Bughound is an open-source static code analysis tool that analyzes your code and sends the results to Elasticsearch and Kibana to get useful insights about the potential vulnerabilities in your code.
Bughound has its own Elasticsearch and Kibana Docker image that is preconfigured with dashboards to give you a strong visualization for the findings.
You can detect various types of vulnerabilities such as:
- Command Injection.
- XXE.
- Unsafe Deserialization.
- And more!
Bughound can analyze PHP
and JAVA
code for now, and it contains a group of unsafe functions for these languages.
I will make sure to add more and more functions/languages coverage with time, but for now the main focus is for the project stability itself.
Please note that Bughound results are not 100% accurate, it built to help you identify potential weaknesses during your analysis to investigate.
First of all, Bughound will build a list of all the files inside your project based on the extension of the files you want to audit, then it will read each file and try to find any pre-defined unsafe functions for your project's language.
The analysis phase depends on pre-configured regex and some custom text matching to detect the potential vulnerabilities, so again, you need to do the manual analysis so you can check if these findings are exploitable.
Finally, it will send the results to the Bughound docker image which has a pre-configured Elasticsearch and Kibana that contain the customized dashboards for your findings.
The dashboards will give you details about the findings such:
- Function name.
- Category of the vulnerability.
- Line number.
- And much more!
Also using Kibana, you will be able to view the potentially vulnerable code snippet to start doing your analysis and tracing phase to check if it's exploitable or not.
Of course, you can use your own ELK stack if you want, and Bughound will do the initial configuration for you, but you will not have the pre-configured dashboards in this case.
You can install all the requirements to run Bughound code using the following command:
pip3 install -r requirements.txt
That will make sure all the requirements are installed for the code.
Also, you need to install Docker in order to run the Bughound image, more regarding this in the next section!
If you want to use your own Elasticsearch and Kibana instances, skip the docker installation step
Make sure to get the latest version of Bughound using the following command:
git clone https://github.com/mhaskar/Bughound
And after installing the requirements in the previous step you can run Bughound using the following command:
./bughound.py
You will get the main screen of Bughound.
┌─[askar@hackbook]─[/opt/bughound]
└──╼ $./bughound.py
.______ __ __ _______ __ __ ______ __ __ .__ __. _______
| _ \ | | | | / _____|| | | | / __ \ | | | | | \ | | | \
| |_) | | | | | | | __ | |__| | | | | | | | | | | \| | | .--. |
| _ < | | | | | | |_ | | __ | | | | | | | | | | . ` | | | | |
| |_) | | `--' | | |__| | | | | | | `--' | | `--' | | |\ | | '--' |
|______/ \______/ \______| |__| |__| \______/ \______/ |__| \__| |_______/
\ /
oVo
\___XXX___/
__XXXXX__
/__XXXXX__\
/ XXX \
V V1.0 Beta
[+] Example: ./bughound3.py --path vulnerable_code/ --language php --extension .php --name testproject
usage: bughound.py [-h] [--path PATH] [--git GIT] --language LANGUAGE
--extension EXTENSION --name NAME [--verbose [VERBOSE]]
bughound.py: error: argument --language is required
┌─[✗]─[askar@hackbook]─[/opt/bughound]
└──╼ $
To install the Bughound docker image, you can simply do the following:
docker pull bughound/bughound
And that will pull the latest version of the image and save it to your machine.
Once we pulled the image, we can run it using the following command:
docker run --name bughound -p5601:5601 -p 9200:9200 bughound/bughound
That will run the image under a new container called bughound
and expose the ports that are needed by Bughound to communicate Elasticsearch and Kibana to your host.
You may need to increase the max virtual memory in order to use the image, so please make sure to run this command:
sysctl -w vm.max_map_count=262144
After getting two things done, you are ready now to use Bughound!
To start the analysis process for your code, you should use Bughound.py
file which has some options, to see these options via the help banner, you can use the following command:
┌─[✗]─[askar@hackbook]─[/opt/bughound]
└──╼ $./bughound.py -h
.______ __ __ _______ __ __ ______ __ __ .__ __. _______
| _ \ | | | | / _____|| | | | / __ \ | | | | | \ | | | \
| |_) | | | | | | | __ | |__| | | | | | | | | | | \| | | .--. |
| _ < | | | | | | |_ | | __ | | | | | | | | | | . ` | | | | |
| |_) | | `--' | | |__| | | | | | | `--' | | `--' | | |\ | | '--' |
|______/ \______/ \______| |__| |__| \______/ \______/ |__| \__| |_______/
\ /
oVo
\___XXX___/
__XXXXX__
/__XXXXX__\
/ XXX \
V V1.0 Beta
[+] Example: ./bughound3.py --path vulnerable_code/ --language php --extension .php --name testproject
usage: bughound.py [-h] [--path PATH] [--git GIT] --language LANGUAGE
--extension EXTENSION --name NAME [--verbose [VERBOSE]]
optional arguments:
-h, --help show this help message and exit
--path PATH local path of the source code
--git GIT git repository URL
--language LANGUAGE the used programming language
--extension EXTENSION
extension to search for
--name NAME project name to use
--verbose [VERBOSE] show debugging messages
┌─[askar@hackbook]─[/opt/bughound]
└──╼ $
For example, to scan a local php project, you can use the following command:
./bughound.py --path /opt/dummyproject --language php --extension .php --name dummyproject
This command will create a new project called "dummyproject" in the Elasticsearch index, and crawl all the local files with the extension ".php" in the local path "/opt/dummyproject" and ship the results to Elasticsearch.
Also, you can pull a remote project from git repository using --git
switch like the following:
./bughound.py --git https://github.com/DummyCode/DummyProject --language php --extension .php --name dummyproject
Bughound will clone the code for you and save it in projects
directory, then will scan it.
If you decided to use the official Bughound docker image, you will get a couple of ready to use dashboards that will help you to do your analysis.
The following dashboards are available so far:
- Bughound main dashboard
- Command injection dashboard
- Deserialization dashboard
- XXE dashboard
These dashboards will give you statistics about the functions and code snippets that was found in the code so you can start your analysis process.
For more information about Bughound check the following articles:
This project is licensed under the GPL-3.0 License - see the LICENSE file for details