A Beginners Guide to Code Review
Summary
TLDRThis video offers a comprehensive guide on conducting a security-focused code review to identify vulnerabilities. It introduces a general methodology, emphasizing the importance of understanding application structure and behavior. The tutorial reviews a sample code snippet, highlighting the detection of sources, sinks, and middleware issues, and the need for secure coding practices. The presenter recommends using tools like 'Sneak' for real-time vulnerability scanning and suggests resources for further learning, such as Sourcecodes.com and Pentester Lab, to enhance one's code review skills.
Takeaways
- 🛠️ The video introduces a methodology for conducting a security-focused code review to identify weaknesses and vulnerabilities in code.
- 🤖 AI tools can assist in writing code, but they may also introduce security vulnerabilities due to the quality of the training data they were based on.
- 🔒 'Sneak' is a tool highlighted in the video that helps secure code by scanning for vulnerabilities and providing real-time fixes.
- 🔎 Code review from a security perspective is different from the typical development process and is crucial for identifying unique security issues.
- 👀 Understanding the application's environment and how input flows through it can reveal the need for unique security measures not found by automated testing.
- 📚 The script emphasizes the importance of learning about dangerous functions and their potential exploits in the technology being used.
- 🔍 During code review, it's essential to identify all sources of input and sinks where input is processed, as well as any middleware that influences the data flow.
- 🚫 The video points out the risk of hardcoded credentials in the source code and the need to avoid this practice for security reasons.
- ⚠️ The use of dynamic queries instead of parameterized statements can lead to vulnerabilities such as SQL injection.
- 🧐 The script discusses the importance of scrutinizing sanitization functions to ensure they are effectively removing or neutralizing harmful input.
- 🔄 Consistency in code review practices is key to mastering the skill and improving the ability to find vulnerabilities over time.
- 🌐 Resources like Sourcecodes.com and Pentester Lab are recommended for practicing code review and learning more about web application security.
Q & A
What is the primary focus of the video script?
-The video script focuses on code review from a security perspective, aiming to identify weaknesses and vulnerabilities in code, particularly when it is generated by AI tools.
What is the role of 'Sneak' as mentioned in the script?
-Sneak is a tool that scans code for vulnerabilities in real time, providing recommended fixes that can be applied with a single click. It is designed to secure code whether it is written by humans or generated by AI.
Why is code review important from a security standpoint?
-Code review is important from a security standpoint because it helps identify weaknesses and vulnerabilities within applications before they can be exploited, which is more proactive than finding issues through fuzz testing live applications.
What are 'sources' and 'sinks' in the context of code review for security?
-In the context of security, 'sources' are points where user input enters the application, and 'sinks' are functions that can execute or process this input, potentially leading to security issues if not handled correctly.
What is the recommended approach to understanding the application structure and its source code during code review?
-The recommended approach is to first understand the routing, input structure, and general application layout. Then, identify the dangerous functions within the technology being used and learn about their potential exploits.
Why is it not advisable to dive too deeply into specific issues during the initial pass of code review?
-Diving too deeply into specific issues during the initial pass can lead to losing sight of the overall application structure and potentially wasting time on less critical issues. It's better to get a holistic understanding first before focusing on specific vulnerabilities.
What is the significance of identifying hardcoded credentials in the source code during code review?
-Identifying hardcoded credentials is significant because it is a common security flaw that can lead to unauthorized access to sensitive information. It's important to note such issues as they can be exploited by attackers.
What is the potential security risk associated with dynamic queries in the script?
-Dynamic queries, which are not parameterized or prepared statements, can lead to security risks such as SQL injection because they mix data and code, allowing for potential manipulation of the query by an attacker.
What is the purpose of the 'sanitize' function mentioned in the script, and what are its limitations?
-The 'sanitize' function is meant to remove or modify potentially harmful keywords in the input to prevent SQL injection. However, its limitations include not being recursive, potentially missing certain keywords, and not handling special characters or case insensitivity effectively.
What is the recommended approach to dealing with input sanitization to follow best practices?
-The recommended approach is to use standard library functions for sanitizing input, such as 'MySQL real escape string', and to ensure that the sanitization is applied consistently and securely across the codebase.
What resources are suggested in the script for someone looking to improve their code review skills?
-The script suggests using code snippets from sites like Sourcecodes.com and resources like Pentester Lab, which offers a free introduction to code review and further exercises for a subscription fee.
