wh1t3p1g
diff --git a/‎.gitignore
+10-6 b/‎.gitignore
+10-6
diff --git a/‎LICENSE
+21 b/‎LICENSE
+21
diff --git a/‎README.md
+76 b/‎README.md
+76
diff --git a/‎README_EN.md
+76 b/‎README_EN.md
+76
diff --git a/‎config/settings.properties
+54 b/‎config/settings.properties
+54
diff --git a/‎logo.png
149 KB b/‎logo.png
149 KB
diff --git a/‎papers/Tabby Simplifying the Art of Java Vulnerability Hunting.pdf
3.96 MB b/‎papers/Tabby Simplifying the Art of Java Vulnerability Hunting.pdf
3.96 MB
diff --git a/‎papers/tabby java code review like a pro.pdf
44 MB b/‎papers/tabby java code review like a pro.pdf
44 MB
diff --git a/‎pom.xml
+103 b/‎pom.xml
+103
diff --git a/‎rules/basicClasses.json
+23 b/‎rules/basicClasses.json
+23
@@ -1,7 +1,7 @@
 HELP.md
 .gradle
 build/
-!gradle/wrapper/gradle-wrapper.jar
+
 !**/src/main/**/build/
 !**/src/test/**/build/
 
@@ -52,9 +52,13 @@ runtime.json
 *.db
 ignores.json
 cql.txt
-env/data
-env/import
-.DS_Store
-jre_libs
 *.jar
-db.properties
+
+.DS_Store
+*.tar.gz
+config/db.properties
+rules/cyphers.yml
+target/
+release
+**/src/test/**
+output
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 wh1t3P1g
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,76 @@
+![img.png](logo.png)
+# 
+![Java version](https://img.shields.io/badge/Java-17-blue.svg)
+![License](https://img.shields.io/badge/License-MIT-green.svg)
+![Blackhat](https://img.shields.io/badge/Blackhat-Arsenal%202024-red.svg)
+
+TABBY 是一款针对 Java 语言的静态代码分析工具，可用于快速发现多种类型的 Java 语言相关的漏洞。
+
+TABBY 使用静态分析框架 [Soot](https://github.com/soot-oss/soot) 作为语义提取工具，将JAR/WAR/CLASS文件转化为代码属性图，
+并使用 [Neo4j](https://neo4j.com/) 图数据库来存储生成的代码属性图CPG。
+
+此外，通过扩展 Neo4j 的[路径遍历逻辑](https://github.com/wh1t3p1g/tabby-path-finder)，TABBY 可以使用简单的 cypher 语句即可完成复杂污点分析输出潜在的漏洞调用链路。
+
+## #1 使用方法
+
+使用 Tabby 需要有以下环境：
+- JAVA 环境
+- 可用的 Neo4j 图数据库
+- Neo4j Browser 或者其他 Neo4j 可视化的工具或者 Tabby 的 IDEA [插件](https://github.com/wh1t3p1g/tabby-intellij-plugin)
+
+具体的使用方法参见： [Tabby Quick Start](https://www.yuque.com/wh1t3p1g/tp0c1t/lf12lg69ngh47akx)
+
+## #2 Tabby的适用人群
+
+开发 Tabby 的初衷是想要提高代码审计的效率，尽可能的减少人工检索的工作量
+
+使用 tabby 生成的代码属性图可以完成以下的工作场景：
+
+- 挖掘目标项目中的反序列化利用链，支持大多数序列化机制，包括 Java 原生序列化机制、Hessian、XStream 等
+- 挖掘目标项目中的常见 Web 漏洞，支持分析 WAR/JAR/FATJAR/JSP/CLASS 文件
+- 搜索符合特定条件的函数、类，譬如检索调用了危险函数的静态函数
+
+利用 tabby 生成后的代码属性图，在 Neo4j 图数据库中进行动态自定义漏洞挖掘/利用链挖掘。
+
+## #3 成果
+
+- [现有利用链覆盖](https://github.com/wh1t3p1g/tabby/wiki/%E7%8E%B0%E6%9C%89%E5%88%A9%E7%94%A8%E9%93%BE%E8%A6%86%E7%9B%96)
+- papers && slides
+    - KCon 2022 [Tabby: Java Code Review Like A Pro](https://github.com/wh1t3p1g/tabby/blob/v2/papers/tabby%20java%20code%20review%20like%20a%20pro.pdf)
+    - KCon 议题补充 [基于代码属性图的自动化漏洞挖掘实践](https://blog.0kami.cn/blog/2023/%E5%9F%BA%E4%BA%8E%E4%BB%A3%E7%A0%81%E5%B1%9E%E6%80%A7%E5%9B%BE%E7%9A%84%E8%87%AA%E5%8A%A8%E5%8C%96%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98%E5%AE%9E%E8%B7%B5/)
