A Beginners Guide to Code Review

00:00

welcome back to another video and today

00:02

we're going to get started with code

00:04

review to find vulnerabilities I'll

00:07

share with you how to get started a

00:09

general methodology ways to improve and

00:12

some useful resources and tools too just

00:16

before we dive in though I should

00:17

mention that we're going to be looking

00:19

at code review from a security

00:21

perspective to identify weaknesses and

00:24

vulnerabilities so this is a little bit

00:27

different to how code review is carried

00:29

out from a velopment standpoints by

00:31

software Engineers pardon the

00:33

interruption AI tools can be super handy

00:36

they can help you write a poem sve

00:38

captures and even write code but is that

00:42

code secure well AI is only as good as

00:45

the data it's trained on which means

00:47

vulnerabilities in code could be there

00:49

as it's generated or written but that's

00:52

where sneak comes in sneak makes it fast

00:55

and easy to secure code whether it's

00:57

being written by you or generated by Ai

01:01

and here's how it works you use your AI

01:03

tools to generate code and put it into

01:05

your IDE and sneak scans that code

01:07

flagging vulnerabilities in real time

01:10

you then get recommended fixes for those

01:12

vulnerabilities that you can apply with

01:14

just a single click and so whether

01:16

you're using AI or writing code yourself

01:19

you can give sneak a try for free today

01:22

by going to snak.io

01:24

slthe cyber Menor and of course there is

01:27

a link in the description below if you

01:30

enjoyed the video don't forget to like

01:32

And subscribe and let's dive in so first

01:35

up what is code review exactly well in

01:37

the context of security code review

01:39

helps us identify weaknesses and

01:42

vulnerabilities within applications and

01:44

you might be thinking why can't I just

01:47

fuzz and test the live application to

01:49

find issues well of course you can but

01:52

understanding the environment in which

01:54

the application is operating and looking

01:56

at how input flows from sources to syns

01:59

and the journey that it takes to get

02:01

there which can include things like

02:03

Security checks and going through

02:05

middleware could unveil the need for a

02:08

payload that is unique to the

02:09

application or a variation on a pattern

02:12

that hasn't been seen before it might be

02:15

that multiple inputs are needed or the

02:17

attack is a second order attack and

02:19

therefore scanners struggle to find it

02:22

so code review is a useful skill to

02:25

develop especially if you're on the hunt

02:27

for cves or looking to contribute to

02:29

open-source projects so how do we get

02:32

started well let's talk about the

02:34

methodology first most of the time we

02:37

have an application and we want to look

02:39

for sources and syncs sources are things

02:42

like user input and syncs are things

02:45

like dangerous functions that can

02:47

execute the input as code most famously

02:51

we have the eval function if you're just

02:53

starting out though what I'd recommend

02:55

doing is two things to prepare first try

02:58

to understand the structure of the

03:00

application and its source code for

03:02

example how is the routing handled what

03:05

does the input look like and the general

03:07

structure of the

03:09

application second what dangerous

03:11

functions exist within the technology

03:14

that you're working with with PHP for

03:16

example we can find a list to get

03:18

started with here and start to learn

03:20

about what these functions do and how we

03:22

can exploit an application that is using

03:25

them it is also worth mentioning at this

03:27

point that these are not the only things

03:29

we're on the lookout for as we're trying

03:31

to understand the application Behavior

03:33

we also want to look for risky things

03:35

that the developer might have done maybe

03:38

there is some hard-coded back door for

03:40

admins or input that's stored in the DB

03:42

and then saved to a to PHP file which

03:45

can then be executed later when the page

03:47

is called so really our goal is to

03:51

understand the application and once we

03:54

understand it vulnerabilities are

03:55

relatively easy to find later on in our

03:58

journey we can can dive more into

04:00

different vulnerabilities their patterns

04:02

or signatures and deeper behavior of the

04:05

application but I think this is enough

04:07

for us to get started so let's find a

04:10

nice snippet of code to take a look at

04:13

so here we are and I have some code that

04:15

I got chat GPT to write for me and then

04:18

we're just going to review it and what

04:22

I'm going to do is I'm going to step

04:23

through it and of course in larger

04:25

applications you probably want to break

04:26

it down into subsets of functionality or

04:29

into some logical sections um but we're

04:32

just going to review this whole code and

04:35

as we step through we have a few things

04:37

that we want to achieve we want to

04:39

identify all of these sources or inputs

04:42

we want to identify all of the syncs or

04:45

outputs and then identify any middleware

04:48

or the rout that sources take to their

04:50

syns so I think up here we can ignore

04:54

these includes and we can ignore the

04:57

express information and here we come

05:01

down to mySQL connection setup this is

05:04

probably our first finding something

05:06

that you'll run into a lot and that is

05:08

hardcoded credentials so we don't really

05:11

want to see this in our source code

05:12

although it's fairly common to see

05:14

usernames and passwords and other

05:16

sensitive information like Secrets or

05:18

tokens or keys hardcoded so this is

05:22

something that we would note down

05:23

straight away as we keep going down we

05:25

have our connection to mySQL and then we

05:28

have a s ize input function and when I

05:32

see this function I think ah this is to

05:34

do with security this could impact the

05:36

application and how it behaves so

05:39

probably what I'd do is I'd add this to

05:40

my notes to review later on as a general

05:43

rule especially on my first pass I try

05:46

not to dive into anything too deeply

05:48

otherwise I find that I'll lose all of

05:50

my time going into a rabbit hole I want

05:52

to review the whole application first

05:54

and then get a better understanding of

05:56

what areas I need to put my time into so

05:59

so we'd note this down to come back to

06:02

later on as we come further down we can

06:05

see some of our first sources so here we

06:08

have username and this is the request.

