├── .gitignore
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | .vscode


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Source Code Review Bug Patterns
  2 | 
  3 | This repository contains Regex patterns to look for while performing manual application source code analysis. The patterns are pretty open-scoped and, if used in automated tools, would provide lots of false-positives. However, it still brings value when doing manual investigation and could lead into some serious bug findings. The match of the pattern in the code does not necessarily mean the application being vulnerable to a certain type of attack. It is security tester's responsibility to evaluate each case and arrive to the conclusion.
  4 | 
  5 | ## Tools
  6 | 
  7 | Usage with `grep`
  8 | 
  9 | ```bash
 10 | # List files with a specific extension
 11 | find . -name "*.html" -o -name "*.jsp"
 12 | 
 13 | grep -rnw -P "do(?:Post|Get|Put|Patch|Delete|Options|Copy|Move)\b" -l | grep -vP ".*.(?:js|css|jpg)$" |  xargs grep -iP "WHERE.*" --color
 14 | ```
 15 | 
 16 | ---
 17 | 
 18 | ## Javascript
 19 | 
 20 | ### Node JS
 21 | 
 22 | ```regex
 23 | unserialize\s*\(
 24 | eval\s*\(
 25 | \bchild_process\b
 26 | exec\s*\(
 27 | spawn\s*\(
 28 | execFile\s*\(
 29 | \bfork\s*\(
 30 | ```
 31 | 
 32 | ### HTML DOM Related
 33 | 
 34 | ```regex
 35 | innerText
 36 | innerHTML
 37 | document\.location
 38 | document\.create
 39 | document\.URL
 40 | document\.URLUnencoded
 41 | document\.referrer
 42 | window\.location
 43 | document\.write\s*\(
 44 | document\.writeln\s*\(
 45 | document\.body\.innerHtml
 46 | eval\s*\(
 47 | document\.cookie
 48 | window\.execScript\s*\(
 49 | window\.setInterval\s*\(
 50 | window\.setTimeout\s*\(
 51 | document\.location
 52 | document\.URL
 53 | document\.open\s*\(
 54 | window\.location\.href
 55 | window.navigate\s*\(
 56 | window\.open\s*\(
 57 | document\.execCommand
 58 | location\.hash
 59 | location\.href
 60 | window\.createRequest
 61 | document\.attachEvent
 62 | window\.execScript
 63 | window\.setInterval
 64 | target\s*=\s*["']_blank['"]
 65 | ```
 66 | 
 67 | ---
 68 | 
 69 | ## PHP
 70 | 
 71 | ### PHP Deserialization
 72 | 
 73 | ```regex
 74 | unserialize\s?\(
 75 | unserialize_callback_func
 76 | ```
 77 | 
 78 | ### Command Execution
 79 | 
 80 | ```regex
 81 | exec\s*\(
 82 | passthru\s*\(
 83 | popen\s*\(
 84 | shell_exec\s*\(
 85 | system\s*\(
 86 | `[^`]+`
 87 | eval\s*\(
 88 | proc_open\s*\(
 89 | proc_close\s*\(
 90 | proc_get_status\s*\(
 91 | proc_nice\s*\(
 92 | proc_terminate\s*\(
 93 | ```
 94 | 
 95 | ### User Input
 96 | 
 97 | ```regex
 98 | \$_ENV\[.*\]
 99 | \$_GET\[.*\]
100 | \$_POST\[.*\]
101 | \$_COOKIE\[.*\]
102 | \$_REQUEST\[.*\]
103 | \$_FILES\[.*\]
104 | \$_SERVER\[.*\]
105 | \$HTTP_GET_VARS
106 | \$http_get_vars
107 | \$HTTP_POST_VARS
108 | \$http_post_vars
109 | \$HTTP_ENV_VARS
110 | \$http_env_vars
111 | \$HTTP_RAW_POST_DATA
112 | \$http_raw_post_data
113 | \$HTTP_POST_FILES
114 | \$http_post_files
115 | ```
116 | 