Outlines
🔍 Introduction to Code Review for Security
In this introductory paragraph, the speaker sets the stage for a video focused on code review from a security perspective. The goal is to identify vulnerabilities in code, whether written by humans or generated by AI. The speaker introduces 'Sneak', a tool that integrates with IDEs to scan code in real-time for vulnerabilities and provides fixes with a single click. The video aims to provide a general methodology, useful resources, and tools for improving code security. The importance of understanding the application's environment and the flow of inputs is highlighted as crucial for identifying unique security issues that automated testing might miss.
📝 Methodology for Conducting a Code Review
This paragraph delves into the methodology of conducting a code review with an emphasis on security. It begins by defining what a code review is in the context of security and why it's essential beyond just testing live applications. The speaker suggests starting with understanding the application's structure and identifying sources (like user input) and sinks (like dangerous functions). The paragraph also touches on the importance of recognizing risky developer behaviors, such as hardcoding credentials or creating backdoors. The speaker recommends learning about dangerous functions in the technology stack being used and understanding the application's behavior to find vulnerabilities more easily.
👀 Practical Code Review: Identifying Sources, Sinks, and Middleware
The speaker provides a practical example of a code review by analyzing a snippet of code written by an AI tool. The focus is on identifying all sources of input, such as 'username', 'email', and 'password', and all sinks, which are points where input is executed or stored, such as database queries. The paragraph discusses the importance of middleware that sanitizes input and the potential issues with inadequate sanitization methods. It also points out the risks associated with dynamic queries that are not parameterized, which can lead to SQL injection vulnerabilities. The speaker emphasizes the need to scrutinize functions for their effectiveness and to ensure they follow best practices for security.
🛠️ Tools and Resources for Enhancing Code Review Skills
In the final paragraph, the speaker wraps up the video by discussing the next steps in enhancing one's code review skills. They recommend starting with code snippets and using resources like Sourcecodes.com and Pentester Lab for practice. The speaker stresses the importance of consistency in code review to improve over time and suggests using tools to supplement manual code review. They also caution about the potential risks of working with untrusted code sources and the need for precautions like using virtual machines. The video concludes with a reminder to focus on understanding the application deeply to uncover hidden weaknesses and vulnerabilities.
Mindmap
Keywords
💡Code Review
💡Security Perspective
💡AI Tools
💡Sneak
💡Vulnerabilities
💡Hardcoded Credentials
💡Sources and Sinks
💡Input Sanitization
💡SQL Injection
💡Cross-Site Scripting (XSS)
💡Best Practices
Highlights
Introduction to code review from a security perspective to identify vulnerabilities.
AI tools can generate code, but the security of the code depends on the data it's trained on.
Sneak tool introduced for securing code, whether written by humans or AI, with real-time vulnerability scanning and fixes.
Code review is essential for understanding the application's environment and input flow for identifying unique vulnerabilities.
The importance of identifying sources and sinks in the code for security analysis.
Methodology for preparing to review code by understanding application structure and dangerous functions.
Risks associated with hard-coded credentials in source code.
Reviewing the MySQL connection setup for hardcoded credentials as a common finding.
The role of input functions in security and their potential impact on application behavior.
Identifying sources such as 'username', 'email', and 'password' from the request body in the code.
Use of bcrypt for hashing passwords and the importance of secure password handling.
Risks of dynamic queries without parameterization leading to vulnerabilities like SQL injection.
Analysis of the 'sanitize' function as middleware and its effectiveness in preventing SQL injection.
The importance of testing sanitization functions for recursion and case insensitivity.
Recommendation to follow standard best practices for input sanitization.
The need to understand the application's behavior to identify hidden weaknesses and risky behavior.
Consistency in code review as a skill that improves over time and leads to better vulnerability detection.
Use of manual code review followed by tools to find new areas of the application.
Resources like Sourcecodes.com and Pentester Lab for practicing code review with real vulnerabilities.
Final thoughts on the importance of code review in web application security.