+    - DSN 2023 [Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities](https://ieeexplore.ieee.org/document/10202660)
+    - BlackHat EU 2024 [Tabby: Simplifying the Art of Java Vulnerability Hunting](https://github.com/wh1t3p1g/tabby/blob/v2/papers/Tabby%20Simplifying%20the%20Art%20of%20Java%20Vulnerability%20Hunting.pdf)
+    - ICASSP 2025 [VulKiller: Java Web Vulnerability Detection with Code Property Graph and Large Language Models]()
+- CVEs
+  - CVE-2021-21346 [如何高效的挖掘 Java 反序列化利用链？](https://blog.0kami.cn/2021/03/14/java-how-to-find-gadget-chains/)
+  - CVE-2021-21351
+  - CVE-2021-39147 [如何高效地捡漏反序列化利用链？](https://www.anquanke.com/post/id/251814)
+  - CVE-2021-39148
+  - CVE-2021-39152 [m0d9](http://m0d9.me/2021/08/29/XStream%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%EF%BC%88%E4%B8%89%EF%BC%89%E2%80%94%E2%80%94Tabby%20CVE%E4%B9%8B%E6%97%85/)
+  - CVE-2021-43297
+  - CVE-2022-39198 [yemoli](https://yml-sec.top/2022/12/30/%E4%BB%8Ecve-2022-39198%E5%88%B0%E6%98%A5%E7%A7%8B%E6%9D%AFdubboapp/#CVE-2022-39198%E6%8C%96%E6%8E%98)
+  - CVE-2023-23638
+
+## #4 常见问题
+
+- [常见问题](https://www.yuque.com/wh1t3p1g/tp0c1t/ueduxuz6fmxhpoyb)
+
+如果使用中存在其他问题，欢迎在 [discussions](https://github.com/wh1t3p1g/tabby/discussions) 提问！
+
+如果使用中发现了 Tabby 实现上的 bug，欢迎在 [issues](https://github.com/wh1t3p1g/tabby-path-finder/issues) 提交相关错误详情！
+
+## #5 初衷&致谢
+
+当初，在进行利用链分析的过程中，深刻认识到这一过程是能被自动化所代替的（不管是 Java 还是 PHP）。但是，国内很少有这方面工具的开源。GI 工具实际的检测效果其实并不好，为此，依据我对程序分析的理解，开发了 tabby 工具。我对 tabby 工具期望不单单只是在利用链挖掘的应用，也希望后续能从漏洞分析的角度利用 tabby 的代码属性图进行分析。我希望 tabby 能给国内的 Java 安全研究人员带来新的工作模式。
+
+当然，当前版本的 tabby 仍然存在很多问题可以优化，希望有程序分析经验的师傅能一起加入 tabby 的建设当中，有啥问题可以直接联系我哦！
+
+如果 tabby 给你的工作带来了便利，请不要吝啬你的🌟哦！
+
+如果你使用 tabby 并挖到了漏洞，非常欢迎提供相关的成功案例 XD
+
+如果你有能力一起建设，也可以一起交流，或直接 PR，或直接 issue
+
+- 优秀的静态分析框架 [soot](https://github.com/soot-oss/soot)
+- [gadgetinspector](https://github.com/JackOfMostTrades/gadgetinspector)
+- [ysoserial](https://github.com/frohoff/ysoserial) 和 [marshalsec](https://github.com/mbechler/marshalsec)
@@ -0,0 +1,76 @@
+![img.png](logo.png)
+# 
+![Java version](https://img.shields.io/badge/Java-17-blue.svg)
+![License](https://img.shields.io/badge/License-MIT-green.svg)
+![Blackhat](https://img.shields.io/badge/Blackhat-Arsenal%202024-red.svg)
+
+TABBY is a static code analysis tool tailored for the Java language, designed to swiftly uncover a multitude of vulnerabilities specific to Java.
+
+TABBY leverages the [Soot](https://github.com/soot-oss/soot) static analysis framework as its semantic extraction engine to convert JAR/WAR/CLASS files into Code Property Graphs (CPGs). It then employs the [Neo4j](https://neo4j.com/) graph database to store these generated CPGs.
+
+Furthermore, by extending Neo4j's [path traversal logic](https://github.com/wh1t3p1g/tabby-path-finder), TABBY can perform complex taint analysis and output potential vulnerability call chains with straightforward Cypher queries.