117 | ### SQL Commands
118 | 
119 | ```regex
120 | mysql_query\s*\(
121 | WHERE\s+.*=.*
122 | mysql_connect\s*\(
123 | mysql_pconnect\s*\(
124 | mysqli\s*\(
125 | (mysqli::[^ ]*|mysqli_[^ ]*)
126 | mysql_query\s*\(
127 | mysql_error\s*\(
128 | pg_connect\s*\(
129 | pg_pconnect\s*\(
130 | pg_execute\s*\(
131 | pg_insert\s*\(
132 | pg_put_line\s*\(
133 | pg_query\s*\(
134 | pg_select\s*\(
135 | pg_send_query\s*\(
136 | pg_update\s*\(
137 | sqlite_open\s*\(
138 | sqlite_query\s*\(
139 | sqlite_array_query\s*\(
140 | sqlite_create_function\s*\(
141 | sqlite_create_aggregate\s*\(
142 | sqlite_exec\s*\(
143 | sqlite_fetch_.*
144 | msql_.*
145 | mssql_.*
146 | odbc_.*
147 | fbsql_.*
148 | db2_.*
149 | sqlsrv_.*
150 | sybase_.*
151 | ibase_.*
152 | dbx_.*
153 | ingres_.*
154 | ifx_.*
155 | oci_.*
156 | px_.*
157 | ovrimos_.*
158 | maxdb_.*
159 | ```
160 | 
161 | ### File Related Functions
162 | 
163 | ```regex
164 | (include|include_once|require|require_once)
165 | file\s*\(
166 | file_get_contents\s*\(
167 | fopen\s*\(
168 | p?fsockopen\s*\(
169 | fwrite\s*\(
170 | move_uploaded_file
171 | stream_.*
172 | readfile\s*\(
173 | ```
174 | 
175 | ### Other Interesting Stuff
176 | 
177 | ```regex
178 | get_loaded_extensions
179 | getenv\s?\(
180 | putenv\s?\(
181 | apache_setenv\s?\(
182 | apache_request_headers\s?\(
183 | apache_response_headers\s?\(
184 | header\s?\(
185 | stream_context_create
186 | create_function\s?\(
187 | mail\s?\(
188 | preg_replace
189 | \<\?\=\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
190 | \<\%\=\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http)
191 | {php}
192 | ```
193 | 
194 | ### I/O Streams
195 | 
196 | ```regex
197 | php://stdin
198 | php://stdout
199 | php://stderr
200 | php://output
201 | php://input
202 | php://filter
203 | php://memory
204 | php://temp
205 | ```
206 | 
207 | ---
208 | 
209 | ## JAVA
210 | 
211 | - [FindBugs JAVA weaknesses database](https://find-sec-bugs.github.io/bugs.htm)
212 | - [Sonarqube Rules](https://rules.sonarsource.com/java)
213 | - [PMD Java Coding Patterns](https://pmd.github.io/pmd-6.18.0/pmd_rules_java.html)
214 | - [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)
215 | 
216 | ### Deserialization
217 | 
218 | ```regex
219 | \bObjectInputStream\(
220 | \breadObject\(
221 | \bdefaultReadObject\s*\(
222 | \breadUnshared\s*\(
223 | \breadResolve\s*\(
224 | \bwriteObject\s*\(
225 | \bXMLDecoder\s*\(
226 | \bXStream\b
227 | \.enableDefaultTyping\(\)
228 | \bcom\.fasterxml\.jackson\.databind\.ObjectMapper\b
229 | \bnew\s+ObjectMapper()\b
230 | \b@JsonTypeInfo\(
231 | \breadValue\([^,]+,\s*Object\.class\)
232 | \bJSON\.parseObject\b
233 | \bcom\.alibaba\.fastjson\.JSON\b
234 | ```
235 | 
236 | ### Command Execution
237 | 
238 | ```regex
239 | \bexec\s?\(
240 | ```
241 | 
242 | ### User Input
243 | 
244 | ```regex
245 | do(?:Post|Get|Put|Patch|Delete|Options|Copy|Move)\b
246 | @WebServlet\(.*
247 | \bjavax\.servlet\..*
248 | getParameter\s*\(
249 | getParameterNames\s*\(
250 | getParameterValues\s*\(
