Skip to content

va1da5/manual-source-code-review

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

Source Code Review Bug Patterns

This repository contains Regex patterns to look for while performing manual application source code analysis. The patterns are pretty open-scoped and, if used in automated tools, would provide lots of false-positives. However, it still brings value when doing manual investigation and could lead into some serious bug findings. The match of the pattern in the code does not necessarily mean the application being vulnerable to a certain type of attack. It is security tester's responsibility to evaluate each case and arrive to the conclusion.

Tools

Usage with grep

# List files with a specific extension
find . -name "*.html" -o -name "*.jsp"

grep -rnw -P "do(?:Post|Get|Put|Patch|Delete|Options|Copy|Move)\b" -l | grep -vP ".*.(?:js|css|jpg)$" |  xargs grep -iP "WHERE.*" --color

Javascript

Node JS

unserialize\s*\(
eval\s*\(
\bchild_process\b
exec\s*\(
spawn\s*\(
execFile\s*\(
\bfork\s*\(

HTML DOM Related

innerText
innerHTML
document\.location
document\.create
document\.URL
document\.URLUnencoded
document\.referrer
window\.location
document\.write\s*\(
document\.writeln\s*\(
document\.body\.innerHtml
eval\s*\(
document\.cookie
window\.execScript\s*\(
window\.setInterval\s*\(
window\.setTimeout\s*\(
document\.location
document\.URL
document\.open\s*\(
window\.location\.href
window.navigate\s*\(
window\.open\s*\(
document\.execCommand
location\.hash
location\.href
window\.createRequest
document\.attachEvent
window\.execScript
window\.setInterval
target\s*=\s*["']_blank['"]

PHP

PHP Deserialization

unserialize\s?\(
unserialize_callback_func

Command Execution

exec\s*\(
passthru\s*\(
popen\s*\(
shell_exec\s*\(
system\s*\(
`[^`]+`
eval\s*\(
proc_open\s*\(
proc_close\s*\(
proc_get_status\s*\(
proc_nice\s*\(
proc_terminate\s*\(

User Input

\$_ENV\[.*\]
\$_GET\[.*\]
\$_POST\[.*\]
\$_COOKIE\[.*\]
\$_REQUEST\[.*\]
\$_FILES\[.*\]
\$_SERVER\[.*\]
\$HTTP_GET_VARS
\$http_get_vars
\$HTTP_POST_VARS
\$http_post_vars
\$HTTP_ENV_VARS
\$http_env_vars
\$HTTP_RAW_POST_DATA
\$http_raw_post_data
\$HTTP_POST_FILES
\$http_post_files

SQL Commands

mysql_query\s*\(
WHERE\s+.*=.*
mysql_connect\s*\(
mysql_pconnect\s*\(
mysqli\s*\(
(mysqli::[^ ]*|mysqli_[^ ]*)
mysql_query\s*\(
mysql_error\s*\(
pg_connect\s*\(
pg_pconnect\s*\(
pg_execute\s*\(
pg_insert\s*\(
pg_put_line\s*\(
pg_query\s*\(
pg_select\s*\(
pg_send_query\s*\(
pg_update\s*\(
sqlite_open\s*\(
sqlite_query\s*\(
sqlite_array_query\s*\(
sqlite_create_function\s*\(
sqlite_create_aggregate\s*\(
sqlite_exec\s*\(
sqlite_fetch_.*
msql_.*
mssql_.*
odbc_.*
fbsql_.*
db2_.*
sqlsrv_.*
sybase_.*
ibase_.*
dbx_.*
ingres_.*
ifx_.*
oci_.*
px_.*
ovrimos_.*
maxdb_.*

File Related Functions

(include|include_once|require|require_once)
file\s*\(
file_get_contents\s*\(
fopen\s*\(
p?fsockopen\s*\(
fwrite\s*\(
move_uploaded_file
stream_.*
readfile\s*\(

Other Interesting Stuff

get_loaded_extensions
getenv\s?\(
putenv\s?\(
apache_setenv\s?\(
apache_request_headers\s?\(
apache_response_headers\s?\(
header\s?\(
stream_context_create
create_function\s?\(
mail\s?\(
preg_replace
\<\?\=\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
\<\%\=\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
{php}

I/O Streams

php://stdin
php://stdout
php://stderr
php://output
php://input
php://filter
php://memory
php://temp

