Flag potentially dangerous API calls in source code, a.k.a. lines containing scary strings from a security perspective!
Use this tool as a first step during a security audit on your web application's source code!
Flagged lines of code are written to a CSV file so you can track your audit progress!
The list of potentially dangerous API calls comes primarily from the Web Application Hacker's Handbook.
The basic lists from this book have been modified and augmented by adding function calls and other scary strings that I've found in my experience as well as from blog posts.
Make sure pipenv is installed.
```shell
pipenv run ./scary-strings php wordlists/php/all /path/to/php/project
pipenv run ./scary-strings python wordlists/python/object_serialization /path/to/python/project
pipenv run ./scary_strings.py python wordlists/python/all --scan-comments=True --comment-wordlist=wordlists/comments/derogatory /path/to/python/project
```
Supported languages:

- PHP
- Python (limited wordlists)
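To make the workflow concrete, here is a small scanner written as an added example for this page; it is not the project's own `scary-strings` script and does not use its wordlist files. It assumes the same idea the README describes: a wordlist is a set of literal substrings (dangerous API calls for code, derogatory or telling words for comments), every line of every source file with a matching extension is checked against them, and each hit is written to a CSV with an empty "reviewed" column so the audit can be tracked. The wordlists, the sample PHP and Python files, and the `LANGUAGES` table are all constructed for the demo.

```python
"""Added example: a minimal 'scary strings' scanner that writes hits to CSV."""
import csv
import tempfile
from pathlib import Path

# Constructed mini wordlists (not the project's wordlists/ files). Each entry is
# a literal substring whose presence in a line deserves a manual look.
PHP_WORDLIST = ["eval(", "system(", "exec(", "unserialize(", "include("]
PY_WORDLIST = ["pickle.loads(", "yaml.load(", "eval(", "subprocess.Popen("]
COMMENT_WORDLIST = ["hack", "FIXME"]

# Assumed per-language settings: which files to scan and how comments start.
LANGUAGES = {
    "php": {"extensions": {".php"}, "comment_markers": ("//", "#")},
    "python": {"extensions": {".py"}, "comment_markers": ("#",)},
}


def comment_text(line, markers):
    """Return the part of `line` from the first comment marker onward ('' if none)."""
    positions = [line.find(m) for m in markers if m in line]
    return line[min(positions):] if positions else ""


def scan_file(path, language, wordlist, comment_wordlist=None):
    """Return (file, line_no, pattern, line) for every line that contains a pattern.

    Code patterns are matched against the whole line; comment patterns, when a
    comment wordlist is given, are matched only against the comment portion.
    """
    markers = LANGUAGES[language]["comment_markers"]
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, raw in enumerate(fh, start=1):
            line = raw.rstrip("\n")
            for pat in wordlist:
                if pat in line:
                    hits.append((str(path), line_no, pat, line))
            if comment_wordlist:
                comment = comment_text(line, markers)
                for pat in comment_wordlist:
                    if comment and pat in comment:
                        hits.append((str(path), line_no, pat, line))
    return hits


def scan_tree(root, language, wordlist, comment_wordlist=None):
    """Walk `root` and scan every file whose extension belongs to `language`."""
    exts = LANGUAGES[language]["extensions"]
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in exts:
            hits.extend(scan_file(path, language, wordlist, comment_wordlist))
    return hits


def write_csv(hits, csv_path):
    """Write hits with an empty 'reviewed' column for tracking audit progress."""
    with open(csv_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["file", "line", "pattern", "code", "reviewed"])
        for file, line_no, pat, line in hits:
            writer.writerow([file, line_no, pat, line, ""])
    return csv_path


def read_csv(csv_path):
    with open(csv_path, newline="", encoding="utf-8") as fh:
        return list(csv.reader(fh))


def demo():
    """Build a constructed sample project in a temp dir, scan it, write the CSV."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "upload.php").write_text(
        "<?php\n"
        "$data = unserialize($_COOKIE['session']);\n"
        "// hack: remove before release\n"
        "echo htmlspecialchars($name);\n"
        "system('ls ' . $_GET['dir']);\n",
        encoding="utf-8",
    )
    (tmp / "loader.py").write_text(
        "import pickle\n"
        "def load(blob):\n"
        "    return pickle.loads(blob)  # FIXME\n",
        encoding="utf-8",
    )
    php_hits = scan_tree(tmp, "php", PHP_WORDLIST, COMMENT_WORDLIST)
    py_hits = scan_tree(tmp, "python", PY_WORDLIST, COMMENT_WORDLIST)
    rows = read_csv(write_csv(php_hits + py_hits, tmp / "scary.csv"))
    return php_hits, py_hits, rows


if __name__ == "__main__":
    for file, line_no, pat, line in demo()[0] + demo()[1]:
        print(f"{file}:{line_no}: [{pat}] {line.strip()}")
```

Matching is plain substring search, so a hit is a prompt to read the line, not a verdict: `htmlspecialchars(` never fires, while `unserialize(` and `system(` on attacker-influenced input are exactly the lines an auditor wants to open first. Keeping the CSV's `reviewed` column empty on output lets you mark each row as you work through it.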