A Beginners Guide to Code Review

The Cyber Mentor · Beginner ·🔐 Cybersecurity ·2y ago

Key Takeaways

This video provides a beginner's guide to code review, covering the basics of code review and how to get started with it, using tools like Snyk for vulnerability detection.

Full Transcript

welcome back to another video and today we're going to get started with code review to find vulnerabilities I'll share with you how to get started a general methodology ways to improve and some useful resources and tools too just before we dive in though I should mention that we're going to be looking at code review from a security perspective to identify weaknesses and vulnerabilities so this is a little bit different to how code review is carried out from a velopment standpoints by software Engineers pardon the interruption AI tools can be super handy they can help you write a poem sve captures and even write code but is that code secure well AI is only as good as the data it's trained on which means vulnerabilities in code could be there as it's generated or written but that's where sneak comes in sneak makes it fast and easy to secure code whether it's being written by you or generated by Ai and here's how it works you use your AI tools to generate code and put it into your IDE and sneak scans that code flagging vulnerabilities in real time you then get recommended fixes for those vulnerabilities that you can apply with just a single click and so whether you're using AI or writing code yourself you can give sneak a try for free today by going to snak.io slthe cyber Menor and of course there is a link in the description below if you enjoyed the video don't forget to like And subscribe and let's dive in so first up what is code review exactly well in the context of security code review helps us identify weaknesses and vulnerabilities within applications and you might be thinking why can't I just fuzz and test the live application to find issues well of course you can but understanding the environment in which the application is operating and looking at how input flows from sources to syns and the journey that it takes to get there which can include things like Security checks and going through middleware could unveil the need for a payload that is unique to the application or a variation on a pattern that hasn't been seen before it might be that multiple inputs are needed or the attack is a second order attack and therefore scanners struggle to find it so code review is a useful skill to develop especially if you're on the hunt for cves or looking to contribute to open-source projects so how do we get started well let's talk about the methodology first most of the time we have an application and we want to look for sources and syncs sources are things like user input and syncs are things like dangerous functions that can execute the input as code most famously we have the eval function if you're just starting out though what I'd recommend doing is two things to prepare first try to understand the structure of the application and its source code for example how is the routing handled what does the input look like and the general structure of the application second what dangerous functions exist within the technology that you're working with with PHP for example we can find a list to get started with here and start to learn about what these functions do and how we can exploit an application that is using them it is also worth mentioning at this point that these are not the only things we're on the lookout for as we're trying to understand the application Behavior we also want to look for risky things that the developer might have done maybe there is some hard-coded back door for admins or input that's stored in the DB and then saved to a to PHP file which can then be executed later when the page is called so really our goal is to understand the application and once we understand it vulnerabilities are relatively easy to find later on in our journey we can can dive more into different vulnerabilities their patterns or signatures and deeper behavior of the application but I think this is enough for us to get started so let's find a nice snippet of code to take a look at so here we are and I have some code that I got chat GPT to write for me and then we're just going to review it and what I'm going to do is I'm going to step through it and of course in larger applications you probably want to break it down into subsets of functionality or into some logical sections um but we're just going to review this whole code and as we step through we have a few things that we want to achieve we want to identify all of these sources or inputs we want to identify all of the syncs or outputs and then identify any middleware or the rout that sources take to their syns so I think up here we can ignore these includes and we can ignore the express information and here we come down to mySQL connection setup this is probably our first finding something that you'll run into a lot and that is hardcoded credentials so we don't really want to see this in our source code although it's fairly common to see usernames and passwords and other sensitive information like Secrets or tokens or keys hardcoded so this is something that we would note down straight away as we keep going down we have our connection to mySQL and then we have a s ize input function and when I see this function I think ah this is to do with security this could impact the application and how it behaves so probably what I'd do is I'd add this to my notes to review later on as a general rule especially on my first pass I try not to dive into anything too deeply otherwise I find that I'll lose all of my time going into a rabbit hole I want to review the whole application first and then get a better understanding of what areas I need to put my time into so so we'd note this down to come back to later on as we come further down we can see some of our first sources so here we have username and this is the request. body. username and then we have email request. body. email and of course the password request. body. password Here further down we can see that we're using bcrypt to Hash the password and then if there's an error we return error hashing password to the user otherwise the password becomes the out put hash and then here we're going to insert the data into the database by the looks of it and this is our first sync so for example here we have insert into users and we have username email and password and the first thing to notice is that this is a dynamic query so it's not parameterized it's not a prepared statement we're actually taking this variable and placing it straight into the code so mixing data and code is bad practice and that's something to be on the lookout for and there are a lots of vulnerabilities like SQL injection that arise from mixing data and code and we come back here and we also see another Sync here so we see this error. SQL message now we obviously didn't see any particular input that was SQL message maybe we have control over this or partial control over this or maybe we don't if our username input for example becomes part of this error. SQL message then maybe we can get cross-site scripting but we need to go back through and understand how this is formed and what inputs can be used to influence it so those are our two syncs all right so let's come back up and what we want to do is check to see whether this username and email is exploitable so we can see that they're both using this sanitize function as middleware so if we scroll up we can now scrutinize this function and take a look and see where whether it's effective so we're essentially doing data replace so it's checking for keywords like select insert delete update drop and alter and whenever we do this kind of function there are some things to think about so is it done recursively is everything in there that's needed to be in there is it case insensitive and there are generally just a lot of edge cases that can bypass this kind of thing so what this is going to do is when we pass in some data if it finds the select keyword it's going to Simply remove it and since we have the G flag here this is a global flag so if we have multiple instances of Select it's going to get removed and also we have the I flag as well so this is going to be case insensitive so for example select like this is not going to work because it's case insensitive or if we do something like select select it's going to find all of them notice that it's not removing things like special characters and also some keywords like Union for example are also missing something I would test for here is whether it's recursive so we know that the global flag is going to find all instances of the keyword select for example but I don't know whether it's going to find select here remove it and then the output will still be vulnerable something I would have to test and the key thing to remember here is that some scanners might be fooled by inadequate input sanitization and sometimes they might not but what we want to do is identify this as a weakness now even if this isn't exploitable if you're an aback engineer or if you're working as part of a development team maybe suggest that they follow the standard best practice or the normal way of sanitizing input and I can't remember off the top of my head exactly how to do this but I suspect we want something like return MySQL MySQL do Escape data and we probably want to trim this as well so something like this of course check the documentation check the best practice but again when we see something that is a little weird even if we can't exploit it think about what the right way or the standard way that's widely accepted to do things is and then try and Implement that instead and of course down here as well we'd want to update this statement and then maybe we would want to try and make sure that we escape this output as well so that we're not just putting raw data into this alert box but very quickly you can see that we've identified some issues and some sources and syncs and some middleware that might be faulty and this is the goal of code review understanding the application how it's behaving and how the data is Flowing between different branches of code so now when we are looking at code we can look at what middleware or functions are being used for security and determine if they are standard libraries or custom written are they applied consistently across the code base written securely and following the best practices and understand the context around how code is reaching the function and what's being returned now to start with of course you're going to be looking for lwh hanging fruits and a lot of tools can detect these issues automatically so what I recommend is instead of using vulnerabilities as a measure of success use understanding of the application instead think to yourself do I understand how this application works can I follow the code and the more you do that the more likely you are to find hidden weaknesses risky behavior and ultimately more vulnerabilities one more thing to think about is consistency code review is a skill that requires time to learn and eventually master so if you are consistent with it then over time you'll be able to reap the rewards I recommend you step through the code manually first and then add tools later on to see what you missed or if they help you find new areas of the application to explore so where do we go from here I usually recommend that you start out with code Snippets but actually this site Source codes to.com has a ton of projects and many of them have critical vulnerabilities waiting for you to find just be aware that when you're working with code from an untrusted Source you might be dealing with something that has a back door or something malicious inside so take precautions use a virtual machine etc etc another resource that I'd recommend to get started is pentester lab there is a free introduction here with some code for you to review and unfortunately the rest of the exercises for the code review badge require a subscription but if you can afford it it's definitely worthwhile in my op opinion pentester lab is a great platform in general if you're interested in taking more steps into web application security and web app pen testing and that's it for this video I hope it helps you get started on your journey into code review and I will catch you next time