Transcripts
welcome back to another video and today
we're going to get started with code
review to find vulnerabilities I'll
share with you how to get started a
general methodology ways to improve and
some useful resources and tools too just
before we dive in though I should
mention that we're going to be looking
at code review from a security
perspective to identify weaknesses and
vulnerabilities so this is a little bit
different to how code review is carried
out from a velopment standpoints by
software Engineers pardon the
interruption AI tools can be super handy
they can help you write a poem sve
captures and even write code but is that
code secure well AI is only as good as
the data it's trained on which means
vulnerabilities in code could be there
as it's generated or written but that's
where sneak comes in sneak makes it fast
and easy to secure code whether it's
being written by you or generated by Ai
and here's how it works you use your AI
tools to generate code and put it into
your IDE and sneak scans that code
flagging vulnerabilities in real time
you then get recommended fixes for those
vulnerabilities that you can apply with
just a single click and so whether
you're using AI or writing code yourself
you can give sneak a try for free today
by going to snak.io
slthe cyber Menor and of course there is
a link in the description below if you
enjoyed the video don't forget to like
And subscribe and let's dive in so first
up what is code review exactly well in
the context of security code review
helps us identify weaknesses and
vulnerabilities within applications and
you might be thinking why can't I just
fuzz and test the live application to
find issues well of course you can but
understanding the environment in which
the application is operating and looking
at how input flows from sources to syns
and the journey that it takes to get
there which can include things like
Security checks and going through
middleware could unveil the need for a
payload that is unique to the
application or a variation on a pattern
that hasn't been seen before it might be
that multiple inputs are needed or the
attack is a second order attack and
therefore scanners struggle to find it
so code review is a useful skill to
develop especially if you're on the hunt
for cves or looking to contribute to
open-source projects so how do we get
started well let's talk about the
methodology first most of the time we
have an application and we want to look
for sources and syncs sources are things
like user input and syncs are things
like dangerous functions that can
execute the input as code most famously
we have the eval function if you're just
starting out though what I'd recommend
doing is two things to prepare first try
to understand the structure of the
application and its source code for
example how is the routing handled what
does the input look like and the general
structure of the
application second what dangerous
functions exist within the technology
that you're working with with PHP for
example we can find a list to get
started with here and start to learn
about what these functions do and how we
can exploit an application that is using
them it is also worth mentioning at this
point that these are not the only things
we're on the lookout for as we're trying
to understand the application Behavior
we also want to look for risky things
that the developer might have done maybe
there is some hard-coded back door for
admins or input that's stored in the DB
and then saved to a to PHP file which
can then be executed later when the page
is called so really our goal is to
understand the application and once we
understand it vulnerabilities are
relatively easy to find later on in our
journey we can can dive more into
different vulnerabilities their patterns
or signatures and deeper behavior of the
application but I think this is enough
for us to get started so let's find a
nice snippet of code to take a look at
so here we are and I have some code that
I got chat GPT to write for me and then
we're just going to review it and what
I'm going to do is I'm going to step
through it and of course in larger
applications you probably want to break
it down into subsets of functionality or
into some logical sections um but we're
just going to review this whole code and
as we step through we have a few things
that we want to achieve we want to
identify all of these sources or inputs
we want to identify all of the syncs or
outputs and then identify any middleware
or the rout that sources take to their
syns so I think up here we can ignore
these includes and we can ignore the
express information and here we come
down to mySQL connection setup this is
probably our first finding something
that you'll run into a lot and that is
hardcoded credentials so we don't really
want to see this in our source code
although it's fairly common to see
usernames and passwords and other
sensitive information like Secrets or
tokens or keys hardcoded so this is
something that we would note down
straight away as we keep going down we
have our connection to mySQL and then we
have a s ize input function and when I
see this function I think ah this is to
do with security this could impact the
application and how it behaves so
probably what I'd do is I'd add this to
my notes to review later on as a general
rule especially on my first pass I try
not to dive into anything too deeply
otherwise I find that I'll lose all of
my time going into a rabbit hole I want
to review the whole application first
and then get a better understanding of
what areas I need to put my time into so
so we'd note this down to come back to
later on as we come further down we can
see some of our first sources so here we
have username and this is the request.
