Java code static analysis
# Java static analysis (very simple) functions
# by Enrique Alfonso Sanchez Montellano
# http://security-dojo.com/programming-bits/static-source-code-audit-on-terminal-aka-glorified-greps-part-2/
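#######################################
# Run one recursive grep over a source tree and append the hits, in the
# "Filename: / line: / match:" log format, to a log file.
# Arguments: $1 - directory (or file) to scan
#            $2 - extended regular expression (grep -E) to look for
#            $3 - log file to append to
# Outputs:   appends formatted hits to $3; nothing on stdout
#######################################
_auditjava_scan() {
  local dir=$1 pattern=$2 logfile=$3
  # -n: report line numbers (the original used -b, which prints the byte
  #     offset but labelled it "line:").
  # -I: skip binary files instead of filtering the "Binary file ... matches"
  #     message afterwards.
  # The grep -v stage drops vendored ruby libs, .git metadata and build files,
  # as in the original (the dot in .git is now escaped so it no longer drops
  # e.g. "digit" or "legit" paths).
  grep -r -n -I -E -- "$pattern" "$dir" \
    | grep -v -e 'lib/ruby' -e '\.git' -e buildfile \
    | awk -F : '{
        file = $1; line = $2
        # The matched source text may itself contain ":" (string literals,
        # ternaries, ...); reassemble fields 3..NF so it is not truncated.
        text = $3
        for (i = 4; i <= NF; i++) text = text ":" $i
        print "Filename: " file "\nline: " line "\nmatch: " text "\n\n"
      }' >> "$logfile"
}

#######################################
# Very simple grep-based static audit of a Java source tree.
# Writes three logs into ./security_logs (created if missing):
#   command_injection.log - Runtime/exec/system/backtick usages
#   sql_functions.log     - JDBC statement execution calls
#   user_input.log        - servlet request accessors (taint sources)
# Arguments: $1 - directory to audit
# Outputs:   progress messages on stdout, usage/errors on stderr
# Returns:   0 on success, 1 on missing/invalid argument or if the log
#            directory cannot be created
#######################################
auditjava ()
{
  local dir=$1
  local logdir=security_logs

  if [ -z "$dir" ]; then
    echo "Missing directory to audit!" >&2
    echo "Usage: auditjava <directory>" >&2
    return 1
  fi
  if [ ! -e "$dir" ]; then
    echo "[ ! ] $dir does not exist" >&2
    return 1
  fi

  # Bug fix: the original test was inverted (`if [ -d ... ]; then mkdir`),
  # so the directory was never created on first run and every redirect failed.
  if [ ! -d "$logdir" ]; then
    mkdir -- "$logdir" || return 1
    echo "[ + ] Directory $logdir created, all logs will go into it"
  fi
  echo "[ + ] Be warned logs WILL BE OVERWRITTEN!"

  # Each log is truncated once, then every scan appends to it.
  printf '%s' "[ - ] Verifying for possible command injection calls ... "
  : > "$logdir/command_injection.log"
  _auditjava_scan "$dir" 'system\(' "$logdir/command_injection.log"
  _auditjava_scan "$dir" '`' "$logdir/command_injection.log"
  _auditjava_scan "$dir" 'getRuntime\(|Runtime|\.exec\(' "$logdir/command_injection.log"
  echo "DONE"

  printf '%s' "[ - ] Verifying for SQL Java Dangerous Functions ... "
  : > "$logdir/sql_functions.log"
  # The JDBC method is Connection.prepareStatement(); the original pattern
  # "preparedStatement(" could never match.
  _auditjava_scan "$dir" 'prepareStatement\(|executeQuery\(|execute\(|addBatch\(|executeBatch\(' "$logdir/sql_functions.log"
  echo "DONE"

  printf '%s' "[ - ] Verifying for user input ... "
  : > "$logdir/user_input.log"
  _auditjava_scan "$dir" 'getParameter|getQueryString|getHeader|getRequestURL|getCookies|getInputStream|getReader|getMethod|getProtocol|getServerName|getRemoteUser|getUserPrincipal' "$logdir/user_input.log"
  echo "DONE"
}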