Static Application Security Testing (SAST)

Note: This resource will be constantly updated – Last Updated: 28/02/2023

This resource collects the tools I use to find vulnerabilities with SAST, including the ones that some modules already ship with; it is meant for learning, not to replace our own work as analysts.
Most tools that detect vulnerabilities, whether SAST or DAST, produce false positives, so your duty as a security researcher is to investigate each finding and decide whether it is a real vulnerability or not.

My daily Tools:

  • Strings: grep, egrep and the best friend the Terminal (console)
  • Secrets: gitk, git, gitsecrets, trufflehog
  • Vulns: grep, egrep and some keywords list, Horusec, AppScan (VScode Extension)

Static Application Security Testing – SAST – Summary

Static Application Security Testing – SAST

Static application security testing (SAST), or static analysis, is a testing methodology that analyzes source code to find security vulnerabilities that make your organization’s applications susceptible to attack. SAST scans an application before the code is compiled. It’s also known as white box testing.

SAST – Source Code

SAST – Source Code – Angular

SAST – Source Code – .NET C#

SAST – Source Code – Python

SAST – Source Code – Java

SAST – Source Code – Golang

SAST – Source Code – PHP

SAST – Source Code – PowerShell

SAST – Source Code – Docker

SAST – Source Code – Cloud

SAST – OneLiners

SAST – OneLiners – Source code Strings

# run this command from the root directory of your source code
# replace the example keywords with the vulnerability keywords you know
# e.g. password, eval, secret, auth...
# --exclude "*.map" skips files matching a glob (here, source maps)
# --exclude-dir=test skips whole directories (here, test code)
# (egrep is a deprecated alias of grep -E; the flags are the same)

egrep --color -nri "example|example2|example3|password|eval" --exclude "*.map" --exclude-dir=test
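The same sweep written out in Python, added here as an example (it is not code from the original page), so that the exclusion rules are explicit: it walks the tree, prunes excluded directories before descending, skips files matching a glob, and reports file, line number and the keyword that matched. The sample files are constructed for the demo; the keyword list and the exclusions are assumptions that mirror the command above.

```python
import os
import fnmatch
import re
import tempfile

# Keywords to sweep for; extend with the ones you know from the code base under review.
KEYWORDS = ["password", "eval", "secret", "auth"]
EXCLUDE_FILES = ["*.map"]   # equivalent of --exclude "*.map"
EXCLUDE_DIRS = ["test"]     # equivalent of --exclude-dir=test


def keyword_sweep(root, keywords=KEYWORDS, exclude_files=EXCLUDE_FILES, exclude_dirs=EXCLUDE_DIRS):
    """Case-insensitive recursive search, like egrep -nri with --exclude/--exclude-dir.
    Returns (relative_path, line_number, matched_keyword, line) tuples."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune excluded directories in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in sorted(filenames):
            if any(fnmatch.fnmatch(name, pat) for pat in exclude_files):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        m = pattern.search(line)
                        if m:
                            rel = os.path.relpath(path, root)
                            hits.append((rel, lineno, m.group(0).lower(), line.rstrip("\n")))
            except OSError:
                continue  # unreadable file: skip it, as grep would report and move on
    return hits


# Constructed sample tree (not real project files) showing both exclusions in action.
SAMPLE_FILES = {
    "src/app.js": "const token = getAuthToken();\nconst out = eval(userInput);\n",
    "src/config.py": 'DB_PASSWORD = "changeme"\nDEBUG = True\n',
    "src/bundle.js.map": '{"password": "inside a source map, excluded by glob"}\n',
    "test/test_auth.py": 'def test_login(): assert auth("user", "password")\n',
}


def build_sample_tree():
    """Write the constructed files into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="sast-sweep-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree and sweep it; only src/app.js and src/config.py should report."""
    return keyword_sweep(build_sample_tree())


if __name__ == "__main__":
    for rel, lineno, kw, line in demo():
        print(f"{rel}:{lineno}: [{kw}] {line}")
```

The hit on `getAuthToken()` is the kind of noise a keyword sweep produces by design: it is there to be triaged, not reported as-is.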

SAST – OneLiners – Git Secrets

  • Run these commands from the root of your repository
# search every commit in the history for a string or expression
git grep "keyword or expression" $(git rev-list --all)
# same search, piping the revision list into git grep (avoids a huge argument list on big histories)
git rev-list --all | xargs git grep "keyword or expression"
# show every commit that touched a given file, with the full diff
git log -p -- file/example.js
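A worked example of why the history matters, added here and not part of the original page: it builds a throwaway repository in which a token is committed and then replaced with an environment lookup, and shows that `git grep` over `git rev-list --all` still finds the old value even though the current working tree is clean. The token value is a constructed placeholder, the committer identity is a dummy one set for the demo, and the function returns `None` when `git` is not installed.

```python
import os
import shutil
import subprocess
import tempfile

LEAKED = "EXAMPLE-TOKEN-abc123"  # constructed placeholder, not a real credential

GIT_ENV = {  # dummy identity so commits work on a machine with no git config
    "GIT_AUTHOR_NAME": "sast-demo", "GIT_AUTHOR_EMAIL": "sast-demo@example.invalid",
    "GIT_COMMITTER_NAME": "sast-demo", "GIT_COMMITTER_EMAIL": "sast-demo@example.invalid",
}


def git(repo, *args):
    """Run a git command inside repo and return its stdout (empty on failure)."""
    env = dict(os.environ, **GIT_ENV)
    res = subprocess.run(["git", "-c", "commit.gpgsign=false", *args],
                         cwd=repo, env=env, capture_output=True, text=True)
    return res.stdout


def grep_history(repo, needle):
    """Equivalent of: git grep -n -F "<needle>" $(git rev-list --all)
    Returns (commit, path, text) tuples, one per matching line in any commit."""
    revs = git(repo, "rev-list", "--all").split()
    if not revs:
        return []
    hits = []
    for row in git(repo, "grep", "-n", "--fixed-strings", needle, *revs).splitlines():
        rev, path, _lineno, text = row.split(":", 3)  # git grep prints rev:path:lineno:text
        hits.append((rev, path, text.strip()))
    return hits


def build_repo_with_leaked_secret():
    """Constructed repo: commit a settings file with a token, then 'remove' it in a second commit."""
    repo = tempfile.mkdtemp(prefix="sast-git-")
    git(repo, "init", "-q")
    cfg = os.path.join(repo, "settings.py")
    with open(cfg, "w") as fh:
        fh.write(f'API_TOKEN = "{LEAKED}"\n')
    git(repo, "add", "settings.py")
    git(repo, "commit", "-q", "-m", "add settings")
    with open(cfg, "w") as fh:
        fh.write('API_TOKEN = os.environ["API_TOKEN"]\n')  # the 'fix' that leaves history intact
    git(repo, "add", "settings.py")
    git(repo, "commit", "-q", "-m", "move token to env")
    return repo


def demo():
    """None when git is unavailable; otherwise whether the token is in the working tree
    and which historical commits still contain it."""
    if shutil.which("git") is None:
        return None
    repo = build_repo_with_leaked_secret()
    with open(os.path.join(repo, "settings.py")) as fh:
        in_worktree = LEAKED in fh.read()
    return {"in_worktree": in_worktree, "history_hits": grep_history(repo, LEAKED)}


if __name__ == "__main__":
    print(demo())
```

The second commit removes the literal from the checked-out file, yet exactly one historical commit still carries it; a leaked credential has to be rotated, since rewriting history only hides the copy in this clone.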

SAST – OneLiners – Secret Keywords

# paste this regex into the Burp Suite search box (it also works with any PCRE-compatible scanner)
# source: https://github.com/h33tlit/secret-regex-list
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]
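The regex above applied to a few constructed configuration lines in Python, added here as an example and not part of the original page or of the linked list. The sample lines are made up for the demo and are chosen to show a true hit, a miss caused by the 8-character minimum value length, a false positive on the generic `config` keyword, and a secret read from the environment that the regex (correctly) does not flag; the `keyword` column is capture group 1 of the regex, the `value` column is group 4.

```python
import re

# The page's regex, unchanged, split over several lines with implicit string concatenation.
SECRET_REGEX = re.compile(
    r"(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|"
    r"alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|"
    r"api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|"
    r"app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|"
    r"authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|"
    r"aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|"
    r"bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|"
    r"bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|"
    r"cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|"
    r"ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|"
    r"cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|"
    r"cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|"
    r"consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|"
    r"datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|"
    r"digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|"
    r"docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|"
    r"droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|"
    r"elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|"
    r"eureka.awssecretkey)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]"
)

# Constructed sample lines (not from any real project), one per behaviour worth knowing.
SAMPLE_LINES = [
    'aws_secret_key = "abcdefgh12345678"',        # 1: quoted credential-looking literal -> hit
    "DB_PASSWORD: 'hunter2'",                      # 2: value shorter than 8 chars -> miss
    'config = "production-v1"',                    # 3: generic keyword 'config' -> false positive
    'client_secret=os.environ["CLIENT_SECRET"]',   # 4: read from env, no quoted literal -> miss
    'api_key_secret => "Qx9Z_k2-pLmNo4rT"',        # 5: arrow-style assignment -> hit
]


def scan_lines(lines, pattern=SECRET_REGEX):
    """Apply the regex to every line; returns (line_no, keyword_context, captured_value)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in pattern.finditer(line):
            findings.append((lineno, m.group(1).strip(), m.group(4)))
    return findings


if __name__ == "__main__":
    for lineno, keyword, value in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: keyword={keyword!r} value={value!r}")
```

Line 3 is the finding an analyst has to discard by hand: `config` is in the keyword list, so any quoted string of 8 or more characters assigned to it is reported. Line 2 is the opposite failure, a short password the regex is blind to, which is why the keyword sweep above and this regex complement rather than replace each other.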

SAST Resources

SAST Resources – Secrets

SAST Resources – Regex

SAST Tools

SAST Tools – Search Secrets

SAST Tools – Regex

Tip

# check a regex for catastrophic backtracking (ReDoS)
time node -e '/<VULNERABLE REGEX>/.test("<exploitstring>")'
# example of a normal (safe) regex
time node -e '/[^/]+\.[^/]+$/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
# result: about 0.18 s real time; if a run takes more than 1.00 s, the regex is likely vulnerable
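The same timing check in Python, added as an example that is not part of the original tip. It applies the page's 1.00 s rule to the "normal" regex and, for the bad case, uses the well-known nested-quantifier pattern `(a+)+$` (an assumption, not taken from the page) on inputs of growing length, so the exponential growth is visible at sizes that still finish in well under a second.

```python
import re
import time

# The page's "normal" regex (at worst quadratic, so cheap on short input) and a
# textbook catastrophic pattern with nested quantifiers used as the bad case.
SAFE_PATTERN = r"[^/]+\.[^/]+$"
SAFE_INPUT = "A" + "C" * 29 + "X"     # same shape as the page's sample string
EVIL_PATTERN = r"(a+)+$"               # assumption for the demo: exponential backtracking


def time_regex(pattern, text):
    """Seconds spent on pattern.search(text), the Python equivalent of
    `time node -e '/.../.test("...")'` (search, like JavaScript's test, scans every start)."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.search(text)
    return time.perf_counter() - start


def redos_check(pattern, text, threshold=1.0):
    """The page's rule: more than `threshold` seconds on a single input is a red flag."""
    elapsed = time_regex(pattern, text)
    return {"seconds": round(elapsed, 4), "suspicious": elapsed > threshold}


def exploit_input(n):
    """n repeats the nested group can split in 2**n ways, plus a final char that forces failure."""
    return "a" * n + "!"


def growth_profile(pattern, make_input, sizes=(8, 10, 12, 14, 16, 18)):
    """Time the regex on inputs of growing length. A safe regex grows roughly linearly
    or quadratically; a vulnerable one about doubles per extra character, which shows up
    long before any single run crosses the 1 s threshold."""
    return [(n, time_regex(pattern, make_input(n))) for n in sizes]


if __name__ == "__main__":
    print("safe :", redos_check(SAFE_PATTERN, SAFE_INPUT))
    for n, secs in growth_profile(EVIL_PATTERN, exploit_input):
        print(f"evil n={n:2d}: {secs:.4f}s")
```

Watching the growth rather than one absolute time is the more reliable check: a regex that takes 0.3 s at 18 characters and doubles per character will pass the 1 s rule on a short test string and still hang a service on a longer one.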

SAST Labs

Version Control