body. username and then we have email
request. body. email and of course the
password request. body. password Here
further down we can see that we're using
bcrypt to Hash the password and then if
there's an error we return error hashing
password to the user otherwise the
password becomes the out put hash and
then here we're going to insert the data
into the database by the looks of it and
this is our first sync so for example
here we have insert into users and we
have username email and password and the
first thing to notice is that this is a
dynamic query so it's not parameterized
it's not a prepared statement we're
actually taking this variable and
placing it straight into the code so
mixing data and code is bad practice and
that's something to be on the lookout
for and there are a lots of
vulnerabilities like SQL injection that
arise from mixing data and code and we
come back here and we also see another
Sync here so we see this error. SQL
message now we obviously didn't see any
particular input that was SQL message
maybe we have control over this or
partial control over this or maybe we
don't if our username input for example
becomes part of this error. SQL message
then maybe we can get cross-site
scripting but we need to go back through
and understand how this is formed and
what inputs can be used to influence it
so those are our two syncs all right so
let's come back up and what we want to
do is check to see whether this username
and email is exploitable so we can see
that they're both using this sanitize
function as middleware so if we scroll
up we can now scrutinize this function
and take a look and see where whether
it's effective so we're essentially
doing data replace so it's checking for
keywords like select insert delete
update drop and alter and whenever we do
this kind of function there are some
things to think about so is it done
recursively is everything in there
that's needed to be in there is it case
insensitive and there are generally just
a lot of edge cases that can bypass this
kind of thing so what this is going to
do is when we pass in some data if it
finds the select keyword it's going to
Simply remove it and since we have the G
flag here this is a global flag so if we
have multiple instances of Select it's
going to get removed and also we have
the I flag as well so this is going to
be case insensitive so for
example select like this is not going to
work because it's case insensitive or if
we do something like select select it's
going to find all of them notice that
it's not removing things like special
characters and also some keywords like
Union for example are also missing
something I would test for here is
whether it's recursive so we know that
the global flag is going to find all
instances of the keyword select for
example but I don't know whether it's
going to find select here remove it and
then the output will still be vulnerable
something I would have to test and the
key thing to remember here is that some
scanners might be fooled by inadequate
input sanitization and sometimes they
might not but what we want to do is
identify this as a weakness now even if
this isn't exploitable if you're an
aback engineer or if you're working as
part of a development team maybe suggest
that they follow the standard best
practice or the normal way of sanitizing
input and I can't remember off the top
of my head exactly how to do this but I
suspect we want something like return
MySQL MySQL do Escape data and we
probably want to trim this as well so
something like this of course check the
documentation check the best practice
but again when we see something that is
a little weird even if we can't exploit
it think about what the right way or the
standard way that's widely accepted to
do things is and then try and Implement
that instead and of course down here as
well we'd want to update this statement
and then maybe we would want to try and
make sure that we escape this output as
well so that we're not just putting raw
data into this alert box but very
quickly you can see that we've
identified some issues and some sources
and syncs and some middleware that might
be faulty and this is the goal of code
review understanding the application how
it's behaving and how the data is
Flowing between different branches of
code so now when we are looking at code
we can look at what middleware or
functions are being used for security
and determine if they are standard
libraries or custom written are they
applied consistently across the code
base written securely and following the
best practices and understand the
context around how code is reaching the
function and what's being returned now
to start with of course you're going to
be looking for lwh hanging fruits and a
lot of tools can detect these issues
automatically so what I recommend is
instead of using vulnerabilities as a
measure of success use understanding of
the application instead think to
yourself do I understand how this
application works can I follow the code
and the more you do that the more likely
you are to find hidden weaknesses risky
behavior and ultimately more
vulnerabilities one more thing to think
about is consistency code review is a
skill that requires time to learn and
eventually master so if you are
consistent with it then over time you'll
be able to reap the rewards I recommend
you step through the code manually first
and then add tools later on to see what
you missed or if they help you find new
areas of the application to explore so
where do we go from here I usually
recommend that you start out with code
Snippets but actually this site Source
codes to.com has a ton of projects and
many of them have critical
vulnerabilities waiting for you to find
just be aware that when you're working
with code from an untrusted Source you
might be dealing with something that has
a back door or something malicious
inside so take precautions use a virtual
machine etc etc another resource that
I'd recommend to get started is
pentester lab there is a free
introduction here with some code for you
to review and unfortunately the rest of
the exercises for the code review badge
require a subscription but if you can
afford it it's definitely worthwhile in
my op opinion pentester lab is a great
platform in general if you're interested
in taking more steps into web
application security and web app pen
testing and that's it for this video I
hope it helps you get started on your
journey into code review and I will
catch you next time
Посмотреть больше похожих видео
Используй ЭТО чтобы НЕ ОТСТАТЬ! Программирование меняется с ИИ инструментами?
How I Would Learn Data Science in 2022
How to Setup Visual Studio Code for Web Development | HTML, CSS, and JavaScript
All-In-One Open Source Security Scanner | Docker Image Analysis with Trivy
Como usar o VS CODE para programar? Guia COMPLETO e RÁPIDO!
#3 Prerequisite and Tools required for Spring
5.0 / 5 (0 votes)