+
+## #1 Usage
+
+To use Tabby, the following environment requirements must be met:
+
+- JAVA Environment
+- An available Neo4j graph database
+- Neo4j Browser or another visualization tool for Neo4j, or the [Tabby IDEA Plugin](https://github.com/wh1t3p1g/tabby-intellij-plugin)
+
+For detailed instructions on how to use Tabby, please refer to the [Tabby Quick Start Guide](https://www.yuque.com/wh1t3p1g/tp0c1t/lf12lg69ngh47akx).
+
+## #2 Target Audience for Tabby
+
+The development of Tabby was initiated with the aim of enhancing the efficiency of code audits and minimizing the workload associated with manual searches.
+
+With the Code Property Graphs generated by Tabby , the following scenarios can be addressed:
+
+- Identifying deserialization exploitation chains within target projects, supporting a wide range of serialization mechanisms, including Java's native serialization, Hessian, XStream, and others.
+- Uncovering common web vulnerabilities within target projects, capable of analyzing WAR/JAR/FATJAR/JSP/CLASS files.
+- Searching for functions or classes that meet specific criteria, such as static methods that invoke dangerous functions.
+
+By leveraging the Code Property Graphs generated by Tabby, users can conduct dynamic, custom vulnerability mining and exploitation chain analysis within the Neo4j graph database.
+
+## #3 Achievements
+
+- [Existing Exploit Chain Coverage](https://github.com/wh1t3p1g/tabby/wiki/%E7%8E%B0%E6%9C%89%E5%88%A9%E7%94%A8%E9%93%BE%E8%A6%86%E7%9B%96)
+- Papers && Slides
+  - KCon 2022 [Tabby: Java Code Review Like A Pro](https://github.com/knownsec/KCon/blob/master/2022/tabby%20java%20code%20review%20like%20a%20pro%E3%80%90KCon2022%E3%80%91.pdf)
+  - KCon Topic Supplement [Automated Vulnerability Mining Practice Based on Code Property Graphs](https://blog.0kami.cn/blog/2023/%E5%9F%BA%E4%BA%8E%E4%BB%A3%E7%A0%81%E5%B1%9E%E6%80%A7%E5%9B%BE%E7%9A%84%E8%87%AA%E5%8A%A8%E5%8C%96%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98%E5%AE%9E%E8%B7%B5/)
+  - DSN 2023 [Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities](https://ieeexplore.ieee.org/document/10202660)
+  - BlackHat EU 2024 [Tabby: Simplifying the Art of Java Vulnerability Hunting](https://github.com/wh1t3p1g/tabby/blob/v2/papers/Tabby%20Simplifying%20the%20Art%20of%20Java%20Vulnerability%20Hunting.pdf)
+  - ICASSP 2025 [VulKiller: Java Web Vulnerability Detection with Code Property Graph and Large Language Models]() 
+- CVEs
+  - CVE-2021-21346
+  - CVE-2021-21351
+  - CVE-2021-39147
+  - CVE-2021-39148
+  - CVE-2021-39152 m0d9
+  - CVE-2021-43297
+  - CVE-2022-39198 yemoli
+  - CVE-2023-23638
+
+## #4 Frequently Asked Questions
+
+- [FAQ](https://www.yuque.com/wh1t3p1g/tp0c1t/ueduxuz6fmxhpoyb)
+
+If you encounter any other issues while using Tabby, feel free to ask in the [discussions](https://github.com/wh1t3p1g/tabby/discussions)!
+
+If you discover any bugs in the implementation of Tabby, please submit the relevant error details in the [issues](https://github.com/wh1t3p1g/tabby-path-finder/issues) section.
+
+## #5 Motivation & Acknowledgments
+
+Initially, during the process of exploit chain analysis, it became clear that this process could be automated (whether for Java or PHP). However, there was a noticeable lack of open-source tools in this area within China. Existing GI tools did not perform well in practical detection scenarios. Based on my understanding of program analysis, I developed the Tabby tool. My vision for Tabby extends beyond just exploit chain mining; I also hope that it can be utilized from a vulnerability analysis perspective, leveraging its Code Property Graphs for deeper insights. It is my wish that Tabby introduces a new working model for Java security researchers.
+
+Of course, the current version of Tabby still has many areas for improvement, and I welcome developers with experience in program analysis to join in the development of Tabby. If you have any questions, feel free to contact me directly!
+
+If Tabby has facilitated your work, please do not hesitate to give it a star ⭐!
+
+If you discover vulnerabilities using Tabby, we warmly welcome you to share related success stories.
+
+If you are able to contribute to its development, let's engage in discussions, or submit Pull Requests or Issues directly.