251 | getParameterMap\s*\(
252 | getQueryString\s*\(
253 | HttpServletRequest
254 | getScheme\s*\(
255 | getProtocol\s*\(
256 | getContentType\s*\(
257 | getServerName\s*\(
258 | getRemoteAddr\s*\(
259 | getRemoteHost\s*\(
260 | getRealPath\s*\(
261 | getLocalName\s*\(
262 | getAttribute\s*\(
263 | getAttributeNames\s*\(
264 | getLocalAddr\s*\(
265 | getAuthType\s*\(
266 | getRemoteUser\s*\(
267 | getCookies\s*\(
268 | getHeaderNames\s*\(
269 | getHeaders?\s*\(
270 | getPrincipal\s*\(
271 | getUserPrincipal\s*\(
272 | getRequestedSessionId\s*\(
273 | XMLReader
274 | \bCookie\b
275 | getRequestURI
276 | getRequestURL
277 | getComment\s*\(
278 | 
279 | \.get(?:Parameter(?:Names?|Values?|Map)?|QueryString|ContentType|Cookies|Header(?:s|Names)|Request(?:URL|URI))\s*\(
280 | ```
281 | 
282 | ### JSP
283 | 
284 | ```regex
285 | \brequest\.getParameter\(
286 | \bsession\.setAttribute\(
287 | \$\{[^}]+\}
288 | \.getRequestDispatcher\(                                        #look for .include(request, response)
289 | (?!.*\.jspf?['"])(?:<jsp:include\s+page|<jsp:directive\.include\s+file|<%@\s+include\s+file|<c:import\s+url)\s*=\s*["'].*
290 | <c:out.*escapeXml\s*=\s*["']false["']
291 | <%=\s+[a-zA-Z0-9_$]+\s+%>
292 | <x:transform\b.*\b(?:xml|xslt)\s*=.*(?:xml|xslt)\s*=.*>
293 | 
294 | ```
295 | 
296 | ### Servlet Response Functions
297 | 
298 | ```regex
299 | \.sendRedirect\((?:.*\.getParameter\(.*\))?
300 | setJavaScriptEnabled
301 | getWriter
302 | addCookie\s*\(
303 | \b(?:add|set)Header\s*\(
304 | \bsetStatus
305 | setAttribute\s*\(
306 | HttpServletResponse
307 | ServletOutputStream
308 | \.addHeader\("Access-Control-Allow-Origin", "\*"\)
309 | ```
310 | 
311 | ### SQL Commands
312 | 
313 | ```regex
314 | execute(?:Query|Update)\s*\(
315 | Prepared?Statement\b
316 | \b(?:SELECT|UPDATE|DELETE|WHERE|GROUP BY|HAVING|ORDER BY)\s+.*=.*
317 | (?:create|execute)[sS]tatement\s*\(
318 | get(?:Object|String)\s*\(
319 | addBatch\s*\(
320 | execute\s*\(
321 | prepareCall\s*\(
322 | jdbc:.*
323 | ```
324 | 
325 | ### Files/Streams Related Functions
326 | 
327 | ```regex
328 | \bcreateRequest\b
329 | \b(?:new )?File\b
330 | \bFiles\.exists\((?:\s*Paths\.get\()?
331 | \bfromFile\s*\(
332 | java\.io\.File
333 | \bFileReader\b
334 | \bFileWriter\b
335 | renameTo\s*\(
336 | mkdir\s*\(
337 | \bRandomAccessFile\b
338 | \bFileOutputStream\b
339 | \bHttpsURLConnection\b
340 | \bFileInputStream\b
341 | \bFilterInputStream\b
342 | \bPipedInputStream\b
343 | \bBufferedReader\b
344 | \bFileOutputStream\b
345 | \bSequenceInputStream\b
346 | \bStringBufferInputStream\b
347 | \bByteArrayInputStream\b
348 | \bSocket\s*\(
349 | \bServerSocket\s*\(
350 | \bFileNotFoundException\b
351 | (?:\bnew\s+URL(.*))?\.(?:getContent|open(?:Connection|Stream))\(\)
352 | ```
353 | 
354 | ### XXE
355 | 
356 | ```regex
357 | \.createXMLStreamReader\s*\(
358 | (?<!Pattern|RegExp|JsonPointer)(?:XPathExpression\b.*)?\.compile\s*\(
359 | (?:\bSAXParser\b.*)?\.newSAXParser\s*\(\b                                # look for parser.parse(..)