JAVA

Deserialization

\bObjectInputStream\(
\breadObject\(
\bdefaultReadObject\s*\(
\breadUnshared\s*\(
\breadResolve\s*\(
\bwriteObject\s*\(
\bXMLDecoder\s*\(
\bXStream\b
\.enableDefaultTyping\(\)
\bcom\.fasterxml\.jackson\.databind\.ObjectMapper\b
\bnew\s+ObjectMapper()\b
\b@JsonTypeInfo\(
\breadValue\([^,]+,\s*Object\.class\)
\bJSON\.parseObject\b
\bcom\.alibaba\.fastjson\.JSON\b

Command Execution

\bexec\s?\(

User Input

do(?:Post|Get|Put|Patch|Delete|Options|Copy|Move)\b
@WebServlet\(.*
\bjavax\.servlet\..*
getParameter\s*\(
getParameterNames\s*\(
getParameterValues\s*\(
getParameterMap\s*\(
getQueryString\s*\(
HttpServletRequest
getScheme\s*\(
getProtocol\s*\(
getContentType\s*\(
getServerName\s*\(
getRemoteAddr\s*\(
getRemoteHost\s*\(
getRealPath\s*\(
getLocalName\s*\(
getAttribute\s*\(
getAttributeNames\s*\(
getLocalAddr\s*\(
getAuthType\s*\(
getRemoteUser\s*\(
getCookies\s*\(
getHeaderNames\s*\(
getHeaders?\s*\(
getPrincipal\s*\(
getUserPrincipal\s*\(
getRequestedSessionId\s*\(
XMLReader
\bCookie\b
getRequestURI
getRequestURL
getComment\s*\(

\.get(?:Parameter(?:Names?|Values?|Map)?|QueryString|ContentType|Cookies|Header(?:s|Names)|Request(?:URL|URI))\s*\(

JSP

\brequest\.getParameter\(
\bsession\.setAttribute\(
\$\{[^}]+\}
\.getRequestDispatcher\(                                        #look for .include(request, response)
(?!.*\.jspf?['"])(?:<jsp:include\s+page|<jsp:directive\.include\s+file|<%@\s+include\s+file|<c:import\s+url)\s*=\s*["'].*
<c:out.*escapeXml\s*=\s*["']false["']
<%=\s+[a-zA-Z0-9_$]+\s+%>
<x:transform\b.*\b(?:xml|xslt)\s*=.*(?:xml|xslt)\s*=.*>

Servlet Response Functions

\.sendRedirect\((?:.*\.getParameter\(.*\))?
setJavaScriptEnabled
getWriter
addCookie\s*\(
\b(?:add|set)Header\s*\(
\bsetStatus
setAttribute\s*\(
HttpServletResponse
ServletOutputStream
\.addHeader\("Access-Control-Allow-Origin", "\*"\)

SQL Commands

execute(?:Query|Update)\s*\(
Prepared?Statement\b
\b(?:SELECT|UPDATE|DELETE|WHERE|GROUP BY|HAVING|ORDER BY)\s+.*=.*
(?:create|execute)[sS]tatement\s*\(
get(?:Object|String)\s*\(
addBatch\s*\(
execute\s*\(
prepareCall\s*\(
jdbc:.*

Files/Streams Related Functions

\bcreateRequest\b
\b(?:new )?File\b
\bFiles\.exists\((?:\s*Paths\.get\()?
\bfromFile\s*\(
java\.io\.File
\bFileReader\b
\bFileWriter\b
renameTo\s*\(
mkdir\s*\(
\bRandomAccessFile\b
\bFileOutputStream\b
\bHttpsURLConnection\b
\bFileInputStream\b
\bFilterInputStream\b
\bPipedInputStream\b
\bBufferedReader\b
\bFileOutputStream\b
\bSequenceInputStream\b
\bStringBufferInputStream\b
\bByteArrayInputStream\b
\bSocket\s*\(
\bServerSocket\s*\(
\bFileNotFoundException\b
(?:\bnew\s+URL(.*))?\.(?:getContent|open(?:Connection|Stream))\(\)

XXE

\.createXMLStreamReader\s*\(
(?<!Pattern|RegExp|JsonPointer)(?:XPathExpression\b.*)?\.compile\s*\(
(?:\bSAXParser\b.*)?\.newSAXParser\s*\(\b                                # look for parser.parse(..)
(?:\bXMLReader\b.*)?\.createXMLReader\s*\(                               # look for reader.parse(...);
(?:\bDocumentBuilder\b.*)?\.newDocumentBuilder\s*\(                      # look for db.parse(input);
\bDocument\s.*\.parse\s*\(
(?:\bTransformer\s.*)?\.newTransformer\s*\(

