CSbyGB - Pentips

Secure code review


Last updated 7 months ago

Secure code review is a systematic process that involves examining an application’s source code to identify and address security vulnerabilities.

Notes from my practice and from the OWASP DevSlop video with Vickie Li. I definitely recommend checking it out; it is really well explained.

Notes from OWASP DevSlop video

Tips from Vickie Li. Watch the full video. Examples will be taken from

How to prep

Tools needed for manual code review

  • A good code editor or IDE. It is better if this tool:

    • Allows global searches across the code base

    • Allows regex searches

  • Scripting tools and a terminal (to create test and run experiments)

Prereqs

  • High level overview of how the app works

  • Where the important functionalities are

  • Who are the users

  • Who should be able to do what

  • Major frameworks and libraries

  • Add-ons and plugins used

  • What can go wrong (common vulns)

Code

Where to find code:

  • Client-side code

  • Desktop or mobile app source code

  • Leak code through a vulnerability (path traversal, etc)

  • OSINT: Github, pastebin, ...

  • Reverse the binary

Concepts

  • Source = the code where untrusted (user-controlled) input enters, which allows a vulnerability to happen

  • Sink = where the vulnerability actually happens

Example: code injection. The source is where the user input is taken; the sink is the function that executes arbitrary system commands.

IMG Source: Video from OWASP Devslop

Quick start hunting

How to find the most critical vulnerabilities fast

  • Search for known dangerous functions used on user-supplied input.

  • Search for hardcoded credentials such as API keys, encryption keys, and database passwords.

    • Regex for AWS Access key ID "AKIA[0-9A-Z]{16}"

  • Search for weak cryptography or hashing algorithms (grep on the weak algorithm name)

  • Search for outdated dependencies (lots of vulnerabilities are introduced by 3rd party code)

  • Search for revealing developer comments (they might contain sensitive information)

Example Command injection

  • Look for a dangerous function such as eval(). In your code editor or with grep search for the string "eval("

For example in Tarpit-java:

It gets the user input from the request and uses eval on it directly.

Example regex search on code base for hardcoded creds

In tarpit-java search for the following regex: "AKIA[0-9A-Z]{16}". It will identify strings that start with AKIA followed by exactly 16 characters from the set in the brackets (0 to 9 and A to Z). This is what an AWS Access key ID looks like.

So in my Codium the search looks like this.

And we actually found a result:
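As an added example (not code from the page or from Tarpit-java), the quick-start greps above expressed as one Python scan over a constructed Java snippet. The categories and the AWS key regex are the ones listed above; the sample file and the weak-crypto and comment patterns are my assumptions.

```python
import re

# Constructed sample in the spirit of the Tarpit-java examples above (not the
# project's real code): one servlet-style file with several review findings.
# The AWS key is the documented example key, not a real credential.
SAMPLE_JAVA = """\
package demo;
// TODO: remove the test credentials before release, password is hunter2
public class QuickStart {
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    public String render(javax.servlet.http.HttpServletRequest request) throws Exception {
        String expr = request.getParameter("expr");
        return String.valueOf(engine.eval(expr));
    }
    byte[] digest(byte[] in) throws Exception {
        return java.security.MessageDigest.getInstance("MD5").digest(in);
    }
}
"""

# One regex per quick-start hunting category from the notes above.
PATTERNS = {
    "dangerous_function": re.compile(r"\b(eval|exec)\s*\("),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "weak_crypto": re.compile(r'"(MD5|SHA-?1|DES|RC4)"|/ECB/'),
    "revealing_comment": re.compile(r"//.*\b(TODO|FIXME|password|secret)\b", re.I),
}


def hunt(source: str) -> list:
    """Return (category, line_number, stripped_line) for every hit, in file order.

    Every hit is a lead to verify by hand (trace the data flow), not a confirmed bug.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, regex in PATTERNS.items():
            if regex.search(line):
                hits.append((category, lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for category, lineno, text in hunt(SAMPLE_JAVA):
        print(f"{category:20} line {lineno}: {text}")
```

Run it over a real tree with `hunt(open(path).read())` per file; the same patterns work as grep -E arguments in the editor search.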

More comprehensive review

  • Focus on critical functions first (authentication, authorization, PII, etc.)

    • anything that deals with sensitive data, payments, shipping, etc.

  • Follow any code that deals with user input (see if they reach dangerous functionality)

    • Tracing the data flow

Example SQL Injection

In the file OrderStatus.java, we can see that a user input is taken for the variable orderId

String orderId = request.getParameter("orderId");

Later this string is used as is to query the database, so this is a SQL injection.

String sql = "SELECT * FROM ORDER WHERE ORDERID = '" + orderId;
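Added example, not the page's or Tarpit-java's code: a minimal intra-method source-to-sink tracer for the OrderStatus.java pattern above, run on a constructed vulnerable snippet and on a PreparedStatement version of it. The variable and method names other than request.getParameter and executeQuery are assumptions.

```python
import re

# Constructed Java in the shape of the OrderStatus.java example above: the
# vulnerable concatenation, plus a PreparedStatement version for comparison.
VULNERABLE = """\
String orderId = request.getParameter("orderId");
String sql = "SELECT * FROM ORDER WHERE ORDERID = '" + orderId + "'";
ResultSet rs = stmt.executeQuery(sql);
"""
FIXED = """\
String orderId = request.getParameter("orderId");
PreparedStatement ps = conn.prepareStatement("SELECT * FROM ORDER WHERE ORDERID = ?");
ps.setString(1, orderId);
ResultSet rs = ps.executeQuery();
"""

SOURCE = re.compile(r"request\.getParameter\(")                        # where user input enters
ASSIGN = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$")  # "[type] name = expr;"
SINK = re.compile(r"\.(executeQuery|executeUpdate|execute)\((.*)\)")  # where the SQL is run


def trace_sqli(java: str) -> list:
    """Return (source_line, sink_line) pairs where a tainted value reaches a SQL sink."""
    tainted = {}   # variable name -> line number of the source it came from
    findings = []
    for lineno, line in enumerate(java.splitlines(), start=1):
        m = ASSIGN.match(line)
        if m:
            name, expr = m.group(1), m.group(2)
            idents = set(re.findall(r"\b\w+\b", expr))
            if SOURCE.search(expr):
                tainted[name] = lineno                        # a new source
            elif "+" in expr and idents & set(tainted):
                # string concatenation of a tainted value: the taint propagates
                tainted[name] = min(tainted[v] for v in idents & set(tainted))
        s = SINK.search(line)
        if s:
            args = set(re.findall(r"\b\w+\b", s.group(2)))
            for v in args & set(tainted):
                findings.append((tainted[v], lineno))
    return findings


if __name__ == "__main__":
    print("vulnerable:", trace_sqli(VULNERABLE))   # tainted orderId reaches executeQuery
    print("fixed:", trace_sqli(FIXED))             # the bound parameter never reaches the sink text
```

A bind parameter (setString) is deliberately not treated as propagation, which is exactly why the PreparedStatement version produces no finding.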

Use automation with manual analysis

  • Use tools and then manually verify the results.

Notes from my practice

General Methodology

Dangerous functions in java

To avoid vulnerabilities like command injection or code injection, look for exec() and eval().

File upload - check

  • Always check for unauthenticated file uploads

Enumerate entry points

Thanks to my colleague Marc André for this one-liner:

  • grep -r -A2 -E '@(Get|Post|Put|Delete)Mapping' *

Tools

Spotbugs

On a Unix, Linux, or macOS system, run the $SPOTBUGS_HOME/bin/spotbugs script, or run the command java -jar $SPOTBUGS_HOME/lib/spotbugs.jar to run the SpotBugs GUI.

Other tools

  • SemGrep

  • FindSecBugs (dynamic analysis)

  • EsPReSSO Burp plugin for OAuth: analyzes and describes the OAuth communication

List of weaknesses to look for

  • Hardcoded credentials or secrets (grep on "password", "key", "secret")

  • Information leak

  • Missing security flags

  • Weak password hashing mechanism

  • Cross-Site Scripting

  • No CSRF protection

  • Directory listing

  • Crypto issue

  • Signature bypass

  • Authentication bypass

  • Authorization bypass

  • Remote Code Execution

  • Grep on comments

  • Grep for file upload functionalities "upload"

Useful linux commands

  • curl "https://target.com/" | grep -oP '(https*://|www\.)[^ ]*' extracts all URLs from the source code (thanks Savan Patel on LinkedIn for this command)

  • Send curl through a proxy: export https_proxy=http://127.0.0.1:8080

Misc Tips from pentesterlab code review training

This training is definitely worth its price.

  • Syntax highlighting

  • Browse source tree

  • Brainstorm with a rubber duck or a willing person

  • use find

  • use find with grep

  • check comments

  • check test cases

  • Add your tests in the test cases

  • Take notes (project and meta)

    • related to the project: notes on the code, modelling of the code with UML, etc.

    • Meta: about a specific language (every time you take a note on a specific language, add the version)

  • Testing behavior

    • Read-Eval-Print-Loop (REPL)

      • Ruby shell: IRB

      • PHP: php -a

      • Java: jshell

      • Go:

        • https://go.dev/play/ (online)

        • https://github.com/traefik/yaegi

  • Test Process

    1. Make a hypothesis

    2. Conduct experiments to test it

    3. Analyze the data

    4. Conclude whether the results support or refute your initial guess

Useful tools

Zeal

Offline documentation for various languages.

  • sudo apt install zeal to install

  • zeal to launch

  • Click on Docsets > Available and download the documentation for the language you need.

devdocs

Online documentation for various languages

Resources

To turn on regex search on Codium (visual studio code or sublime text) click here:

It is possible to do manual greps for some classes. If the codebase is small you can read everything; otherwise it is wiser to install an IDE. Usually in code review you look for the sources first and check whether they reach a sink, but there is often more code than time, so I prefer to cherry-pick some sinks that would be critical and check whether a corresponding source exists. You can exclude the tests from a code review after checking that sensitive data such as production secrets (passwords, etc.) are not stored in them. When you don't have enough time, it is worth spending 1 or 2 hours reviewing the summary of the to make the corresponding greps. In general it is always important to follow the inputs and see where they go. We can also review bug patterns.

Grep is a very convenient Linux command to search for strings. Learn more about it.

  • How to Analyze Code for Vulnerabilities - Vickie Li - OWASP DevSlop

  • Tarpit Java - ShiftLeftSecurity

  • Vickie Li's Security Blog

  • Bug Patterns

  • Snyk cheat sheet: 10 Java security best practices

  • OWASP Top 10: How to Find Vulnerabilities in Your Java Applications

  • OWASP Code Review Guide

  • Best practices Angular

  • Code review & Regular Expression commands - trojand

  • Secure Code Review checklist by Dr. Michaela Greiler

  • Regex cheatsheet - TrustedSec

  • Code review - Pentest book

  • Secure Coding Handbook - vladtoie

  • Absolute AppSec