360 | (?:\bXMLReader\b.*)?\.createXMLReader\s*\(                               # look for reader.parse(...);
361 | (?:\bDocumentBuilder\b.*)?\.newDocumentBuilder\s*\(                      # look for db.parse(input);
362 | \bDocument\s.*\.parse\s*\(
363 | (?:\bTransformer\s.*)?\.newTransformer\s*\(
364 | ```
365 | 
366 | ### Spring
367 | 
368 | ```regex
369 | @(?:Request|Get|Post|Put|Delete|Patch)Mapping
370 | \.csrf\(\)\.disable\(\)
371 | \bExpression\s.*\.parseExpression\s*\(
372 | redirect\(\s*@RequestParam\(.*
373 | \bModelAndView\(
374 | <spring:eval\s*expression\s*=\s*"
375 | ```
376 | 
377 | ### Other Interesting Stuff
378 | 
379 | ```regex
380 | \bRandom\(
381 | getPropert(y|ies)\s*\(
382 | getSession\s*\(
383 | \bHTTPCookie\b
384 | \bdoPrivileged\b
385 | IS_SUPPORTING_EXTERNAL_ENTITIES
386 | eval\s*\(
387 | \bprint[Ss]tack[Tt]race\b
388 | Base64
389 | \.newTransformer\(
390 | import java\.lang\.Runtime
391 | \bXPath\b
392 | (?:\bXPath\s.*)\.newXPath\s*\(
393 | (?:\bXPathExpression\s.*)\.compile\s*\(
394 | \bNamingEnumeration\b.*\.search\s*\(
395 | (?:\bScriptEngine\s.*)?\.getEngineByName\s*\(
396 | (?!.*=\s*"\s*\+.*\+\s*")(?:String\s*)?(?:secret|token|pass(?:key|phrase|word|wd)?|api_?key|hash|user(?:name|id)?|login|admin|account(?:id)?|auth|email)[a-zA-Z0-9$_]*\s*=\s*".{4,}";
397 | \.newTransformer\s*\(
398 | Velocity\.evaluate\(
399 | BeanUtils\.populate\(
400 | \bMimeMessage\(
401 | \.setEscapeModelStrings\(false\)
402 | (?:setHeader|setRequestProperty)\("Authorization"\s*,\s*"Basic
403 | \bisActiveSession\([a-z0-9_$]+\.getRequestedSessionId\(\)\)
404 | \bTemplate\s+[a-zA-Z0-9_$]+\s*=\s*[a-zA-Z0-9_$]+.getTemplate\(
405 | ```
406 | 
407 | ---
408 | 
409 | ## C#
410 | 
411 | - [Security Code Scan Rules](https://security-code-scan.github.io/#Rules)
412 | 
413 | ### Deserialization
414 | 
415 | ```regex
416 | XmlReader
417 | XmlReader\.Create
418 | XamlReader\.Load
419 | JsonConvert.DeserializeObject
420 | \.DeserializeObject
421 | JSON.ToObject
422 | \.ToObject
423 | JsonSerializer
424 | JavaScriptSerializer
425 | SimpleTypeResolvers\s*\(
426 | XmlSerializer\s*\(
427 | DataContractSerializer\s*\(
428 | DeserializerBuilder
429 | \.Deserialize\s*\(
430 | BinaryFormatter
431 | ObjectStateFormatter
432 | SoapFormatter
433 | NetDataContractSerializer
434 | LosFormatter
435 | SerializationFormatter
436 | ```
437 | 
438 | ### Command Execution
439 | 
440 | ```regex
441 | Server\.Execute
442 | \bExecute\b
443 | \bEval\b
444 | \bProcess\b
445 | \.StartInfo\.FileName\b
446 | \.StartInfo\.Arguments\b
447 | 
448 | ```
449 | 
450 | ### User Input
451 | 
452 | ```regex
453 | System\.Net\.Cookie
454 | Cookie
455 | \.Cookies
456 | request\.cookies
457 | Request
458 | Request\.Files
459 | Request\.Headers
460 | request\.querystring
461 | request\.form
462 | request\.item
463 | request\.url
464 | request\.urlreferrer
465 | request\.useragent
466 | request\.userlanguages
467 | ```
468 | 
469 | ### Server Response Functions
470 | 
471 | ```regex
472 | response\.write
473 | innerText
474 | HttpUtility
475 | innerHTML
476 | HtmlEncode
477 | <%=
478 | UrlEncode
479 | document\.cookie
480 | HTTPOnly
481 | htmlcontrols\.
