{"id":565,"date":"2012-09-22T13:16:22","date_gmt":"2012-09-22T12:16:22","guid":{"rendered":"http:\/\/www.floyd.ch\/?p=565"},"modified":"2023-05-31T08:29:20","modified_gmt":"2023-05-31T07:29:20","slug":"source-code-review-grep-script","status":"publish","type":"post","link":"https:\/\/www.floyd.ch\/?p=565","title":{"rendered":"Source Code Review Grep Script"},"content":{"rendered":"

Edit: This evolved over years, see the CRASS<\/a> project.<\/p>\n

As a pentester you sometimes get access to the source code of the application you are reviewing. Sometimes you can look manually through the files, but sometimes you get million lines of code and you don’t have time to spend sitting there, reading line after line.<\/p>\n

The first approach that came to my mind was to use static code analysis tools. There are a lot of them out there, you can find lists of tools on the flawfinder<\/a> page or you can have a look at Wikipedia’s list of tools for static code analysis<\/a>. It definitely makes sense to use these tools, but it needs time to download\/compile them and most of them are written for one particular language.<\/p>\n

You will be reading a lot of code. If you want to do yourself a favour, use an IDE like eclipse to look at the code. Especially when looking at Java code you will find yourself quite often changing from one class to another and changing between files. With eclipse you only need one click for that. But still, you need different IDEs for different programming languages. So this is still not a universal approach.<\/p>\n

As a penetration tester you often want to find the interesting parts of the code. To name some interesting things: everything related to cryptography, encryption, SQL queries, file read and writes, URLs and sockets, obfuscation, passwords and so on. And there is one really universal tool that let us find these parts of the code: grep<\/a>.<\/p>\n

The script I wrote here is pretty focused on Java\/Android and Objective-C\/iOS. But I also got some JSP and spring java framework specific code. So here we go, no rocket science, but I hope it’s helpful for someone in the future.<\/p>\n

