PwnSec Notes
  • AppSec
    • General Notes
    • Payloads
    • Fuzzing
    • Code Review
    • ReDos
    • SSTI
    • LFI-RFI
    • PHP Tricks
    • Javascript
    • Serialization
    • SQL Injection
    • JWT
    • GraphQL
    • Side Channel
    • Command Execution
    • WebSockets
    • Ruby
    • 0Auth
    • Latex Injection
    • NoSQL
    • JS Analysis
    • Apache Lucene
  • Forensics
    • Basics
    • Network Captures
    • Windows Logs
    • Memory
    • Browser
    • Threat Intelligence
    • Disk
  • Binary-Exploitation
    • Concepts
    • Binary Analysis
    • Debugging
    • Shellcodes
  • Malware-Analysis
    • Memory Mapping
    • Macros
    • Unpacking
    • Analysis
    • Resources
  • Reverse-Engineering
    • GDB basics
    • MASM Basics
    • Decompilers
    • Useful Codes
  • Services
    • SNMP
    • Grafana
    • Consul
  • Network Pentesting
    • C2 Servers
    • Pivoting
    • CrackMapExec
    • Kubernetes
    • Docker
  • MISC
    • Slack
    • Git
    • Pyjails
    • Privilege Escalation
    • Python LOL Code
  • Cloud Hacking
    • AWS S3
    • AWS Cognito
  • Mobile Pentesting
    • Frida
    • ADB
    • Drozer
    • Smali
    • Static Analysis
    • Dynamic Analysis
    • Bypass SSL Pinning
    • APK Labs
    • Android Malwares
    • Abusing Firebase
    • Root Detection
Powered by GitBook
On this page
  • Dependency Confusion
  • Hijacking Dependencies
  • Python-pip
  • Nodejs-npm
  • Static Application Security Analysis (SAST)
  • Secrets Scanning
  1. AppSec

Code Review

Simple notes on code review

PreviousFuzzingNextReDos

Last updated 1 year ago

Dependency Confusion

We can use confused to scan package requirement file

git clone https://github.com/visma-prodsec/confused 
cd confused
go get 
go build

  • Usage

confused -l pip requirements.txt
confused -l npm package.json # default
confused -l composer composer.json
confused -l mvn pom.xml
confused -l rubygems Gemfile.lock

Hijacking Dependencies

Python-pip

Nodejs-npm

  • TODO

Static Application Security Analysis (SAST)

Here are a set of tools I usually use when I conduct a source code review:

python3 -m pip install semgrep
semgrep --config auto | tee -a semgrep.out

  • Snyk: Snyk is good (Available Vscode extension)

  • Trivy: Built mainly for container security, it's suitable for dependency vulnerability scanning. (Available Vscode extension)

Secrets Scanning

# Require golang to be installed
git clone https://github.com/zricethezav/gitleaks.git
cd gitleaks
make build

# Usage
gitleaks detect --report-path gitleaks-report.json -v
sudo apt install -y trivy
trivy image --severity HIGH,CRITICAL --security-checks vuln,secret,config <image> 
# Append --offline-scan to scan a local image
git clone https://github.com/trufflesecurity/trufflehog.git
cd trufflehog
go install
# Scan a repo
trufflehog git <REPO-URL> --only-verified --json
# Scan a github organization
trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json
# Scan filesystem
trufflehog filesystem --directory <PATH> --json [--only-verified]

: It has a good set of rules for pointing out weak code practices.

I personally prefer for scanning a git repo, Because it points out informative information beside the secret.

For scanning container images for secrets and vulnerabilities, i would use .

Other than that is good.

https://github.com/zAbuQasem/dependecy-confusion-templates/tree/main/python-pip
Semgrep
gitleaks
trivy
trufflehog