482 | webcontrols\.
483 | Response\.AddHeader
484 | Response\.Redirect
485 | ```
486 | 
487 | ### SQL Commands
488 | 
489 | ```regex
490 | \bselect\b
491 | \bdelete\b
492 | \bupdate\b
493 | \bwhere.*=.*
494 | 
495 | sp_executesql
496 | \bExecuteQuery\b
497 | \bexecuteSQL\b
498 | \bexecuteQuery\b
499 | \bSqlDataAdapter\b
500 | \bSqlConnection\b
501 | \bCreateSQLQuery\b
502 | exec sp_
503 | exec xp_
504 | execute sp_
505 | exec @
506 | setfilter
507 | sqloledb
508 | \.Provider\b
509 | ExecuteReader\b
510 | SqlDataReader\b
511 | execute @
512 | System\.Data\.sql
513 | DataSource
514 | ExecuteReader
515 | executestatement
516 | GetQueryResultInXML
517 | \bdriver\b
518 | ADODB\.recordset
519 | SqlCommand
520 | SqlDataAdapter
521 | \badodb\b
522 | Server\.CreateObject
523 | New OleDbConnection\b
524 | \bOdbcCommand\b
525 | \bSqlCommand\b
526 | Microsoft\.Jet
527 | \bStoredProcedure\b
528 | \bExecuteSqlCommand\b
529 | \bExecuteDataSet\b
530 | \bNpgsqlCommand\b
531 | ```
532 | 
533 | ### Files/Streams Related Functions
534 | 
535 | ```regex
536 | System\.IO
537 | ReadAllBytes
538 | FileSystemObject
539 | StreamReader
540 | FileInputStream
541 | GetTempFileName
542 | ```
543 | 
544 | ### XXE
545 | 
546 | ```regex
547 | \bXmlReaderSettings\b
548 | \bXmlReader\b
549 | \bXmlDocument\b
550 | ```
551 | 
552 | ### Other Interesting Stuff
553 | 
554 | ```regex
555 | Shell\.Application
556 | Shell32
557 | Server\.CreateObject
558 | \.Run\b
559 | Wscript\.Shell
560 | System\.Security\.Cryptography
561 | \bCipherMode\.(CBC|ECB|OFB)
562 | \.SetPassword\b
563 | ```
564 | 
565 | ---
566 | 
567 | ## References
568 | 
569 | - [Regular Expression: Special Groups](https://www.regular-expressions.info/refadv.html)
570 | - [graudit](https://github.com/wireghoul/graudit)
571 | - [Security Code Scan - static code analyzer for .NET](https://security-code-scan.github.io/)
572 | - [FindBugs JAVA weaknesses database](https://find-sec-bugs.github.io/bugs.htm)
573 | - [Sonarqube Rules](https://rules.sonarsource.com/java)
574 | - [PMD Java Coding Patterns](https://pmd.github.io/pmd-6.18.0/pmd_rules_java.html)
575 | - [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)
576 | - [CFR - another java decompiler](http://www.benf.org/other/cfr/)
577 | - [JD-GUI](https://java-decompiler.github.io/)
578 | 


--------------------------------------------------------------------------------