06:11

body. username and then we have email

06:13

request. body. email and of course the

06:16

password request. body. password Here

06:19

further down we can see that we're using

06:21

bcrypt to Hash the password and then if

06:23

there's an error we return error hashing

06:26

password to the user otherwise the

06:28

password becomes the out put hash and

06:30

then here we're going to insert the data

06:33

into the database by the looks of it and

06:36

this is our first sync so for example

06:39

here we have insert into users and we

06:42

have username email and password and the

06:45

first thing to notice is that this is a

06:47

dynamic query so it's not parameterized

06:50

it's not a prepared statement we're

06:51

actually taking this variable and

06:53

placing it straight into the code so

06:56

mixing data and code is bad practice and

06:58

that's something to be on the lookout

07:00

for and there are a lots of

07:01

vulnerabilities like SQL injection that

07:04

arise from mixing data and code and we

07:07

come back here and we also see another

07:10

Sync here so we see this error. SQL

07:13

message now we obviously didn't see any

07:16

particular input that was SQL message

07:18

maybe we have control over this or

07:20

partial control over this or maybe we

07:22

don't if our username input for example

07:25

becomes part of this error. SQL message

07:28

then maybe we can get cross-site

07:29

scripting but we need to go back through

07:32

and understand how this is formed and

07:35

what inputs can be used to influence it

07:38

so those are our two syncs all right so

07:41

let's come back up and what we want to

07:42

do is check to see whether this username

07:46

and email is exploitable so we can see

07:49

that they're both using this sanitize

07:51

function as middleware so if we scroll

07:54

up we can now scrutinize this function

07:58

and take a look and see where whether

07:59

it's effective so we're essentially

08:01

doing data replace so it's checking for

08:05

keywords like select insert delete

08:07

update drop and alter and whenever we do

08:11

this kind of function there are some

08:12

things to think about so is it done

08:15

recursively is everything in there

08:17

that's needed to be in there is it case

08:19

insensitive and there are generally just

08:22

a lot of edge cases that can bypass this

08:24

kind of thing so what this is going to

08:26

do is when we pass in some data if it

08:28

finds the select keyword it's going to

08:31

Simply remove it and since we have the G

08:34

flag here this is a global flag so if we

08:37

have multiple instances of Select it's

08:39

going to get removed and also we have

08:42

the I flag as well so this is going to

08:44

be case insensitive so for

08:47

example select like this is not going to

08:50

work because it's case insensitive or if

08:54

we do something like select select it's

08:57

going to find all of them notice that

09:00

it's not removing things like special

09:02

characters and also some keywords like

09:05

Union for example are also missing

09:07

something I would test for here is

09:10

whether it's recursive so we know that

09:12

the global flag is going to find all

09:14

instances of the keyword select for

09:17

example but I don't know whether it's

09:19

going to find select here remove it and

09:24

then the output will still be vulnerable

09:26

something I would have to test and the

09:28

key thing to remember here is that some

09:30

scanners might be fooled by inadequate

09:33

input sanitization and sometimes they

09:35

might not but what we want to do is

09:38

identify this as a weakness now even if

09:41

this isn't exploitable if you're an

09:42

aback engineer or if you're working as

09:44

part of a development team maybe suggest

