A Beginners Guide to Code Review
Skills:
AI-Assisted Code Review90%
Key Takeaways
This video provides a beginner's guide to code review, covering the basics of code review and how to get started with it, using tools like Snyk for vulnerability detection.
Full Transcript
welcome back to another video and today we're going to get started with code review to find vulnerabilities I'll share with you how to get started a general methodology ways to improve and some useful resources and tools too just before we dive in though I should mention that we're going to be looking at code review from a security perspective to identify weaknesses and vulnerabilities so this is a little bit different to how code review is carried out from a velopment standpoints by software Engineers pardon the interruption AI tools can be super handy they can help you write a poem sve captures and even write code but is that code secure well AI is only as good as the data it's trained on which means vulnerabilities in code could be there as it's generated or written but that's where sneak comes in sneak makes it fast and easy to secure code whether it's being written by you or generated by Ai and here's how it works you use your AI tools to generate code and put it into your IDE and sneak scans that code flagging vulnerabilities in real time you then get recommended fixes for those vulnerabilities that you can apply with just a single click and so whether you're using AI or writing code yourself you can give sneak a try for free today by going to snak.io slthe cyber Menor and of course there is a link in the description below if you enjoyed the video don't forget to like And subscribe and let's dive in so first up what is code review exactly well in the context of security code review helps us identify weaknesses and vulnerabilities within applications and you might be thinking why can't I just fuzz and test the live application to find issues well of course you can but understanding the environment in which the application is operating and looking at how input flows from sources to syns and the journey that it takes to get there which can include things like Security checks and going through middleware could unveil the need for a payload that is unique to the application or a variation on a pattern that hasn't been seen before it might be that multiple inputs are needed or the attack is a second order attack and therefore scanners struggle to find it so code review is a useful skill to develop especially if you're on the hunt for cves or looking to contribute to open-source projects so how do we get started well let's talk about the methodology first most of the time we have an application and we want to look for sources and syncs sources are things like user input and syncs are things like dangerous functions that can execute the input as code most famously we have the eval function if you're just starting out though what I'd recommend doing is two things to prepare first try to understand the structure of the application and its source code for example how is the routing handled what does the input look like and the general structure of the application second what dangerous functions exist within the technology that you're working with with PHP for example we can find a list to get started with here and start to learn about what these functions do and how we can exploit an application that is using them it is also worth mentioning at this point that these are not the only things we're on the lookout for as we're trying to understand the application Behavior we also want to look for risky things that the developer might have done maybe there is some hard-coded back door for admins or input that's stored in the DB and then saved to a to PHP file which can then be executed later when the page is called so really our goal is to understand the application and once we understand it vulnerabilities are relatively easy to find later on in our journey we can can dive more into different vulnerabilities their patterns or signatures and deeper behavior of the application but I think this is enough for us to get started so let's find a nice snippet of code to take a look at so here we are and I have some code that I got chat GPT to write for me and then we're just going to review it and what I'm going to do is I'm going to step through it and of course in larger applications you probably want to break it down into subsets of functionality or into some logical sections um but we're just going to review this whole code and as we step through we have a few things that we want to achieve we want to identify all of these sources or inputs we want to identify all of the syncs or outputs and then identify any middleware or the rout that sources take to their syns so I think up here we can ignore these includes and we can ignore the express information and here we come down to mySQL connection setup this is probably our first finding something that you'll run into a lot and that is hardcoded credentials so we don't really want to see this in our source code although it's fairly common to see usernames and passwords and other sensitive information like Secrets or tokens or keys hardcoded so this is something that we would note down straight away as we keep going down we have our connection to mySQL and then we have a s ize input function and when I see this function I think ah this is to do with security this could impact the application and how it behaves so probably what I'd do is I'd add this to my notes to review later on as a general rule especially on my first pass I try not to dive into anything too deeply otherwise I find that I'll lose all of my time going into a rabbit hole I want to review the whole application first and then get a better understanding of what areas I need to put my time into so so we'd note this down to come back to later on as we come further down we can see some of our first sources so here we have username and this is the request. body. username and then we have email request. body. email and of course the password request. body. password Here further down we can see that we're using bcrypt to Hash the password and then if there's an error we return error hashing password to the user otherwise the password becomes the out put hash and then here we're going to insert the data into the database by the looks of it and this is our first sync so for example here we have insert into users and we have username email and password and the first thing to notice is that this is a dynamic query so it's not parameterized it's not a prepared statement we're actually taking this variable and placing it straight into the code so mixing data and code is bad practice and that's something to be on the lookout for and there are a lots of vulnerabilities like SQL injection that arise from mixing data and code and we come back here and we also see another Sync here so we see this error. SQL message now we obviously didn't see any particular input that was SQL message maybe we have control over this or partial control over this or maybe we don't if our username input for example becomes part of this error. SQL message then maybe we can get cross-site scripting but we need to go back through and understand how this is formed and what inputs can be used to influence it so those are our two syncs all right so let's come back up and what we want to do is check to see whether this username and email is exploitable so we can see that they're both using this sanitize function as middleware so if we scroll up we can now scrutinize this