Joern Hunting Guide

Vulnerability techniques, organized for review.

Browse practical Joern CPGQL patterns for native code, web code, mobile wrappers, Cordova, Flutter native layers, and Electron applications. Start broad, confirm flows, and reduce false positives with context.

Explore techniques Open README Joern docs

1. Install Joern

Download Joern from the official project and make sure the CLI commands are in your PATH.

joern --version

2. Parse local code

Create a CPG from a source directory. Add a language when Joern cannot detect it automatically.

joern-parse ./target-app --output cpg.bin.zip

3. Open the CPG

Start Joern with the generated CPG and run quick discovery queries.

joern cpg.bin.zip

4. Run a first query

Start with simple call searches, then move into source-to-sink data-flow.

cpg.call.name("(?i)(system|popen|exec.*)").code.l

Native code

C/C++, Java, JVM bytecode and low-level bugs: memory corruption, UAF, integer issues, filesystem races.

Web services

Java/JVM and web-facing flows: SQL injection, XSS, TLS mistakes, weak crypto and unsafe output.

Mobile apps

Android, iOS, Cordova and Flutter native wrappers: WebView, bridge APIs, storage, manifests and plist review.

Electron apps

Main, preload and renderer review: IPC, Node integration, filesystem access, command execution and updates.

Supported languages: The rules are written as Joern CPGQL patterns for Joern-compatible code: C/C++, Java, JavaScript, JVM bytecode, Kotlin, Swift, PHP, Python, Go, Ruby, and C#. Dart/Flutter app logic and Objective-C require extra tooling, but native wrappers can still be reviewed.

No techniques matched your search.