Code Review

Methodologies

String Matching

Fastest way for finding low-hanging fruits (check graudit).

User Inputs

Review all the user-controlled inputs and ways to access the application.

Read Everything

Review one file at a time. Check for:

Hardcoded credentials
Information leak
- The webroot of the application in the main directory of the source code, so any files there will be publicly available.
Security flags on cookies
Weak password hashing mechanism

By Functionality

Review one functionality at a time.

Example

Small code base - Read Everything approach

$ tree
.
├── classes
│   ├── db.php
│   ├── jwt.php
│   ├── phpfix.php
│   └── user.php
├── css
│   ├── bootstrap.css
│   └── pentesterlab.css
├── deploy.sql
├── footer.php
├── header.php
├── index.php
├── login.php
├── logout.php
├── README
└── register.php

3 directories, 14 files

┌──(kali㉿CSpanias)-[~/pentester_lab/cr]
└─$ cloc .
      14 text files.
      13 unique files.
       2 files ignored.

github.com/AlDanial/cloc v 1.98  T=0.01 s (1161.9 files/s, 447851.2 lines/s)
-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
CSS                              2            676             11           3973
PHP                             10             48              4            289
SQL                              1              5              0              5
-------------------------------------------------------------------------------
SUM:                            13            729             15           4267
-------------------------------------------------------------------------------

Resources

PreviousRecon NextWeb

Last updated 1 year ago

Was this helpful?