Original Description

If you want to see what vulnerabilities are hiding in your code, sign up for Snyk for free using the code https://snyk.co/thecybermentor 00:00 Introduction to Code Review 00:33 Snyk Sponsor Message 01:34 What is Code Review? 02:34 Get started with Code Review 04:13 Code Review Labs 11:00 How to Practice Code Review 12:16 Where to Find Code to Review 13:08 Outro Sponsor a Video: https://www.tcm.rocks/Sponsors Pentests & Security Consulting: https://tcm-sec.com Get Trained: https://academy.tcm-sec.com Get Certified: https://certifications.tcm-sec.com Merch: https://merch.tcm-sec.com 📱Social Media📱 ___________________________________________ Twitter: https://twitter.com/thecybermentor Twitch: https://www.twitch.tv/thecybermentor Instagram: https://instagram.com/thecybermentor LinkedIn: https://www.linkedin.com/in/heathadams TikTok: https://tiktok.com/@thecybermentor Discord: https://discord.gg/tcm 💸Donate💸 ___________________________________________ Like the channel? Please consider supporting me on Patreon: https://www.patreon.com/thecybermentor Support the stream (one-time): https://streamlabs.com/thecybermentor Hacker Books: Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX The Hacker Playbook 3: https://amzn.to/34XkIY2 Hacking: The Art of Exploitation: https://amzn.to/2VchDyL The Web Application Hacker's Handbook: https://amzn.to/30Fj21S Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx Linux Basics for Hackers: https://amzn.to/34WvcXP Python Crash Course, 2nd Edition: https://amzn.to/30gINu0 Violent Python: https://amzn.to/2QoGoJn Black Hat Python: https://amzn.to/2V9GpQk My Build: lg 32gk850g-b 32" Gaming Monitor:https://amzn.to/30C0qzV darkFlash Phantom Black ATX Mid-Tower Case: https://amzn.to/30d1UW1 EVGA 2080TI: https://amzn.to/30d2lj7 MSI Z390 MotherBoard: https://amzn.to/30eu5TL Intel 9700K: https://amzn.to/2M7hM2p
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60