Spring

@(?:Request|Get|Post|Put|Delete|Patch)Mapping
\.csrf\(\)\.disable\(\)
\bExpression\s.*\.parseExpression\s*\(
redirect\(\s*@RequestParam\(.*
\bModelAndView\(
<spring:eval\s*expression\s*=\s*"

Other Interesting Stuff

\bRandom\(
getPropert(y|ies)\s*\(
getSession\s*\(
\bHTTPCookie\b
\bdoPrivileged\b
IS_SUPPORTING_EXTERNAL_ENTITIES
eval\s*\(
\bprint[Ss]tack[Tt]race\b
Base64
\.newTransformer\(
import java\.lang\.Runtime
\bXPath\b
(?:\bXPath\s.*)\.newXPath\s*\(
(?:\bXPathExpression\s.*)\.compile\s*\(
\bNamingEnumeration\b.*\.search\s*\(
(?:\bScriptEngine\s.*)?\.getEngineByName\s*\(
(?!.*=\s*"\s*\+.*\+\s*")(?:String\s*)?(?:secret|token|pass(?:key|phrase|word|wd)?|api_?key|hash|user(?:name|id)?|login|admin|account(?:id)?|auth|email)[a-zA-Z0-9$_]*\s*=\s*".{4,}";
\.newTransformer\s*\(
Velocity\.evaluate\(
BeanUtils\.populate\(
\bMimeMessage\(
\.setEscapeModelStrings\(false\)
(?:setHeader|setRequestProperty)\("Authorization"\s*,\s*"Basic
\bisActiveSession\([a-z0-9_$]+\.getRequestedSessionId\(\)\)
\bTemplate\s+[a-zA-Z0-9_$]+\s*=\s*[a-zA-Z0-9_$]+.getTemplate\(

C#

Deserialization

XmlReader
XmlReader\.Create
XamlReader\.Load
JsonConvert.DeserializeObject
\.DeserializeObject
JSON.ToObject
\.ToObject
JsonSerializer
JavaScriptSerializer
SimpleTypeResolvers\s*\(
XmlSerializer\s*\(
DataContractSerializer\s*\(
DeserializerBuilder
\.Deserialize\s*\(
BinaryFormatter
ObjectStateFormatter
SoapFormatter
NetDataContractSerializer
LosFormatter
SerializationFormatter

Command Execution

Server\.Execute
\bExecute\b
\bEval\b
\bProcess\b
\.StartInfo\.FileName\b
\.StartInfo\.Arguments\b

User Input

System\.Net\.Cookie
Cookie
\.Cookies
request\.cookies
Request
Request\.Files
Request\.Headers
request\.querystring
request\.form
request\.item
request\.url
request\.urlreferrer
request\.useragent
request\.userlanguages

Server Response Functions

response\.write
innerText
HttpUtility
innerHTML
HtmlEncode
<%=
UrlEncode
document\.cookie
HTTPOnly
htmlcontrols\.
webcontrols\.
Response\.AddHeader
Response\.Redirect

SQL Commands

\bselect\b
\bdelete\b
\bupdate\b
\bwhere.*=.*

sp_executesql
\bExecuteQuery\b
\bexecuteSQL\b
\bexecuteQuery\b
\bSqlDataAdapter\b
\bSqlConnection\b
\bCreateSQLQuery\b
exec sp_
exec xp_
execute sp_
exec @
setfilter
sqloledb
\.Provider\b
ExecuteReader\b
SqlDataReader\b
execute @
System\.Data\.sql
DataSource
ExecuteReader
executestatement
GetQueryResultInXML
\bdriver\b
ADODB\.recordset
SqlCommand
SqlDataAdapter
\badodb\b
Server\.CreateObject
New OleDbConnection\b
\bOdbcCommand\b
\bSqlCommand\b
Microsoft\.Jet
\bStoredProcedure\b
\bExecuteSqlCommand\b
\bExecuteDataSet\b
\bNpgsqlCommand\b

Files/Streams Related Functions

System\.IO
ReadAllBytes
FileSystemObject
StreamReader
FileInputStream
GetTempFileName

XXE

\bXmlReaderSettings\b
\bXmlReader\b
\bXmlDocument\b

Other Interesting Stuff

Shell\.Application
Shell32
Server\.CreateObject
\.Run\b
Wscript\.Shell
System\.Security\.Cryptography
\bCipherMode\.(CBC|ECB|OFB)
\.SetPassword\b

References

About

Regex patterns for manual application source code review

Topics

security review regex-pattern bugs oswe oswe-prep web-300

Resources

Readme
Activity

Stars

26 stars

Watchers

2 watching

Forks

7 forks
Report repository