
Common Weaknesses
- Hardcoded credentials/secrets/keys
- Information leakage/verbose errors
- Missing security flags
- Weak password hashing
- XSS
- No CSRF protection
- SQLi
- RCE
- Directory listing
- Local/Remote file inclusion
- Cryptographic issues
- Signature bypass
- Authentication bypass
Resources
- https://github.com/wireghoul/graudit
- https://github.com/tomnomnom/gf
- https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf
- https://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackers
Suspicious Functions and Keywords
General Functions
```
system()
exec()
eval()
assert()
popen()
preg_replace()
passthru()
shell_exec()
proc_open()
include()
include_once()
require()
require_once()
mail()
serialize()
unserialize()
rand()
date()
```
Cryptographic Functions
```
encrypt()
decrypt()
decode()
encode()
digest()
```
Database Functions
```
querydb()
query_db()
mysql_query()
mysql_db_query()
db.cursor()
db.prepare()
MySQLdb.connect()
selectQueryString
Database.Open
db.Query()
db.Execute()
```
Hunting with Grep
Grep provides endless possibilities:
```sh
grep -iRl 'api\|key\|api_key\|apikey\|apitoken\|token'
grep -RE '(shell_exec|exec|passthru|system|popen|proc_open|eval)\('
grep -iRl '\$_GET\|\$_POST\|\$_REQUEST\|\$_COOKIE'
grep -iR '<pattern>' --exclude='*.css'
grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'                          # IPv4 addresses
grep -Eo '(http|https)://[a-zA-Z0-9./?=_%:-]*'                       # URLs
grep -E -o '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b'     # e-mail addresses
grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}'                # MAC addresses
grep -e '[0-9a-f]\{32\}'                                             # MD5
grep -o -E -e '[0-9a-f]{40}'                                         # SHA-1
grep -Ea '\$2[ayb]\$.{56}'                                           # bcrypt
grep -E '\$2a\$08\$.{75}'                                            # blowfish (bcrypt, cost 08)
```
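The sink and superglobal greps above are most useful when combined: a sink call that receives `$_GET`/`$_POST` data is the one to review first. The following script, an added example rather than code from the page, applies that pairing as a two-pass heuristic over a constructed PHP sample (a variable assigned from a superglobal on one line is treated as tainted when it reaches a sink on a later line); the sink and source lists are the page's own, the sample and the `hunt`/`tainted_vars` names are assumptions.

```python
import re

# Sinks taken from the "General Functions" list above: command/code execution,
# deserialization and file inclusion.
SINK_RE = re.compile(
    r"\b(shell_exec|exec|passthru|system|popen|proc_open|eval|unserialize|"
    r"include|include_once|require|require_once)\s*\(")
# Request superglobals from the $_GET/$_POST grep above: attacker-controlled input.
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# "$var = ..." with a single "=" (not "=="), used to follow input into variables.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=[^=]")

def tainted_vars(lines):
    """First pass: names of variables assigned on a line that reads a superglobal."""
    found = set()
    for line in lines:
        m = ASSIGN_RE.search(line)
        if m and SOURCE_RE.search(line):
            found.add(m.group(1))
    return found

def hunt(lines):
    """Second pass: (line_no, sink, hot) for every sink call; hot is True when a
    superglobal, or a variable derived from one, appears in the same line."""
    taint = tainted_vars(lines)
    findings = []
    for n, line in enumerate(lines, start=1):
        m = SINK_RE.search(line)
        if not m:
            continue
        direct = bool(SOURCE_RE.search(line))
        via_var = any(re.search(re.escape(v) + r"\b", line) for v in taint)
        findings.append((n, m.group(1), direct or via_var))
    return findings

# Constructed PHP sample (not from any real project), shaped like typical grep hits.
SAMPLE_PHP = """<?php
$cmd = $_GET['cmd'];
echo shell_exec('ls ' . $_GET['dir']);
system($cmd);
$data = unserialize($_COOKIE['state']);
include('header.php');
$n = rand();
""".splitlines()

if __name__ == "__main__":
    for n, sink, hot in hunt(SAMPLE_PHP):
        print(f"{'REVIEW FIRST' if hot else 'trace args  '} line {n}: {sink}()")
```

Line-based matching still misses input that travels through function parameters, arrays or other files, so treat an unflagged sink as "trace its arguments", not as safe.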