09:46

that they follow the standard best

09:48

practice or the normal way of sanitizing

09:51

input and I can't remember off the top

09:54

of my head exactly how to do this but I

09:56

suspect we want something like return

10:01

MySQL MySQL do Escape data and we

10:06

probably want to trim this as well so

10:10

something like this of course check the

10:12

documentation check the best practice

10:14

but again when we see something that is

10:17

a little weird even if we can't exploit

10:19

it think about what the right way or the

10:21

standard way that's widely accepted to

10:24

do things is and then try and Implement

10:26

that instead and of course down here as

10:29

well we'd want to update this statement

10:32

and then maybe we would want to try and

10:34

make sure that we escape this output as

10:37

well so that we're not just putting raw

10:39

data into this alert box but very

10:43

quickly you can see that we've

10:44

identified some issues and some sources

10:47

and syncs and some middleware that might

10:49

be faulty and this is the goal of code

10:52

review understanding the application how

10:55

it's behaving and how the data is

10:57

Flowing between different branches of

11:00

code so now when we are looking at code

11:02

we can look at what middleware or

11:04

functions are being used for security

11:07

and determine if they are standard

11:08

libraries or custom written are they

11:10

applied consistently across the code

11:12

base written securely and following the

11:15

best practices and understand the

11:17

context around how code is reaching the

11:20

function and what's being returned now

11:23

to start with of course you're going to

11:24

be looking for lwh hanging fruits and a

11:27

lot of tools can detect these issues

11:30

automatically so what I recommend is

11:32

instead of using vulnerabilities as a

11:34

measure of success use understanding of

11:37

the application instead think to

11:39

yourself do I understand how this

11:42

application works can I follow the code

11:45

and the more you do that the more likely

11:47

you are to find hidden weaknesses risky

11:49

behavior and ultimately more

11:51

vulnerabilities one more thing to think

11:53

about is consistency code review is a

11:56

skill that requires time to learn and

11:58

eventually master so if you are

12:01

consistent with it then over time you'll

12:03

be able to reap the rewards I recommend

12:06

you step through the code manually first

12:08

and then add tools later on to see what

12:10

you missed or if they help you find new

12:13

areas of the application to explore so

12:16

where do we go from here I usually

12:17

recommend that you start out with code

12:19

Snippets but actually this site Source

12:22

codes to.com has a ton of projects and

12:25

many of them have critical

12:27

vulnerabilities waiting for you to find

12:30

just be aware that when you're working

12:31

with code from an untrusted Source you

12:33

might be dealing with something that has

12:35

a back door or something malicious

12:36

inside so take precautions use a virtual

12:39

machine etc etc another resource that

12:42

I'd recommend to get started is

12:44

pentester lab there is a free

12:46

introduction here with some code for you

12:49

to review and unfortunately the rest of

12:51

the exercises for the code review badge

12:54

require a subscription but if you can

12:56

afford it it's definitely worthwhile in

12:58

my op opinion pentester lab is a great

13:00

platform in general if you're interested

13:03

in taking more steps into web

13:05

application security and web app pen

13:08

testing and that's it for this video I

13:10

hope it helps you get started on your

13:12

journey into code review and I will

13:14

catch you next time