Code Review CheatSheet

https://github.com/va1da5/manual-source-code-review

During a code review, it is important to check for a number of things. Of course, the logic behind an application is application specific so it requires the utmost attention especially on the following topics like authorization, authentication etc…

Most companies will probably use some kind of SAST solution, which will probably pick out all the easy to guess items off this list. So this list is mostly for the people who know their company and/or code doesn't use any type of SAST.

Global

Hardcoded Credentials

Checks for hardcoded passwords with a hit on the use of password or token variant

Note: 'Key' usually returns a lot of results as this is a basic functionality usually. Opt to leave it out and grep it separately in larger code bases

(passwords?)|(pwd)|(token)|(credentials)|(secret)

Check for any JWT's left in the codebase

Note: this one usually finds something juicy. However, there are some cases that it doesn't result in matching any JWT and it matches all kinds of regular code. In that case, just keep your eyes open.

^([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_\-\+\/=]*)

Or, UUID's left in the codebase (think of clientId's)

^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$

SQL Queries

SQL Queries should be checked for proper parameterization. To quickly list (most) SQL queries use the following regex:

\b(?:SELECT|INSERT INTO|UPDATE|UNION|DELETE FROM)\b .* \b(?:FROM|WHERE|AS|CASE)\b\s.*

One thing that also helps sometimes is to look for the rawQuery call

rawQuery

Cryptography

C

Unsafe functions lack sufficient randomness or security for cryptographic operations.

regexCopy code

random\(\)|rand\(\)

Java

Unsafe Java functions do not provide secure randomness, making them unsuitable for cryptographic use.

regexCopy code

(Math|StrictMath)\.random\(\)|(java\.util\.(Random|SplittableRandom|concurrent\.ThreadLocalRandom))

PHP

PHP's listed unsafe functions fail to provide cryptographically secure randomness.

regexCopy code

array_rand\(\)|lcg_value\(\)|mt_rand\(\)|rand\(\)|uniqid\(\)

.NET/C#

The Random() class in .NET/C# does not offer cryptographically secure random numbers.

regexCopy code

\new\s+Random\(\)

Objective-C

Objective-C's unsafe functions, including arc4random() which uses RC4, are not suitable for cryptographic purposes.

regexCopy code

arc4random(_uniform)?\(\)|(GKRandomSource|rand\(\)|random\(\))

Python

Python's random() function is not designed for cryptographic applications due to predictable output.

regexCopy code

random\.random\(\)

Ruby

Ruby's rand() and Random class do not provide secure randomness needed for cryptographic operations.

regexCopy code

rand\(\)|Random\.

Go

Go's math/rand package lacks the cryptographic security required for generating random numbers.

regexCopy code

math\/rand\.

Rust

The rand::prng::XorShiftRng function in Rust is not considered cryptographically secure.

regexCopy code

rand::prng::XorShiftRng

Node.js

Node.js's Math.random() does not offer the cryptographic security necessary for generating random values.

regexCopy code

Math\.random\(\)

PowerShell

Powershell's Get-Random is not secure. Make use of Get-SecureRandom

Get-Random

Java

Deserialization

Check for API's which are (potentially) vulnerable to Deserialization attacks.

(XMLdecoder|Xstream|fromXML|ObjectInputStream|readObject|readResolve|readExternal|Serializable)

Process Injection

Something I don't necessarily find a whole lot but there is a possibility it exists. Search for java functions which run commands on the OS

(exec\(|Processbuilder)

File creation

Search for any possible creation of files and/or retrieval of files. Make sure that no folder bypasses can be used. E.g. ../../../../etc/passwd

(new File\(|getAbsolutePath\()

Xpath Injection

Look for user input in the .compile function on any regex function

(.compile\()

Golang

Process Injection

Something I don't necessarily find a whole lot but there is a possibility it exists. Search for Golang functions which run commands on the OS

(exec.Command|exec.CommandContext|syscall.Exec)

Sensitive Data Exposure

The net/http/pprof package will expose the /debug/pprof endpoint to the internet. This endpoint will disclose sensitive server information, such as the heap and CPU profiles.

(net/http/pprof)

File Path Traversal

(os.Open\()

Buffer Overflow

The function io.Copy copies from src to dst until EOF is reached so we have to prevent this behavior by using io.CopyN with buffer size limitation.

(io.Copy\()

SSRF

If there is user-controlled data coming into the url parameters of the client.{make request} functionality, it can lead to SSRF. Make sure it is properly sanitized.

(client.Do|client.Get)

Node

Process Injection

unserialize\s*\(|eval\s*\(|\bchild_process\b|exec\s*\(|spawn\s*\(|execFile\s*\(|\bfork\s*\(

Angular

XSS

(InnerHtml|BypassSecurity)

PHP/Laravel

Deserialization

Converts a serialized string back into a PHP value. It's potentially vulnerable when untrusted data is unserialized, as it can lead to object injection attacks if the serialized data contains objects that trigger harmful actions when instantiated or used.

unserialize\s?\(|unserialize_callback_func

RCE

  1. Shell Execution Functions (exec, passthru, popen, shell_exec, system): These functions execute shell commands. They are potentially vulnerable when user input is incorporated without proper sanitization, leading to command injection risks.

  1. eval: Executes a string as PHP code. Extremely risky if user input influences the input to eval, potentially leading to remote code execution.