function and take a look and see where whether it's effective so we're essentially doing data replace so it's checking for keywords like select insert delete update drop and alter and whenever we do this kind of function there are some things to think about so is it done recursively is everything in there that's needed to be in there is it case insensitive and there are generally just a lot of edge cases that can bypass this kind of thing so what this is going to do is when we pass in some data if it finds the select keyword it's going to Simply remove it and since we have the G flag here this is a global flag so if we have multiple instances of Select it's going to get removed and also we have the I flag as well so this is going to be case insensitive so for example select like this is not going to work because it's case insensitive or if we do something like select select it's going to find all of them notice that it's not removing things like special characters and also some keywords like Union for example are also missing something I would test for here is whether it's recursive so we know that the global flag is going to find all instances of the keyword select for example but I don't know whether it's going to find select here remove it and then the output will still be vulnerable something I would have to test and the key thing to remember here is that some scanners might be fooled by inadequate input sanitization and sometimes they might not but what we want to do is identify this as a weakness now even if this isn't exploitable if you're an aback engineer or if you're working as part of a development team maybe suggest that they follow the standard best practice or the normal way of sanitizing input and I can't remember off the top of my head exactly how to do this but I suspect we want something like return MySQL MySQL do Escape data and we probably want to trim this as well so something like this of course check the documentation check the best practice but again when we see something that is a little weird even if we can't exploit it think about what the right way or the standard way that's widely accepted to do things is and then try and Implement that instead and of course down here as well we'd want to update this statement and then maybe we would want to try and make sure that we escape this output as well so that we're not just putting raw data into this alert box but very quickly you can see that we've identified some issues and some sources and syncs and some middleware that might be faulty and this is the goal of code review understanding the application how it's behaving and how the data is Flowing between different branches of code so now when we are looking at code we can look at what middleware or functions are being used for security and determine if they are standard libraries or custom written are they applied consistently across the code base written securely and following the best practices and understand the context around how code is reaching the function and what's being returned now to start with of course you're going to be looking for lwh hanging fruits and a lot of tools can detect these issues automatically so what I recommend is instead of using vulnerabilities as a measure of success use understanding of the application instead think to yourself do I understand how this application works can I follow the code and the more you do that the more likely you are to find hidden weaknesses risky behavior and ultimately more vulnerabilities one more thing to think about is consistency code review is a skill that requires time to learn and eventually master so if you are consistent with it then over time you'll be able to reap the rewards I recommend you step through the code manually first and then add tools later on to see what you missed or if they help you find new areas of the application to explore so where do we go from here I usually recommend that you start out with code Snippets but actually this site Source codes to.com has a ton of projects and many of them have critical vulnerabilities waiting for you to find just be aware that when you're working with code from an untrusted Source you might be dealing with something that has a back door or something malicious inside so take precautions use a virtual machine etc etc another resource that I'd recommend to get started is pentester lab there is a free introduction here with some code for you to review and unfortunately the rest of the exercises for the code review badge require a subscription but if you can afford it it's definitely worthwhile in my op opinion pentester lab is a great platform in general if you're interested in taking more steps into web application security and web app pen testing and that's it for this video I hope it helps you get started on your journey into code review and I will catch you next time
Original Description
If you want to see what vulnerabilities are hiding in your code, sign up for Snyk for free using the code https://snyk.co/thecybermentor
00:00 Introduction to Code Review
00:33 Snyk Sponsor Message
01:34 What is Code Review?
02:34 Get started with Code Review
04:13 Code Review Labs
11:00 How to Practice Code Review
12:16 Where to Find Code to Review
13:08 Outro
Sponsor a Video: https://www.tcm.rocks/Sponsors
Pentests & Security Consulting: https://tcm-sec.com
Get Trained: https://academy.tcm-sec.com
Get Certified: https://certifications.tcm-sec.com
Merch: https://merch.tcm-sec.com
📱Social Media📱
___________________________________________
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Instagram: https://instagram.com/thecybermentor
LinkedIn: https://www.linkedin.com/in/heathadams
TikTok: https://tiktok.com/@thecybermentor
Discord: https://discord.gg/tcm
💸Donate💸
___________________________________________
Like the channel? Please consider supporting me on Patreon:
https://www.patreon.com/thecybermentor
Support the stream (one-time): https://streamlabs.com/thecybermentor
Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX
The Hacker Playbook 3: https://amzn.to/34XkIY2
Hacking: The Art of Exploitation: https://amzn.to/2VchDyL
The Web Application Hacker's Handbook: https://amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx
Linux Basics for Hackers: https://amzn.to/34WvcXP
Python Crash Course, 2nd Edition: https://amzn.to/30gINu0
Violent Python: https://amzn.to/2QoGoJn
Black Hat Python: https://amzn.to/2V9GpQk
My Build:
lg 32gk850g-b 32" Gaming Monitor:https://amzn.to/30C0qzV
darkFlash Phantom Black ATX Mid-Tower Case: https://amzn.to/30d1UW1
EVGA 2080TI: https://amzn.to/30d2lj7
MSI Z390 MotherBoard: https://amzn.to/30eu5TL
Intel 9700K: https://amzn.to/2M7hM2p
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
Writing a Pentest Report
The Cyber Mentor
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
Top 5 Internal Pentesting Methods
The Cyber Mentor
More on: AI-Assisted Code Review
View skill →Related Reads
📰
📰
📰
📰
mcp-bastion v0.3.0: Teaching an MCP Security Proxy to Defend More of the Attack Surface
Medium · Cybersecurity
mcp-bastion v0.3.0: Teaching an MCP Security Proxy to Defend More of the Attack Surface
Medium · LLM
Web3 Navigates Cyber Threats Amidst Bearish Sentiment and Core Development Growth
Dev.to AI
How I Built a Log Analysis Tool to Detect Network Anomalies
Dev.to · Atena
Chapters (8)
Introduction to Code Review
0:33
Snyk Sponsor Message
1:34
What is Code Review?
2:34
Get started with Code Review
4:13
Code Review Labs
11:00
How to Practice Code Review
12:16
Where to Find Code to Review
13:08
Outro
🎓
Tutor Explanation
DeepCamp AI