search

johnsaigle / scary-strings

Collection of wordlists containing dangerous function calls in many languages
GNU General Public License v3.0
22 stars 4 forks source link

Add more scary strings based on useful blog posts #10

Open johnsaigle opened 3 years ago

johnsaigle commented 3 years ago

e.g. https://btlr.dev/blog/how-to-find-vulnerabilities-in-code-bad-words

johnsaigle commented 3 years ago

Added some python function calls based on https://medium.com/swlh/hacking-python-applications-5d4cd541b3f1

johnsaigle commented 3 years ago

Could add JS functionality and use well known sources and sinks for DOM based XSS, at minimum

johnsaigle commented 3 years ago

https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

johnsaigle commented 3 years ago

https://portswigger.net/web-security/cross-site-scripting/dom-based, sources and sinks

UPDATE: added the sinks from the bottom of this page edefc67a08da094f71bd91e0c235f5df00cce69e

johnsaigle commented 3 years ago

https://cwe.mitre.org/data/definitions/546.html --> more suspicious comment values to search for

johnsaigle commented 2 years ago

http://blog.blueclosure.com/2017/10/javascript-dangerous-functions-part-2_29.html --> JS functions

johnsaigle commented 2 years ago

Compare also with existing work from here: https://github.com/danielmiessler/SecLists/tree/master/Pattern-Matching

johnsaigle commented 2 years ago

Some calls to dangerous C functions https://github.com/joernio/joern/blob/master/querydb/src/main/scala/io/joern/scanners/c/DangerousFunctions.scala

johnsaigle commented 2 years ago

Go unsafe functions https://github.com/jlauinger/go-geiger

johnsaigle commented 2 years ago

https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/php.yar

Extra PHP dangerous functions plus some other common tricks used by malware