\r\n#!\/bin\/bash\r\n#\r\n# A simple code greper...\r\n#\r\n# ----------------------------------------------------------------------------\r\n# "THE BEER-WARE LICENSE" (Revision 42):\r\n# <floyd at floyd dot ch> wrote this file. As long as you retain this notice you\r\n# can do whatever you want with this stuff. If we meet some day, and you think\r\n# this stuff is worth it, you can buy me a beer in return\r\n# floyd http:\/\/floyd.ch @floyd_ch <floyd at floyd dot ch>\r\n# August 2012\r\n# ----------------------------------------------------------------------------\r\n#\r\n# Tested under MAC OSX ONLY!\r\n#\r\n# This script isn't very advanced - exactly what's needed if you don't know where to start.\r\n# It is not a real static analysis tool and it's not in any way a replacement for all the cool\r\n# tools out there (checkstyle, jlint, etc.)\r\n#\r\n \r\n \r\nif [ $# -ne 1 ]\r\nthen\r\n  echo "Usage: `basename $0` directory-to-grep-through"\r\n  exit 0\r\nfi\r\n###\r\n#OPTIONS\r\n###\r\n#Open the colored outputs with "less -R" or cat, otherwise remove --color=always\r\nADDITIONAL_GREP_ARGUMENTS="-A 1 -B 3 --color=always"\r\nTARGET=".\/grep-output"\r\n#In my opinion I would always leave all the options below here on true,\r\n#because I did find strange android code in iphone apps and vice versa. I would only\r\n#change it if the greping needs very long, you are greping a couple of hundret apps\r\n#or if you have any other performance issues with this script.\r\nDO_JAVA=true\r\nDO_SPRING=true\r\nDO_JSP=true\r\nDO_ANDROID=true\r\nDO_IOS=true\r\nDO_PHP=true\r\nDO_GENERAL=true\r\n###\r\n#END OPTIONS\r\n#Normally you don't have to change anything below here...\r\n###\r\n \r\nGREP_ARGUMENTS="-nrP"\r\nSTANDARD_GREP_ARGUMENTS=$ADDITIONAL_GREP_ARGUMENTS" "$GREP_ARGUMENTS\r\nSEARCH_FOLDER=$1\r\nmkdir $TARGET\r\n \r\necho "Your standard grep arguments: $STANDARD_GREP_ARGUMENTS"\r\necho "Output will be put into this folder: $TARGET"\r\necho "You are currently greping through folder: $SEARCH_FOLDER"\r\nsleep 2\r\n \r\n#The Java stuff\r\nif [ $DO_JAVA ]; then\r\n    SEARCH_STRING='javax.crypto|bouncy.*?castle|new\\sSecretKeySpec\\(|messagedigest'\r\n    OUTFILE="java_general_crypto.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n     \r\n    SEARCH_STRING='toString\\(\\) *==|== *toString\\(\\)|" *==|== *"'\r\n    OUTFILE="java_general_wrong_string_comparison.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #String comparison has to be done with .equals() in Java, not with ==\r\n     \r\n    SEARCH_STRING='\\.exec\\('\r\n    OUTFILE="java_general_exec.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n     \r\n    SEARCH_STRING='java\\.net\\.|java\\.io\\.|javax\\.servlet|org\\.apache\\.http'\r\n    OUTFILE="java_general_io.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n     \r\n    SEARCH_STRING='@Entity|@ManyToOne|@OneToMany|@OneToOne|@Table|@Column'\r\n    OUTFILE="java_persistent_beans.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #Special case, we only want to know matching files to know which beans get persisted, therefore -l to output matching files\r\n    grep -l $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #Find out which Java Beans get persisted with javax.persistence\r\n     \r\n    SEARCH_STRING='@Table\\(|@Column\\('\r\n    OUTFILE="java_persistent_tables_and_columns_in_database.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #Case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #The source code shows the database table\/column names... e.g. if you find a sql injection later on\r\n     \r\n    SEARCH_STRING='string .{0,10}password|string .{0,10}secret|string .{0,10}key|string .{0,10}cvv|string .{0,10}user|string .{0,10}hash(?!(table|map|set|code))|string .{0,10}passcode|string .{0,10}passphrase|string .{0,10}user|string .{0,10}pin|string .{0,10}credit'\r\n    OUTFILE="java_confidential_data_in_strings.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #http:\/\/docs.oracle.com\/javase\/1.5.0\/docs\/guide\/security\/jce\/JCERefGuide.html#PBEEx\r\nfi\r\n \r\n#The Java Spring specific stuff\r\nif [ $DO_SPRING ]; then\r\n    SEARCH_STRING="DataBinder\\.setAllowedFields"\r\n    OUTFILE="java_spring_mass_assignment.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #see e.g. http:\/\/blog.fortify.com\/blog\/2012\/03\/23\/Mass-Assignment-Its-Not-Just-For-Rails-Anymore\r\nfi\r\n \r\n#The JSP specific stuff\r\nif [ $DO_JSP ]; then\r\n    SEARCH_STRING="escape\\s*=\\s*\\"?\\s*false|escape\\s*=\\s*\\'?\\s*false"\r\n    OUTFILE="java_jsp_xss.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #can introduce XSS when using escape=false\r\n     \r\n    SEARCH_STRING="<s:file "\r\n    OUTFILE="java_jsp_file_upload.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\nfi\r\n \r\n#The Android specific stuff\r\nif [ $DO_ANDROID ]; then\r\n \r\n    SEARCH_STRING='\\.printStackTrace\\(|Log\\.(e|w|i|d|v)\\('\r\n    OUTFILE="android_logging.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #printStackTrace Logs to Android log, information leakage, etc.\r\n     \r\n    SEARCH_STRING='MODE_|\\.openFile\\(|\\.openOrCreate|\\.getDatabase\\(|\\.openDatabase\\(|\\.getShared|\\.getCache|\\.getExternalCache|query\\(|rawQuery\\(|compileStatement\\('\r\n    OUTFILE="android_access.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #Android file io and access things\r\n     \r\n    SEARCH_STRING='<intent-filter>|\\.getIntent\\(\\)\\.getData\\(\\)|RunningAppProcessInfo'\r\n    OUTFILE="android_intents.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n     \r\nfi\r\n \r\n#The iOS specific stuff\r\n \r\nif [ $DO_IOS ]; then\r\n    SEARCH_STRING='NSFileProtection|NSFileManager|NSPersistantStoreCoordinator|NSData' #sqlite, see sql.txt\r\n    OUTFILE="ios_file_access.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #File protection APIs\r\n \r\n    SEARCH_STRING='kSecAttrAccessible|SecItemAdd|KeychainItemWrapper|Security\\.h'\r\n    OUTFILE="ios_keychain.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #Keychain stuff\r\n \r\n    SEARCH_STRING='CFBundleURLSchemes|kCFStream|CFFTPStream|CFHTTP|CFNetServices|FTPURL|IOBluetooth'\r\n    OUTFILE="ios_network.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #Network stuff\r\n \r\n    SEARCH_STRING='NSLog\\('\r\n    OUTFILE="ios_logging.