Skip to content

Source code Review / SAST Tools โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Guidance and & Lists of tools โ€‹

Multi-Language Tools โ€‹

Naxus - AI-Gents โ€‹

There is a free package to review PRs.

Semgrep โ€‹

It's an Open Source tool.

Supported Languages โ€‹

CategoryLanguages
GAC# ยท Go ยท Java ยท JavaScript ยท JSX ยท JSON ยท PHP ยท Python ยท Ruby ยท Scala ยท Terraform ยท TypeScript ยท TSX
BetaKotlin ยท Rust
ExperimentalBash ยท C ยท C++ ยท Clojure ยท Dart ยท Dockerfile ยท Elixir ยท HTML ยท Julia ยท Jsonnet ยท Lisp ยท

Quick Start โ€‹

bash
# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-cli
brew install semgrep

# Go to your repo code and scan
cd repo
semgrep scan --config auto

You can also use the semgrep VSCode Extension to get the findings inside VSCode.

SonarQube โ€‹

There is an installable free version.

Quick Start โ€‹

bash
# Run the paltform in docker
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
# Install cli tool
brew install sonar-scanner

# Go to localhost:9000 and login with admin:admin or admin:sonar
# Generate a local project and then a TOKEN for it

# Using the token and from the folder with the repo, scan it
cd path/to/repo
sonar-scanner \
  -Dsonar.projectKey=<project-name> \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.token=<sonar_project_token>

CodeQL โ€‹

There is an installable free version but according to the license you can only use free codeQL version in Open Source projects.

Install โ€‹

bash
# Download your release from https://github.com/github/codeql-action/releases
## Example
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz

# Move it to the destination folder
mkdir ~/codeql
mv codeql-bundle* ~/codeql

# Decompress it
cd ~/codeql
tar -xzvf codeql-bundle-*.tar.gz
rm codeql-bundle-*.tar.gz

# Add to path
echo 'export PATH="$PATH:/Users/username/codeql/codeql"' >> ~/.zshrc

# Check it's correctly installed
## Open a new terminal
codeql resolve qlpacks #Get paths to QL packs

Quick Start - Prepare the database โ€‹

โœ…

The first thing you need to do is to prepare the database (create the code tree) so later the queries are run over it.

  • You can allow codeql to automatically identify the language of the repo and create the database
bash
codeql database create <database> --language <language>

# Example
codeql database create /path/repo/codeql_db --source-root /path/repo
## DB will be created in /path/repo/codeql_db

โŒ

This will usually trigger and error saying that more than one language was specified (or automatically detected). Check the next options to fix this!

bash
codeql database create <database> --language <language> --source-root </path/to/repo>

# Example
codeql database create /path/repo/codeql_db --language javascript --source-root /path/repo
## DB will be created in /path/repo/codeql_db
  • If your repo is using more than 1 language, you can also create 1 DB per language indicating each language.
bash
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --source-root /path/to/repo --db-cluster --language "javascript,python"

# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /path/repo/codeql_db --source-root /path/to/repo --db-cluster --language "javascript,python"
## DBs will be created in /path/repo/codeql_db/*
  • You can also allow codeql to identify all the languages for you and create a DB per language. You need to give it a GITHUB_TOKEN.
bash
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create <database> --db-cluster --source-root </path/to/repo>

# Example
export GITHUB_TOKEN=ghp_32849y23hij4...
codeql database create /tmp/codeql_db --db-cluster --source-root /path/repo
## DBs will be created in /path/repo/codeql_db/*

Quick Start - Analyze the code โ€‹

โœ…

Now it's finally time to analyze the code

Remember that if you used several languages, a DB per language would have been crated in the path you specified.

bash
# Default analysis
codeql database analyze <database> --format=<format> --output=</out/file/path>
# Example
codeql database analyze /tmp/codeql_db/javascript --format=sarif-latest --output=/tmp/graphql_results.sarif

# Specify QL pack to use in the analysis
codeql database analyze <database> \
    <qls pack> --sarif-category=<language> \
    --sarif-add-baseline-file-info \ --format=<format> \
    --output=/out/file/path>
# Example
codeql database analyze /tmp/codeql_db \
    javascript-security-extended --sarif-category=javascript \
    --sarif-add-baseline-file-info --format=sarif-latest \
    --output=/tmp/sec-extended.sarif

Quick Start - Scripted โ€‹

bash
export GITHUB_TOKEN=ghp_32849y23hij4...
export REPO_PATH=/path/to/repo
export OUTPUT_DIR_PATH="$REPO_PATH/codeql_results"
mkdir -p "$OUTPUT_DIR_PATH"
export FINAL_MSG="Results available in: "

echo "Creating DB"
codeql database create "$REPO_PATH/codeql_db" --db-cluster --source-root "$REPO_PATH"
for db in `ls "$REPO_PATH/codeql_db"`; do
    echo "Analyzing $db"
    codeql database analyze "$REPO_PATH/codeql_db/$db" --format=sarif-latest --output="${OUTPUT_DIR_PATH}/$db).sarif"
    FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ,"
    echo ""
done

echo $FINAL_MSG

You can visualize the findings in https://microsoft.github.io/sarif-web-component/ or using VSCode extension SARIF viewer.

