex) patterns
    - [gf](https://github.com/tomnomnom/gf/tree/master/examples) patterns
    - Grep relevant dictionary patterns:
      - pass, user, admin
      - auth, login, sign, challenge, 2fa
      - key, apikey, api_key, api-key, jwt, token
      - secret, security, secure
      - ...
    - Manual review
  - If an API key is found, check here for potential usage syntax: https://github.com/streaak/keyhacks.
- Vuln functions
  - InnerHTML()
    - If you found this, it means there is a potential chance for XSS if no proper sanitisation takes place. Even if your payload is sanitised, don't worry. Trace the code to find out where the sanitisation takes place. Study it and try to get around the sanitisation.
  - Postmessage()
    - If you have read my previous post (https://medium.com/techiepedia/what-are-sop-cors-and-ways-to-exploit-it-62a5e02100dc), you would notice that Postmessage() might lead to a potential CORS issue. If the second parameter of the function is set to *, you are the lucky one. Check out my previous post to understand more about the mechanism behind it.
  - String.prototype.search()
    - This function looks normal. Why would it be a dangerous function? Well, it is because some developers use this to find the occurrence of a string inside another string. However, "." is treated as a wildcard in this function. So, if this function is used as a sanitisation check, you can simply bypass it by inputting ".". Check out Filedescryptor's hackerone report: https://hackerone.com/reports/129873
- Endpoints & params
  - Use [LinkFinder](https://github.com/GerbenJavado/LinkFinder) & [JS Miner](https://github.com/PortSwigger/js-miner).
- Vuln libs & deps
  - Use [Retire.js](https://retirejs.github.io/retire.js/) and [NPM](https://snyk.io/advisor/) (scroll down to security section > all versions link).
- Cloud URLs
  - Use [JS Miner](https://github.com/PortSwigger/js-miner).
- Subdomains
  - Use [JS Miner](https://github.com/PortSwigger/js-miner).
- Logic Flaws
  - Gain situational awareness:
    - `use strict;`?
    - Grep for client-side controls:
      - disable, enable, hidden, hide, show
      - catch, finally, throw, try
      - input, validate, verify, valid, correct, check, confirm, require, ..
    - Grep for non-primitives:
      - function , =>
      - class

### Dynamic Analysis

References

- https://www.youtube.com/watch?v=_v8r_t4v6hQ
- https://blog.nvisium.com/angular-for-pentesters-part-1
- https://blog.nvisium.com/angular-for-pentesters-part-2

Tools

- https://portswigger.net/burp/documentation/desktop/tools/dom-invader

#### Less Used References

- https://cyberchef.org/
- https://olajs.com/javascript-prettifier
- https://jshint.com/
- https://github.com/jshint/jshint/

## NodeJS

```
https://github.com/ajinabraham/nodejsscan
```

## Electron

```
https://github.com/doyensec/electronegativity
```

## Python

```bash
# bandit
https://github.com/PyCQA/bandit

# pyt
https://github.com/python-security/pyt
```

## .NET

```bash
# dnSpy
https://github.com/0xd4d/dnSpy

# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
```

## Java

```bash
# JD-Gui
https://github.com/java-decompiler/jd-gui

# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
```

| Task | Command |
| --------------- | --------------------------------------------------------- |
| Execute Jar | `java -jar [jar]` |
| Unzip Jar | `unzip -d [output directory] [jar]` |
| Create Jar | `jar -cmf META-INF/MANIFEST.MF [output jar] *` |
| Base64 SHA256 | `sha256sum [file] \| cut -d' ' -f1 \| xxd -r -p \| base64` |
| Remove Signing | `rm META-INF/*.SF META-INF/*.RSA META-INF/*.DSA` |
| Delete from Jar | `zip -d [jar] [file to remove]` |
| Decompile class | `procyon -o . [path to class]` |
| Decompile Jar | `procyon -jar [jar] -o [output directory]` |
| Compile class | `javac [path to .java file]` |

## Go

```bash
https://github.com/securego/gosec
```

## PHP

[Psalm](https://phpmagazine.net/2018/12/find-errors-in-your-php-applications-with-psalm.html) and [PHPStan](https://phpmagazine.net/2020/09/phpstan-pro-edition-launched.html).

### Wordpress Plugins

[https://www.pluginvulnerabilities.com/plugin-security-checker/](https://www.pluginvulnerabilities.com/plugin-security-checker/)

## Solidity

* [https://www.npmjs.com/package/solium](https://www.npmjs.com/package/solium)
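The `console.log()` swap from the JavaScript Deobfuscate/Unpack section above, done programmatically so the decoded layer is returned instead of printed or executed. This is an added example, not code from the page or from any tool it lists; it assumes the packer's outermost call is `eval(...)`, and the two-layer packed sample, the `__capture` name and the toy token-substitution packer are constructed for the demo.

```javascript
// Rewrite the leading eval( so the packer calls our capture function instead
// (the same edit the notes describe by hand), then run the still-obfuscated
// decoder inside a Function that receives only that capture parameter.
function captureEvalArg(src) {
  if (!/^eval\s*\(/.test(src)) throw new Error('source does not start with eval(');
  const rewritten = src.replace(/^eval\s*\(/, '__capture(');
  let captured = null;
  // The decoder runs, but the string it would have eval'd is only stored.
  new Function('__capture', rewritten)(function (s) { captured = String(s); });
  if (captured === null) throw new Error('packer never called eval()');
  return captured;
}

// Repeat while the output is itself packed ("recursively packed" in the notes),
// with a depth limit so a self-referencing packer cannot loop forever.
function unpackRecursively(src, maxLayers = 10) {
  let current = src.trim();
  for (let layers = 0; layers < maxLayers; layers++) {
    if (!/^eval\s*\(/.test(current)) return { code: current, layers };
    current = captureEvalArg(current).trim();
  }
  throw new Error(`more than ${maxLayers} packing layers`);
}

// Constructed sample: a two-layer packed script. The inner layer is a toy
// token-substitution packer in the p,a,c,k,e,d style; the outer layer hides
// the inner eval( behind a string replacement. Neither layer runs the payload.
const INNER = String.raw`eval(function(p,k){return p.replace(/\b\d+\b/g,function(m){return k[m]})}('0 1(){2("3")}',['function','hi','alert','hello']))`;
const PACKED = 'eval(' + JSON.stringify(INNER.replace(/^eval\(/, 'EVAL(')) + '.replace("EVAL(", "eval("))';

const result = unpackRecursively(PACKED);
console.log(result.layers + ' layer(s) removed:\n' + result.code);
```

Paste the returned code into a beautifier as the notes suggest; nothing in the recovered payload has been executed, which is the point of capturing rather than printing.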
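The `String.prototype.search()` pitfall from the Analyze section above, shown as the two vulnerable shapes of an origin allow-list check next to hardened versions. This is an added example, not code from the page or the cited report; `ALLOWED_ORIGINS`, the probe strings and the function names are constructed for the demo.

```javascript
// Constructed allow list for the demo.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// VULNERABLE form 1 (the one the notes describe): the caller-controlled value
// is passed to search(), which compiles it as a RegExp. "." matches any
// character and the match is unanchored, so "." or any substring is accepted.
function isAllowedVulnerableInputAsPattern(origin) {
  return ALLOWED_ORIGINS.join(' ').search(origin) !== -1;
}

// VULNERABLE form 2: the allow-listed string is the pattern and the input is
// the subject. The dots in the pattern are wildcards and the match is still
// unanchored, so look-alike hosts and longer hosts pass.
function isAllowedVulnerableInputAsSubject(origin) {
  return ALLOWED_ORIGINS.some(allowed => origin.search(allowed) !== -1);
}

// SAFE: compare the whole value literally.
function isAllowedSafe(origin) {
  return ALLOWED_ORIGINS.includes(origin);
}

// SAFE variant when a regular expression is genuinely needed: escape the
// metacharacters so the input can only match itself, and anchor both ends.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
function isAllowedEscaped(origin) {
  const re = new RegExp('^' + escapeRegExp(origin) + '$');
  return ALLOWED_ORIGINS.some(allowed => re.test(allowed));
}

// Constructed probes: a legitimate origin, a bare dot, a substring, a
// look-alike with the dot replaced, and a longer host sharing the prefix.
const PROBES = ['https://app.example.com', '.', 'example',
  'https://appXexample.com', 'https://app.example.com.evil.net'];
for (const p of PROBES) {
  console.log(p.padEnd(34),
    'pattern:', isAllowedVulnerableInputAsPattern(p),
    'subject:', isAllowedVulnerableInputAsSubject(p),
    'safe:', isAllowedSafe(p));
}
```

When reviewing, grep for `.search(` and check which side the untrusted value is on; either way, a literal comparison or an escaped, anchored RegExp is the fix.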
๐ŸŽ™๏ธ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ๐ŸŽ™๏ธ - ๐ŸŽฅ Youtube ๐ŸŽฅ - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**๐Ÿ’ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐Ÿฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.