← Previous Next →
1 Buffer Overflows Made Easy - Part 1: Introduction
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
2 Buffer Overflows Made Easy - Part 2: Spiking
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
3 Buffer Overflows Made Easy - Part 3: Fuzzing
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
4 Buffer Overflows Made Easy - Part 4: Finding the Offset
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
5 Buffer Overflows Made Easy - Part 5: Overwriting the EIP
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
6 Buffer Overflows Made Easy - Part 6: Finding Bad Characters
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
7 Buffer Overflows Made Easy - Part 7: Finding the Right Module
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
8 Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
9 HackTheBox - Sunday Walkthrough (Re-Up)
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
10 Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
11 Networking for Ethical Hackers - Network Subnetting (Re-Up)
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
12 Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
13 Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
14 HackTheBox - Fighter Walkthrough (Re-Up)
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
15 Beginner Linux for Ethical Hackers - Navigating the File System
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
16 Beginner Linux for Ethical Hackers - Users and Privileges
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
17 Beginner Linux for Ethical Hackers - Common Network Commands
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
18 Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
19 Beginner Linux for Ethical Hackers - Controlling Kali Services
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
20 Beginner Linux for Ethical Hackers - Scripting with Bash
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
21 Beginner Linux for Ethical Hackers - Installing and Updating Tools
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
22 Cracking Linux Password Hashes with Hashcat
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
23 Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
24 Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
25 Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
26 Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
27 New Zero to Hero Pentest Course, New Website, and 2K Subs?!
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
28 Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
29 Zero to Hero Pentesting: Episode 2 - Python 101
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
30 Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
31 Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
32 Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
33 Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
34 Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
35 Installing Windows Server 2016 on VMWare in 5 Minutes
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
36 Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
37 A Day in the Life of an Ethical Hacker / Penetration Tester
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
38 Active Directory Exploitation - LLMNR/NBT-NS Poisoning
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
39 Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
40 Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
41 Writing a Pentest Report
Writing a Pentest Report
The Cyber Mentor
42 Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
43 The Complete Linux for Ethical Hackers Course for 2019
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
44 Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
45 Popping a Shell with SMB Relay and Empire
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
46 Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
47 Pentesting for n00bs: Episode 2 - Lame
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
48 Pentesting for n00bs: Episode 3 - Blue
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
49 Web App Testing: Episode 1 - Enumeration
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
50 Pentesting for n00bs: Episode 4 - Devel
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
51 Pentesting for n00bs: Episode 5 - Jerry
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
52 Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
53 Pentesting for n00bs: Episode 6 - Nibbles
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
54 Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
55 How NOT to Approach a Cybersecurity Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
56 Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

This video teaches the basics of code review and how to get started with it, including using tools like Snyk for vulnerability detection. It covers the importance of code review in cybersecurity and provides labs and practice exercises for hands-on learning.

Key Takeaways
  1. Sign up for Snyk
  2. Get started with code review
  3. Practice code review using labs
  4. Find code to review
  5. Conduct code reviews
💡 Code review is an essential step in cybersecurity to detect vulnerabilities in code

Related Reads

📰
mcp-bastion v0.3.0: Teaching an MCP Security Proxy to Defend More of the Attack Surface
Improve your security proxy's attack surface coverage using benchmarking and iterative development
Medium · Cybersecurity
📰
mcp-bastion v0.3.0: Teaching an MCP Security Proxy to Defend More of the Attack Surface
Improve your MCP security proxy's attack surface coverage from 9% to 34% using an independent benchmark
Medium · LLM
📰
Web3 Navigates Cyber Threats Amidst Bearish Sentiment and Core Development Growth
Web3 faces cyber threats amidst bearish market sentiment, but core development continues to grow, offering opportunities for innovation and security improvements
Dev.to AI
📰
How I Built a Log Analysis Tool to Detect Network Anomalies
Learn how to build a log analysis tool to detect network anomalies using Python and Flask
Dev.to · Atena

Chapters (8)

Introduction to Code Review
0:33 Snyk Sponsor Message
1:34 What is Code Review?
2:34 Get started with Code Review
4:13 Code Review Labs
11:00 How to Practice Code Review
12:16 Where to Find Code to Review
13:08 Outro
Up next
8-Step Cybersecurity Engineer Roadmap 2026 | GenAI Era | #shorts
SCALER
Watch →