You can also use the VSCode extension to get the findings inside VSCode. You will still need to create a database manually, but then you can select any files and click on Right Click -> CodeQL: Run Queries in Selected Files

Snyk โ€‹

There is an installable free version.

Quick Start โ€‹

bash
# Install
sudo npm install -g snyk

# Authenticate (you can use a free account)
snyk auth

# Test for open source vulns & license issues
snyk test [--all-projects]

# Test for code vulnerabilities
## This will upload your code and you need to enable this option in: Settings > Snyk Code
snyk test code

# Test for vulns in images
snyk container test [image]

# Test for IaC vulns
snyk iac test

You can also use the snyk VSCode Extension to get findings inside VSCode.

Insider โ€‹

It's Open Source, but looks unmaintained.

Supported Languages โ€‹

Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

Quick Start โ€‹

bash
# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
$ tar -xf insider_2.1.0_linux_x86_64.tar.gz 
$ chmod +x insider
$ ./insider --tech javascript  --target <projectfolder>

DeepSource โ€‹

Free for public repos.

NodeJS โ€‹

  • yarn
bash
# Install
brew install yarn
# Run
cd /path/to/repo
yarn audit
npm audit
  • pnpm
bash
# Install
npm install -g pnpm
# Run
cd /path/to/repo
pnpm audit
bash
# Install & run
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest
# Got to localhost:9090
# Upload a zip file with the code
  • RetireJS: The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
bash
# Install
npm install -g retire
# Run
cd /path/to/repo
retire --colors

Electron โ€‹

  • electronegativity: It's a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

Python โ€‹

  • Bandit: Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.
bash
# Install
pip3 install bandit

# Run
bandit -r <path to folder>
  • safety: Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems.
bash
# Install
pip install safety
# Run
safety check
  • Pyt: Unmaintained.

.NET โ€‹

bash
# dnSpy
https://github.com/0xd4d/dnSpy

# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs

RUST โ€‹

bash
# Install
cargo install cargo-audit

# Run
cargo audit

#Update the Advisory Database
cargo audit fetch

Java โ€‹

bash
# JD-Gui
https://github.com/java-decompiler/jd-gui

# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
TaskCommand
Execute Jarjava -jar [jar]
Unzip Jarunzip -d [output directory] [jar]
Create Jarjar -cmf META-INF/MANIFEST.MF [output jar] *
Base64 SHA256sha256sum [file] | cut -d' ' -f1 | xxd -r -p | base64
Remove Signingrm META-INF/.SF META-INF/.RSA META-INF/*.DSA
Delete from Jarzip -d [jar] [file to remove]
Decompile classprocyon -o . [path to class]
Decompile Jarprocyon -jar [jar] -o [output directory]
Compile classjavac [path to .java file]

Go โ€‹

bash
https://github.com/securego/gosec

PHP โ€‹

Psalm and PHPStan.

Wordpress Plugins โ€‹

https://www.pluginvulnerabilities.com/plugin-security-checker/

Solidity โ€‹

JavaScript โ€‹

Discovery โ€‹

  1. Burp:
    • Spider and discover content
    • Sitemap > filter
    • Sitemap > right-click domain > Engagement tools > Find scripts
  2. WaybackURLs:
    • waybackurls <domain> |grep -i "\.js" |sort -u

Static Analysis โ€‹

Unminimize/Beautify/Prettify โ€‹

Deobfuscate/Unpack โ€‹

Note: It may not be possible to fully deobfuscate.

  1. Find and use .map files:
    • If the .map files are exposed, they can be used to easily deobfuscate.
    • Commonly, foo.js.map maps to foo.js. Manually look for them.
    • Use JS Miner to look for them.
    • Ensure active scan is conducted.
    • Read 'Tips/Notes'
    • If found, use Maximize to deobfuscate.
  2. Without .map files, try JSnice:
    • References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice
    • Tips:
      • If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments.
      • Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results.
  3. For some more modern alternatives to JSNice, you might like to look at the following:
  1. Use console.log();
    • Find the return value at the end and change it to console.log(<packerReturnVariable>); so the deobfuscated js is printed instead of being executing.
    • Then, paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console.
    • Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis.
    • Note: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process.

References โ€‹

Tools โ€‹

Less Used References โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: