Code Review Snippets

Some notes regarding code reviews.

Common Weaknesses


  • Hardcoded credentials/secrets/keys
  • Information leakage/verbose errors
  • Missing security flags
  • Weak password hashing
  • XSS
  • No CSRF protection
  • SQLi
  • RCE
  • Directory listing
  • Local/Remote file inclusion
  • Cryptographic issues
  • Signature bypass
  • Authentication bypass


Resources



Suspicious Functions and Keywords


General Functions

system()
exec()
eval()
assert()
popen()
preg_replace()
passthru()
shell_exec()
proc_open()
include()
include_once()
require()
require_once()
mail()
serialize()
unserialize()
rand()
date()

Cryptographic Functions

encrypt()
decrypt()
decode()
encode()
digest()

Database Functions

querydb()
query_db()
mysql_query()
mysql_db_query()
db.cursor()
db.prepare()
MySQLdb.connect()
selectQueryString
Database.Open
db.Query()
db.Execute()


Hunting with Grep


Grep provides endless possibilities (GNU grep syntax; with -R and no path given, grep searches the current directory):

grep -iRl 'api\|key\|api_key\|apikey\|apitoken\|token'
grep -ER '(shell_exec|exec|passthru|system|popen|proc_open|eval)\('
grep -iRl '\$_GET\|\$_POST\|\$_REQUEST\|\$_COOKIE'
grep -iR '<pattern>' --exclude='*.css'

grep -oRE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"   # IPv4 addresses
grep -oRE "(http|https)://[a-zA-Z0-9./?=_%:-]*"   # URLs
grep -oRE "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"    # email addresses
grep -oRE '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}'   # MAC addresses

grep -oRE "\b[0-9a-f]{32}\b"   # MD5 (32 hex chars)
grep -oRE "\b[0-9a-f]{40}\b"   # SHA-1 (40 hex chars)
grep -aRE '\$2[ayb]\$.{56}'   # bcrypt ($2a$, $2b$ or $2y$ prefix; 60 chars in total)
grep -aRE '\$2a\$08\$.{53}'   # bcrypt/Blowfish with cost 08 (22-char salt + 31-char hash)
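Running the patterns above as one scan, as an added example that is not part of the original post: it builds a small constructed PHP tree, counts hits per category (secrets, command sinks, request sources, MD5-looking strings) and assumes GNU grep.

```shell
#!/bin/sh
# Added example (not from the original post): the page's grep patterns wrapped
# into one reusable scan that counts findings per category over a source tree.
# Assumes GNU grep (-R, -E, -o, -h, --exclude); the PHP tree below is constructed.

make_sample_tree() {   # usage: make_sample_tree DIR  (constructed sample input)
  mkdir -p "$1/app" "$1/public"
  cat > "$1/app/config.php" <<'EOF'
<?php
$api_key = "sk_test_CONSTRUCTED_0123456789";   // hardcoded secret (finding)
$dbpass  = "5f4dcc3b5aa765d61d8327deb882cf99";  // MD5 of a password (finding)
EOF
  cat > "$1/app/run.php" <<'EOF'
<?php
$cmd = $_GET['cmd'];                 // untrusted source (finding)
echo shell_exec("ls " . $cmd);       // dangerous sink (finding)
EOF
  cat > "$1/public/style.css" <<'EOF'
/* api token colour */ .key { color: #fff; }   /* excluded: CSS is noise */
EOF
}

# Count matching LINES for an ERE under DIR; CSS excluded as the post suggests.
count_hits() {   # usage: count_hits DIR PATTERN
  grep -ERhi --exclude='*.css' -e "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Boundaries are spelled out as [^...] classes so the patterns stay portable ERE.
hunt() {   # usage: hunt DIR  -> one "category count" line per category
  printf 'secrets %s\n' "$(count_hits "$1" 'api_key|apikey|apitoken|token|secret')"
  printf 'sinks %s\n'   "$(count_hits "$1" '(^|[^A-Za-z0-9_])(shell_exec|exec|passthru|system|popen|proc_open|eval)\(')"
  printf 'sources %s\n' "$(count_hits "$1" '\$_(GET|POST|REQUEST|COOKIE)')"
  printf 'md5like %s\n' "$(count_hits "$1" '(^|[^0-9a-f])[0-9a-f]{32}($|[^0-9a-f])')"
}

total_hits() {   # usage: total_hits DIR -> sum of all categories (0 = clean tree)
  hunt "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# Stand-alone demo: build the constructed tree, scan it, clean up.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
hunt "$demo_dir"
rm -rf "$demo_dir"
```

Each category prints 1 for the constructed tree; pointing hunt at a real checkout gives a quick triage count before reading the matched lines by hand.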