
Collection of wordlists containing dangerous function calls in many languages

Results: 20 scary-strings issues

https://boostsecurityio.github.io/lotp/
https://github.com/boostsecurityio/lotp

Basically these can cause RCE in specific contexts. Could be interesting and simple to add the Go/Python examples here.

https://github.com/semgrep/semgrep-rules/pull/2601/files

Ideas:
* selfdestruct
* anything that moves assets, e.g. ERC20 and NFT functions to approve/send/transfer
* transfer vs call
* delegatecall

It would also be a good idea to check...

enhancement
help wanted

Ideas:
* invoke_signed (e.g. https://blog.neodyme.io/posts/solana_common_pitfalls/#arbitrary-signed-program-invocation)
* anything to do with calling external programs
* anything to do with transferring funds or assets

enhancement
help wanted

- [x] JavaScript - Math.random d7b097b191632d68c25ce41d5e7507b834aed6d8
- [x] Go - math/rand d7b097b191632d68c25ce41d5e7507b834aed6d8
- [ ] PHP
- [ ] Perl
- [x] Rust (28a0912)
- [ ] Python
- [...

enhancement
help wanted

Ideas:
* BeginBlocker and EndBlocker -- should be reviewed for code that can panic
* Any module function from the SDK that involves transferring funds
* UNIX time functions
* ...

enhancement
help wanted

à la this file in SecLists: https://github.com/danielmiessler/SecLists/blob/master/Pattern-Matching/errors.txt

Most of this repo is intended to be used in white-box source code analysis, but a list of error messages like this would...

enhancement

https://snyk.io/blog/top-5-c-security-risks/
https://snyk.io/blog/unintimidating-intro-to-c-cpp-vulnerabilities/
https://snyk.io/blog/exploring-3-types-of-directory-traversal-vulnerabilities-in-c-c/

e.g. printf, gets ... and more classics. It might be good to structure this to be non-overlapping with the C wordlist. It would be possible to audit...

enhancement
help wanted

Here's an example of some stuff: https://github.com/tomnomnom/gf/blob/master/examples/sec.json

Asymmetric key pairs would be a good example, e.g. RSA PRIVATE and equivalents for other algorithms. If there are common patterns for API...

enhancement
help wanted

Extract SQL function calls from popular Go libraries, like https://github.com/stripe-archive/safesql#how-does-it-work but without the SAST component.

Packages listed in the above link:
* https://pkg.go.dev/database/sql#DB
* https://github.com/jinzhu/gorm
* https://github.com/jmoiron/sqlx

Any others? That repo has not...

enhancement
help wanted