Secure code review
Last updated
Last updated
Secure code review is a systematic process that involves examining an application’s source code to identify and address security vulnerabilities.
Notes from my practice and the video of OWASP devslop with Vickie Lee . I definietely recommend to check it out. It is really well explained.
Tips from Vickie Lee. Watch the full video . Examples will be taken from
A good code editor or IDE. It is better if this tools:
Allows global searches across the code base
Allow regex searches
Scripting tools and a terminal (to create test and run experiments)
High level overview of how the app works
Where the important functionalities are
Who are the users
Who should be able to do what
Major frameworks and libraries
Add-ons and plugins used
What can go wrong (common vulns)
Where to find code:
Client-side code
Desktop or mobile app source code
Leak code through a vulnerability (path traversal, etc)
OSINT: Github, pastebin, ...
Reverse the binary
Source = Code that allows a vulnerability to happen
Sink = where the vulnerability actually happen
Example: Code injection. Source is where the user input is taken, sink is functions that execute arbitrary system commands.
IMG Source: Video from OWASP Devslop
Search for known dangerous functions used on user-supplied input.
Search for harcoded credentials such as API keys, encryption keys, and db password.
Regex for AWS Access key ID "AKIA[0-9A-Z]{16}"
Search for weak cryptography or hasing algotrithm (grep on weak algorithm name)
Search for outdated dependencies (lots of vulnerabilities are introduced by 3rd party code)
Search for revealing developer comments (might contains sensitive infos)
Look for a dangerous function such as eval(). In your code editor or with grep search for the string "eval("
For example in Tarpit-java:
It gets the user input from the request and use eval on it directly.
In tarpit-java search for the following regex: "AKIA[0-9A-Z]{16}" (it will identify strings that start with AKIA that has 16 chars with the set we mentioned in the [] so from 0 to 9 and A to Z). This is actually what an AWS Access key would look like.
So in my Codium the search looks like this.
And we actually found a result:
Focus on critical functions first (authentication, Authorization, PII, etc)
anything that deals with sentitive data, payments shipping etc
Follow any code that deals with user input (see if they reach dangerous functionality)
Tracing the data flow
In the file OrderStatus.java, we can see that a user input is taken for the variable orderId
Later this string is used as is to request the database. So this is a SQL Injection.
Use tools and then manually verify the results.
To avoid vulnerabilities like command injection or code injection exec(), eval()
Always check for unauthenticated file uploads
thanks to my colleague Marc André for this one liner
grep -r -A2 -E '@(Get|Post|Put|Delete)Mapping' *
On a Unix, Linux, or macOS system, run the $SPOTBUGS_HOME/bin/spotbugs script, or run the command java -jar $SPOTBUGS_HOME/lib/spotbugs.jar to run the SpotBugs GUI.
SemGrep
FindSecBugd (dynamique analysis)
EsPReSSO plugin burp for oAuth: will analyze and describe communitcation with oAuth
Hardcoded credentials or secrets (grep on "password", "key", "secret")
Information leak
Missing security flags
Weak password hashing mechanism
Cross-Site Scripting
No CSRF protection
Directory listing
Crypto issue
Signature bypass
Authentication bypass
Authorization bypass
Remote Code Execution
Grep on comments
Grep for file upload functionalities "upload"
curl "https://target.com/" | grep -oP '(https*://|www\.)[^ ]*' Extract all URL from Source Code (thanks Savan Patel on Linkedin for this command)
send curl to proxy export https_proxy=http://127.0.0.1:8080
This training is definitely worth it's price.
Syntax highlighting
Browse source tree
Brainsto with a rubber duck or willing person
use find
use find with grep
check comments
check test cases
Add your tests in the test cases
Take notes (project and meta)
related to the project: notes on code, modelisation of code with uml etc
Meta: about a specific language (everytine a note is taking on a specific language add the version)
Testing behavior
Read-Eval-Print-Loop (REPL)
Ruby shell: IRB
PHP: - php -a
Java jshell
Go:
https://go.dev/play/ (online)
https://github.com/traefik/yaegi
Test Process
Make a hypothesis
Conduct experiments to test it
Analyze the data
Conclude whether the results support or refute your initial guess
Offline documentation for various languages.
sudo apt install zeal to install
zeal to launch
Click on Docsets > Available and download the documentationf or the language you need.
Online documentation for various languages
To turn on regex search on Codium (visual studio code or sublime text) click here:
It is possible to do manual grep for some classes. If the codebase is small you can read everything. It is wiser to install an ide. Usually in code review, you look for the sources first and see if there are sinks that are reachable, but often there is more code than time, so I prefer to cherry pick some sink that would be critical and look if there is a corresponding source. You can exclude the tests from a code review after checking if sensitive data like production secrets (password etc) are not stored in it.) When you don't have enough time it is interesting to review in 1 or 2 hours the summary of the to make corresponding greps. In general it is always important to follow the inputs and see where they go. We can also review bug patterns.
Grep is a very convernient linux command to search for string. Learn more about it
