🔎 Help find Trojan Source vulnerability in code 👀 . Useful for code review in project with multiple collaborators

Last update: Jun 13, 2022

Related tags

Overview

TrojanSourceFinder

TrojanSourceFinder helps developers detect "Trojan Source" vulnerability in source code.

Trojan Source vulnerability allows an attacker to make malicious code appear innocent. In general, the attacker tries to lure by passing his code off as a comment (visually). It is a serious threat because it concerns many languages. Projects with multiple "untrusted" sources could be concerned

Detect evil 🔎 · Track evil 👀 · Trojan Source ❓

Detect Trojan Source

> Help the detection of Trojan source for manual code review or with CI/CD pipelines

To detect Trojan source in file :

tsFinder <filename>

Visualize Trojan Source

> Visualize how the code is really interpreted by machines/compiler

tsFinder is deliberately not very verbose. By default, it will only output if Trojan Source code has been detected. To have more verbosity and visualize the dangerous line add the flag -v

Issues

Feature: provide a simple "baseline" functionality

Sometimes it can be useful to have a list of files/directories that should not be scanned.

Proposal: with -b FILENAME you can specify a text file that contains one file/directory per line to be excluded from scanning.

(I’m on it)
enhancement

opened by jensschulze 9

Dependency update?

Would it be possible to upgrade the dependencies? At least one has a CVE...

usr/bin/tsfinder (gobinary)
===========================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2021-38561 │ UNKNOWN  │ v0.3.5            │ 0.3.7         │ Due to improper index calculation, an incorrectly formatted │
│                   │                │          │                   │               │ language tag can cause...                                   │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-38561                  │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

opened by temp 3

New release?

There are several commits that haven't been released yet (since about 6 months), would it be possible to create a new release 1.1.2 oder 1.2.0?

Thanks!

opened by temp 2
Feature: implement a "sparse output" option

Sometimes (CI/CD pipeline) it would be convenient to yield the file paths of the detected files without any surrounding text, coloring etc.

I suppose a -q (--quiet) flag. If this flag is set, the color flag is being ignored. If the verbose flag is set, quiet will be ignored.
enhancement

opened by jensschulze 2

Releases(v1.1.3)

v1.1.3(Jun 13, 2022)

Update dependencies (for security purpose)
Source code(tar.gz)
Source code(zip)
tsfinder(4.23 MB)
v1.1.2(Jun 4, 2022)
Added

ability to exclude file (flag -e) https://github.com/ariary/TrojanSourceFinder/issues/3

code improvment https://github.com/ariary/TrojanSourceFinder/issues/1

Source code(tar.gz)
Source code(zip)
tsfinder(4.31 MB)
v1.1.1(Nov 10, 2021)
make verbosity as low as possible (only if scan has detected things)

change exit code if scan detect something (for pipelines mainly)

add -t flag to only scan text file

Source code(tar.gz)
Source code(zip)
tsfinder(5.78 MB)
v1.1.0(Nov 6, 2021)

add homoglyph detection
Source code(tar.gz)
Source code(zip)
tsfinder(5.54 MB)
v1.0.0(Nov 5, 2021)
tsfinder first release:

detect trojan source in file and recursively in directory

color output

print dangerous line

Source code(tar.gz)
Source code(zip)
tsfinder(3.97 MB)

Owner

Ariary

Security Engineer naively hoping that his technical background will one day be more effective than social engineering

GitHub Repository

A detector for the Trojan Source and other unicode-based vulnerabilities.

Trojan Source Detector This application detects Trojan Source attacks in source code. It can be used as part of the CI system to make sure there are n

5 Jan 6, 2022

Go-sec-code is a project for learning Go vulnerability code.

Welcome to go-sec-code ?? Go-sec-code is a project for learning Go vulnerability code. ?? Homepage Introduction 用beego作为后端框架开发的go语言靶场，目前已经完成 commandIn

4 May 27, 2022

Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

Lightweight static analysis for many languages. Find bugs and enforce code standards. Semgrep is a fast, open-source, static analysis tool that finds

6.7k Jun 29, 2022

A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin (CVE-2021-26855).

proxylogscan This tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and imperson

139 Jun 12, 2022

A fast tool to scan CRLF vulnerability written in Go

CRLFuzz A fast tool to scan CRLF vulnerability written in Go Resources Installation from Binary from Source from GitHub Usage Basic Usage Flags Target

725 Jun 27, 2022

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices

Vuls: VULnerability Scanner Vulnerability scanner for Linux/FreeBSD, agent-less, written in Go. We have a slack team. Join slack team Twitter: @vuls_e

9.3k Jun 24, 2022

Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.

Fast and customisable vulnerability scanner based on simple YAML based DSL. How • Install • For Security Engineers • For Developers • Documentation •

8.7k Jun 26, 2022

The Go Vulnerability Database

The Go Vulnerability Database golang.org/x/vulndb This repository is a prototype of the Go Vulnerability Database. Read the Draft Design. Neither the

369 Jun 23, 2022

Super Java Vulnerability Scanner

XiuScan 不完善，正在开发中介绍一个纯Golang编写基于命令行的Java框架漏洞扫描工具致力于参考xray打造一款高效方便的漏扫神器计划支持Fastjson、Shiro、Struts2、Spring、WebLogic等框架 PS: 取名为XiuScan因为带我入安全的大哥是修君特点

116 Dec 30, 2021

Proof-of-Concept tool for CVE-2021-29156, an LDAP injection vulnerability in ForgeRock OpenAM v13.0.0.

2 Apr 13, 2022

A vulnerability scanner for container images and filesystems

4k Jun 24, 2022

Grafana Arbitrary File Reading Vulnerability

GrafanaArbitraryFileRead Usage 1. show info ❯ go run main.go -s [INF] VulnInfo: { "Name": "Grafana Ar

25 Feb 2, 2022

Scans and catches callbacks of systems that are impacted by Log4J Log4Shell vulnerability across specific headers.

Log4ShellScanner Scans and catches callbacks of systems that are impacted by Log4J Log4Shell vulnerability across specific headers. Very Beta Warning!

56 Jun 17, 2022

A minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2021-44228.

jndi-ldap-test-server This is a minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2

9 Feb 6, 2022

A tool for checking log4shell vulnerability mitigations

log4shell-ldap A tool for checking log4shell vulnerability mitigations. Usage: Build a container image: docker build . -t log4shell Run it: docker run

26 Jan 25, 2022

Log4j 2 (CVE-2021-44228) vulnerability scanner for Windows OS

log4j-scanner Log4j 2 (CVE-2021-44228) vulnerability scanner for Windows OS. Example Usage Usage .\log4j-scanner.exe Terminal is used to output resul

0 Dec 13, 2021

Scanner to send specially crafted requests and catch callbacks of systems that are impacted by Log4J Log4Shell vulnerability (CVE-2021-44228)

scan4log4shell Scanner to send specially crafted requests and catch callbacks of systems that are impacted by Log4J Log4Shell vulnerability CVE-2021-4

11 Feb 27, 2022

Tool to check whether one of your applications is affected by a vulnerability in log4j: CVE-2021-44228

log4shell.tools log4shell.tools is a tool allows you to run a test to check whether one of your applications is affected by a vulnerability in log4j:

57 May 26, 2022

Ghec vulnerability alerts report for golang

ghec-vulnerability-alerts-report TODO Install $ go get github.com/stoe/ghec-vulnerability-alerts-report Usage $ ghec-vulnerability-alerts-report [opti

3 Jan 14, 2022