+
+- [soot](https://github.com/soot-oss/soot)
+- [gadgetinspector](https://github.com/JackOfMostTrades/gadgetinspector)
+- [ysoserial](https://github.com/frohoff/ysoserial) && [marshalsec](https://github.com/mbechler/marshalsec)
@@ -0,0 +1,54 @@
+# targets to analyse
+tabby.build.target                        = cases/java-sec-code-1.0.0.jar
+tabby.build.libraries                     = libs
+tabby.build.mode                          = web
+#tabby.build.mode                          = gadget
+tabby.output.directory                    = ./output/dev
+tabby.build.rules.directory               = ./rules
+tabby.build.thread.size                   = max
+
+# settings for jre environments
+tabby.build.useSettingJRE                 = false
+tabby.build.isJRE9Module                  = false
+#tabby.build.javaHome                      = /Library/Java/JavaVirtualMachines/graalvm-jdk-17.0.9+11.1/Contents/Home
+#tabby.build.javaHome                      = /Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
+#tabby.build.javaHome                      = /Library/Java/JavaVirtualMachines/zulu-21.jdk/Contents/Home
+tabby.build.javaHome                      = /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home
+
+# debug
+tabby.debug.details                       = false
+tabby.debug.print.current.methods         = true
+
+# jdk settings
+tabby.build.isJDKProcess                  = false
+tabby.build.withAllJDK                    = false
+tabby.build.isJDKOnly                     = false
+
+# dealing fatjar
+tabby.build.checkFatJar                   = true
+
+# set false for debug
+tabby.build.removeNotPollutedCallSite     = true
+
+# pointed-to analysis types
+tabby.build.interProcedural               = true
+tabby.build.onDemandDrive                 = false
+
+# pointed-to analysis settings
+tabby.build.analysis.everything           = true
+tabby.build.isPrimTypeNeedToCreate        = false
+tabby.build.thread.timeout                = 2
+tabby.build.method.timeout                = 5
+tabby.build.alias.maxCount                = 5
+tabby.build.array.maxLength               = 25
+tabby.build.method.maxDepth               = 500
+tabby.build.method.maxBodyCount           = 8000
+tabby.build.object.maxTriggerTimes        = 300
+tabby.build.object.field.k.limit          = 10
+tabby.build.with.cache.enable             = false
+tabby.build.isNeedToCreateIgnoreList      = false
+tabby.build.isNeedToDealNewAddedMethod    = true
+tabby.build.timeout.forceStop             = true
+
+# plugin settings
+tabby.build.isNeedToProcessXml            = true
@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>3.3.0</version>
+        <relativePath/> <!-- lookup parent from repository -->
+    </parent>
+    <groupId>org.tabby</groupId>
+    <artifactId>tabby</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <name>tabby</name>
+    <description>A CAT called Tabby</description>
+
+    <properties>
+        <java.version>17</java.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.soot-oss</groupId>
+            <artifactId>soot</artifactId>
+            <version>4.5.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-jasper</artifactId>
+            <version>10.1.18</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant</artifactId>
+            <version>1.10.12</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.12.0</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>33.2.1-jre</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.code.gson</groupId>
+            <artifactId>gson</artifactId>
+            <version>2.11.0</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <finalName>tabby</finalName>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+                <configuration>
+                    <excludes>
+                        <exclude>
+                            <groupId>org.projectlombok</groupId>
+                            <artifactId>lombok</artifactId>
+                        </exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <repositories>
+        <repository>
+            <id>jitpack.io</id>
+            <url>https://jitpack.io</url>
+        </repository>
+    </repositories>
+
+</project>
@@ -0,0 +1,23 @@
+[
+  "io.netty.channel.ChannelFutureListener",
+  "scala.runtime.java8.JFunction2$mcIII$sp",
+  "scala.runtime.java8.JFunction1$mcII$sp",
+  "scala.runtime.java8.JFunction0$mcV$sp",
+  "scala.runtime.java8.JFunction0$mcZ$sp",
+  "scala.runtime.java8.JFunction0$mcJ$sp",
+  "scala.runtime.java8.JFunction0$mcI$sp",
+  "scala.runtime.java8.JFunction1$mcZJ$sp",
+  "scala.runtime.java8.JFunction1$mcZI$sp",
+  "scala.runtime.java8.JFunction1$mcVI$sp",
+  "scala.runtime.java8.JFunction0$mcD$sp",
+  "scala.runtime.java8.JFunction0$mcF$sp",
+  "scala.runtime.java8.JFunction0$mcS$sp",
+  "scala.runtime.java8.JFunction0$mcB$sp",
+  "com.codahale.metrics.Gauge",
+  "java.net.URI",
+  "sun.reflect.generics.repository.ClassRepository",
+  "java.security.PermissionCollection",
+  "sun.reflect.generics.tree.ClassTypeSignature",
+  "java.net.URI$Parser",
+  "sun.reflect.generics.visitor.TypeTreeVisitor"
+]