🔎 Help find Trojan Source vulnerabilities in code 👀. Useful for code review in projects with multiple collaborators

Overview

TrojanSourceFinder

TrojanSourceFinder helps developers detect "Trojan Source" vulnerabilities in source code.

A Trojan Source vulnerability allows an attacker to make malicious code appear innocent. In general, the attacker tries to deceive the reviewer by visually passing their code off as a comment. It is a serious threat because it affects many languages. Projects that accept code from multiple "untrusted" sources could be affected.

Detect evil 🔎 · Track evil 👀 · Trojan Source ❓

Detect Trojan Source

> Helps detect Trojan Source during manual code review or in CI/CD pipelines

To detect Trojan Source in a file:

tsFinder <filename>

Visualize Trojan Source

> Visualize how the code is really interpreted by machines/compilers

tsFinder is deliberately quiet. By default, it only produces output when Trojan Source code has been detected. For more verbosity, and to visualize the dangerous line, add the -v flag.
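
The kind of detection and visualization described above, sketched in Go as an added example (not tsFinder's own code). It assumes Trojan Source lines are identified by the nine Unicode bidirectional control characters; `Finding`, `ScanBidi` and the sample text are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// bidiControls lists the Unicode bidirectional control characters by abbreviation.
var bidiControls = map[rune]string{
	'\u202A': "LRE", '\u202B': "RLE", '\u202C': "PDF", '\u202D': "LRO", '\u202E': "RLO",
	'\u2066': "LRI", '\u2067': "RLI", '\u2068': "FSI", '\u2069': "PDI",
}

// Finding describes one line that contains bidirectional control characters.
type Finding struct {
	Line    int      // 1-based line number
	Names   []string // abbreviations of the controls found, in logical (byte) order
	Visible string   // the line with every control replaced by a visible <NAME> tag
}

// ScanBidi returns one Finding per line of src that contains a bidi control.
func ScanBidi(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		var names []string
		var visible strings.Builder
		for _, r := range line {
			if name, ok := bidiControls[r]; ok {
				names = append(names, name)
				visible.WriteString("<" + name + ">")
				continue
			}
			visible.WriteRune(r)
		}
		if len(names) > 0 {
			out = append(out, Finding{Line: i + 1, Names: names, Visible: visible.String()})
		}
	}
	return out
}

func main() {
	// Constructed sample: line 2 carries controls written as escapes, so this
	// file itself contains no raw bidirectional characters.
	sample := "x := 1\n// note \u202E\u2066 text \u2069\u2066\ny := 2\n"
	for _, f := range ScanBidi(sample) {
		fmt.Printf("line %d %v: %s\n", f.Line, f.Names, f.Visible)
	}
}
```

The `Visible` field shows the line in logical order, which is the order a compiler reads it in, regardless of how an editor renders it.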


Comments
  • Feature: provide a simple "baseline" functionality

    Sometimes it can be useful to have a list of files/directories that should not be scanned.

    Proposal: with -b FILENAME you can specify a text file that contains one file/directory per line to be excluded from scanning.

    (I'm on it)

    enhancement 
    opened by jensschulze 9
  • Dependency update?

    Would it be possible to upgrade the dependencies? At least one has a CVE...

    usr/bin/tsfinder (gobinary)
    ===========================
    Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    ┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
    │      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
    ├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
    │ golang.org/x/text │ CVE-2021-38561 │ UNKNOWN  │ v0.3.5            │ 0.3.7         │ Due to improper index calculation, an incorrectly formatted │
    │                   │                │          │                   │               │ language tag can cause...                                   │
    │                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-38561                  │
    └───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
    
    opened by temp 3
  • New release?

    There are several commits that haven't been released yet (for about 6 months). Would it be possible to create a new release 1.1.2 or 1.2.0?

    Thanks!

    opened by temp 2
  • Feature: implement a "sparse output" option

    Sometimes (CI/CD pipeline) it would be convenient to yield the file paths of the detected files without any surrounding text, coloring etc.

    I suppose a -q (--quiet) flag. If this flag is set, the color flag is being ignored. If the verbose flag is set, quiet will be ignored.

    enhancement 
    opened by jensschulze 2
Releases(v1.1.3)
Owner
Ariary
Security Engineer naively hoping that his technical background will one day be more effective than social engineering