  2. Process Control Functions (proc_open, proc_close, proc_get_status, proc_nice, proc_terminate): These functions manage and manipulate processes. Vulnerabilities arise when user inputs are used without validation, leading to command injection or process manipulation issues.

exec\s*\(|passthru\s*\(|popen\s*\(|shell_exec\s*\(|system\s*\(|eval\s*\(|proc_open\s*\(|proc_close\s*\(|proc_get_status\s*\(|proc_nice\s*\(|proc_terminate\s*\(

SQLi

  1. SQL Injection: Functions like mysql_query, pg_query, sqlite_query, etc., are vulnerable to SQL injection if they execute queries with unescaped or unsanitized user input. An attacker can manipulate the query to access or modify unauthorized data, perform administrative operations on the database, or even execute commands on the host operating system.
  2. Insecure Database Connection: Functions like mysql_connect, pg_connect, sqlite_open, etc., are used to establish database connections. If these connections are improperly configured (e.g., using default credentials, no encryption), they can be exploited to gain unauthorized access to the database.
  3. Error Handling: Functions like mysql_error, sqlite_fetch_*, etc., if improperly used, can reveal detailed error messages to the user, potentially exposing underlying database structure or sensitive information.
  4. Outdated Functions: Some functions listed (e.g., mysql_*, msql_*, mssql_*) are outdated and have been deprecated. Using these functions can result in insecure applications as they lack the security features and improvements found in newer functions.
mysql_query\s*\(|WHERE\s+.*=.*|mysql_connect\s*\(|mysql_pconnect\s*\(|mysqli\s*\(|(mysqli::[^ ]*|mysqli_[^ ]*)|mysql_query\s*\(|mysql_error\s*\(|pg_connect\s*\(|pg_pconnect\s*\(|pg_execute\s*\(|pg_insert\s*\(|pg_put_line\s*\(|pg_query\s*\(|pg_select\s*\(|pg_send_query\s*\(|pg_update\s*\(|sqlite_open\s*\(|sqlite_query\s*\(|sqlite_array_query\s*\(|sqlite_create_function\s*\(|sqlite_create_aggregate\s*\(|sqlite_exec\s*\(|sqlite_fetch_.*|msql_.*|mssql_.*|odbc_.*|fbsql_.*|db2_.*|sqlsrv_.*|sybase_.*|ibase_.*|dbx_.*|ingres_.*|ifx_.*|oci_.*|px_.*|ovrimos_.*|maxdb_.*

Mass Assignment

How to Exploit Mass Assignment Vulnerabilities:

  1. Identifying Editable Fields: An attacker first identifies the fields of a model that can be manipulated. This can be done through API documentation, form fields in a web application, or guessing common field names.
  2. Crafting a Malicious Request: The attacker then crafts a request (often a POST or PUT request) including fields that they should not have access to modify. For example, changing a user's role, permissions, or other sensitive data.
  3. Submitting the Request: The crafted request is submitted to the server. If the application is vulnerable, the server processes the request and updates the model with all provided fields, including those that should be protected.

Recognizing the Vulnerability:

  1. Lack of Guarding: In Laravel, you should look for models that do not use guarded or fillable properties to restrict which attributes can be mass-assigned. A model without either protected $guarded = []; or protected $fillable = []; is a potential vulnerability.
  2. Direct Assignment from Request: Using $request->all() or similar methods to directly assign request data to a model instance is a red flag. It indicates that all request input is being blindly accepted.
  3. No Validation: If the code doesn't validate or sanitize input before mass assignment, it's vulnerable.
(create|update|fill)\s*\(\s*\$request->all\(\)\s*\)

C++/C

RCE

\b(system|execvp|execlp|popen|CreateProcess|std::system)\s*\(

Format String

\b(printf|sprintf|snprintf|fprintf)\b

Buffer Overflow

\b(strcpy|strncpy|sprintf|snprintf|memcpy|memmove)\b

Vue

XSS

1. Use of v-html

regexCopy code

v-html\s*=\s*["'][^"']*["']

This pattern matches instances of the v-html directive being used within an attribute, potentially leading to XSS if used with unsanitized user input.

2. Improper Use of v-bind or Shorthand : with Unsafe Attributes

regexCopy code

:v-bind:href|:href|v-bind:src|:src\s*=\s*["'][^"']*["']

This pattern matches dynamic bindings with href or src attributes, which can be risky if the values are not sanitized.

3. JavaScript Execution through Event Handlers

regexCopy code

v-on:click|@click\s*=\s*["'][^"']*["']

This pattern matches event handlers like v-on:click or @click that might execute JavaScript. Care must be taken to ensure that any data used here is not user-controlled or is properly sanitized.

4. Direct DOM Manipulation Indications

regexCopy code

innerHTML|document\.write

C-Sharp

Deserialization

(XmlReader\.Create|XamlReader\.Load|JsonConvert\.DeserializeObject|JSON\.ToObject|JsonSerializer|JavaScriptSerializer|SimpleTypeResolvers\s*\(|XmlSerializer\s*\(|DataContractSerializer\s*\(|DeserializerBuilder|\.Deserialize\s*\(|BinaryFormatter|ObjectStateFormatter|SoapFormatter|NetDataContractSerializer|LosFormatter|SerializationFormatter)

RCE

(Server\.Execute|\\bExecute\\b|\\bEval\\b|\\bProcess\\b|\\.StartInfo\\.FileName|\\.StartInfo\\.Arguments)

XXE

(\bXmlReaderSettings\b|\bXmlReader\b|\bXmlDocument\b)

React

XSS

dangerouslySetInnerHTML

eval/(