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n \r\n    SEARCH_STRING='initWithFormat:|informativeTextWithFormat:|format:|stringWithFormat:|appendFormat:|predicateWithFormat:|NSRunAlertPanel'\r\n    OUTFILE="ios_string_format_functions.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #just check if the first argument to these functions are user controlled, that could be a format string vulnerability\r\n \r\n    SEARCH_STRING='handleOpenURL:|openURL:'\r\n    OUTFILE="ios_url_handler.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\nfi\r\n\r\n#The PHP stuff\r\n\r\nif [ $DO_PHP ]; then\r\n    SEARCH_STRING='\\$_GET|\\$_POST'\r\n    OUTFILE="php_get_post.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    \r\n    SEARCH_STRING='crypt\\('\r\n    OUTFILE="php_crypt_call.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\nfi\r\n\r\n#The general stuff\r\n \r\nif [ $DO_GENERAL ]; then\r\n    SEARCH_STRING='\\b[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,4}\\b'\r\n    OUTFILE="email.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #Email addresses\r\n    \r\n    SEARCH_STRING='todo|workaround'\r\n    OUTFILE="todo_workaround.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n \r\n    SEARCH_STRING='hack|crack|exploit|bypass|backdoor|backd00r'\r\n    OUTFILE="exploit.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" | grep -vE 'Ack|setCdrBackdoor' | grep -viE 'imageshack' > $TARGET\/$OUTFILE\r\n \r\n    SEARCH_STRING='https?:\/\/'\r\n    OUTFILE="https_and_http_urls.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #All URIs\r\n \r\n    SEARCH_STRING='http:\/\/|ftp:\/\/|imap:\/\/|file:\/\/'\r\n    OUTFILE="no_ssl_uris.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #Non-SSL URIs\r\n \r\n    SEARCH_STRING='malloc\\(|realloc\\('\r\n    OUTFILE="initialisation.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #rather rare bug, but see issues CVE-2010-0041 and CVE-2010-0042... could also happen in java\/android native code...\r\n \r\n    SEARCH_STRING='memcpy\\(|memset\\(|strcat\\(|strcpy\\(|strncat\\(|strncpy\\(|sprintf\\(|gets\\('\r\n    OUTFILE="insecure_c_functions.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #memcpy\r\n    #memset\r\n    #strcat --> strlcat\r\n    #strcpy --> strlcpy\r\n    #strncat --> strlcat\r\n    #strncpy --> strlcpy\r\n    #sprintf --> snprintf\r\n    #vsprintf --> vsnprintf\r\n    #gets --> fgets\r\n \r\n    SEARCH_STRING='default.?password|passwo?r?d|passcode|hash.?(?!(table|map|set|code))|pass.?phrase|salt|encryption.?key|encrypt.?key|BEGIN CERTIFICATE---|PRIVATE KEY---|Proxy-Authorization|pin'\r\n    OUTFILE="keys.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n \r\n    SEARCH_STRING='root.*?detection|rooted.*?Device|is.*?rooted|detect.*?root|jail.*?break'\r\n    OUTFILE="root.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n \r\n    SEARCH_STRING='sql.{0,10}injection|xss|click.{0,10}jacking|xsrf|directory.{0,10}listing|buffer.{0,10}overflow|obfuscate'\r\n    OUTFILE="hacking_techniques.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #e.g. find prevention techniques...\r\n \r\n    SEARCH_STRING='`.{2,100}`'\r\n    OUTFILE="backticks.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #-I for binaries=without-match\r\n    grep -I $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #anything between backticks is suspicious, thinking about command execution in perl scripts in cgi-bin directories...\r\n    SEARCH_STRING='location\\.hash|location\\.href|location\\.pathname|location\\.search|eval\\(|\\.appendChild\\(|document\\.write\\(|document\\.writeln\\(|\\.innerHTML\\s*?=|\\.outerHTML\\s*?='\r\n    OUTFILE="dom_xss.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    #case sensitive...\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n \r\n    SEARCH_STRING='SELECT.*?FROM|INSERT.*?INTO|DELETE.*?WHERE|sqlite'\r\n    OUTFILE="sql.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n \r\n    SEARCH_STRING='^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$'\r\n    OUTFILE="base64.txt"\r\n    #case sensitive, the regex is insensitive anyway\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #Sometimes developers try to hide stuff in base64...\r\n \r\n    SEARCH_STRING='GNU\\sGPL|GPLv2|GPLv3|GPL\\sVersion|General\\sPublic\\sLicense'\r\n    OUTFILE="gpl.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\n    #GPL violation, not security related, but your customer might be happy to know such stuff...\r\n \r\n    SEARCH_STRING='stupid|fuck|shit|crap'\r\n    OUTFILE="swear.txt"\r\n    echo "Searching for $SEARCH_STRING --> writing to $OUTFILE"\r\n    grep -i $STANDARD_GREP_ARGUMENTS "$SEARCH_STRING" "$SEARCH_FOLDER" > $TARGET\/$OUTFILE\r\nfi\r\n \r\necho "Done grep. Results in $TARGET. Have a grepy day."\r\n<\/pre>\n
Of course the script produces a lot of false positives, but it should be a tool that supports you in your manual analysis. I’m sure there are a million more interesting strings we can add to the script. If you think something is missing, leave it in the comments and I’ll add it.<\/p>\n
Oh and if you already looked at one version of a source code and you get a new version, you better use the “diff” command line tool and first have a look at the parts that changed.<\/p>\n","protected":false},"excerpt":{"rendered":"
Edit: This evolved over years, see the CRASS project. As a pentester you sometimes get access to the source code of the application you are reviewing. Sometimes you can look manually through the files, but sometimes you get million lines … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[90,10],"tags":[158,93,91,92,94,95],"class_list":["post-565","post","type-post","status-publish","format-standard","hentry","category-code-review","category-mobile-security","tag-android","tag-code-review-2","tag-grep","tag-ios","tag-source-code","tag-static-analysis"],"_links":{"self":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/565","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=565"}],"version-history":[{"count":18,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/565\/revisions"}],"predecessor-version":[{"id":1368,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/565\/revisions\/1368"}],"wp:attachment":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}