Slide 1

Slide 1 text

Getting Started with Code Reviews
By Prateek Thakare

Slide 2

Slide 2 text

ABOUT ME
- Bug Bounty Hunter (Part Time)
- Security Consultant at Payatu (Full Time)
- Learner (Life long)

Slide 3

Slide 3 text

AGENDA
01 - What, Why & How?
02 - Automated Code Review
03 - Manual Code Review
04 - Understanding request flow
05 - Routes
06 - Understanding Functions
07 - Understanding Software Architecture
08 - Examples

Slide 4

Slide 4 text

WHY CODE REVIEWS?
- Helps uncover hidden issues
- Gives a more in-depth understanding of things happening under the hood
- Reveals not only flaws due to insecure coding practices, but also logical flaws
- Helps in creating more test cases

Slide 5

Slide 5 text

WHAT ARE CODE REVIEWS?
- Code reviews are analysis of the source code of an application to uncover vulnerabilities.
- Code reviews should be part of the development cycle so that insecure coding practices are not deployed to production.

Slide 6

Slide 6 text

HOW TO DO A CODE REVIEW?
Code Reviews
- Manual
- Automation

Slide 7

Slide 7 text

AUTOMATION
- Tools: Involves the use of tools like semgrep, checkmarx, sonarqube, etc. These tools can be integrated into the CI/CD (continuous integration and continuous development) pipeline to find bugs before deployment.
- Use Dependabot: GitHub Dependabot provides you with alerts related to vulnerabilities in the dependencies you use.

Slide 8

Slide 8 text

RULESETS
Any idea how these tools detect vulnerabilities?
These tools are built upon static rulesets that search for patterns, regular expressions and specific keywords within the codebase.

Slide 9

Slide 9 text

ANY DRAWBACKS?
- You will miss logical issues.
- You might also miss bypasses for vulnerabilities which were found using scanners.
- As they work on rules, you can find only those vulnerabilities whose rules can be formulated.
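An added illustration, not from the slides, of how the rule-based tools of slides 7 to 9 work and what they miss: a toy scanner whose rules, constructed sample code and reporting format are all made up here (plain Python, not any specific tool's rule syntax).

```python
from typing import List, Tuple
import re

# Each rule is an (id, compiled pattern) pair. Real tools match on richer
# representations than single lines, but the idea is the same: a rule describes
# a textual shape, and only code with that shape is reported.
RULES = [
    ("py-eval", re.compile(r"\beval\(")),
    # A string literal that starts an SQL statement and is then concatenated with '+'.
    ("sql-concat", re.compile(r"""\b(SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']+\s*\+""", re.I)),
]


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_id) for every line that some rule matches."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id))
    return findings


# Constructed sample. Lines 2 and 3 match the rules above. Line 4 builds the
# same query with .format(), a shape no rule here describes, so it is missed;
# line 5 is a logic flaw (the admin check is inverted) that no pattern can express.
SAMPLE = """\
def lookup(cursor, name, is_admin, expr):
    result = eval(expr)
    cursor.execute("SELECT * FROM users WHERE name='" + name + "'")
    cursor.execute("SELECT * FROM users WHERE name='{}'".format(name))
    if not is_admin: return cursor.fetchall()
"""


def flagged_lines(source: str = SAMPLE) -> List[int]:
    """Which line numbers the scanner reported, for comparison with a manual read."""
    return sorted({lineno for lineno, _ in scan(source)})


if __name__ == "__main__":
    for lineno, rule_id in scan(SAMPLE):
        print(f"line {lineno}: {rule_id}")
```

Lines 4 and 5 are exactly the cases slide 9 warns about: a variant the rule does not cover, and a logical issue with no textual signature.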

Slide 10

Slide 10 text

MANUAL CODE REVIEW
- Reviewing code manually uncovers more hidden issues than automation can ever find.
- Why? How? Manual code review involves analyzing code line by line.
- Tools: Manual code review is efficient with IDEs, which make your flow through the code easy.

Slide 11

Slide 11 text

WHAT'S REQUIRED
- Prerequisites: Programming fundamentals, Object Oriented Programming (OOP) concepts, working of functions, use of variables, etc.
- Any roadblocks? Architecture: An organizational-level code base is very large and spread across different repositories. Large codebases are organized using software architectures like MVC, client-server, layered patterns, etc.

Slide 12

Slide 12 text

GETTING STARTED
- But from where should we start reviewing code when the codebase is huge?
- Let us first understand how applications handle your requests.

Slide 13

Slide 13 text

HOW ARE REQUESTS HANDLED?
1. You visit an endpoint, say /admin.
2. It hits the server you make a connection with.
3. The application listening on the port handles your request.
4. There is a mapper written in the application where this request falls.
5. This request is passed on to the appropriate function or logic by this mapper.
6. The logic processes the request and gives back the response to you.

Slide 14

Slide 14 text

ROUTES
- Those mappers discussed are often referred to as ROUTES.
- Routes map the URL path to the functions which have the logic necessary for processing.
- In every application you can find a similar type of file which serves as the request router.
- To start reviewing code in large code bases, the best way is to start either from the routes or from the main function.*

Slide 15

Slide 15 text

APPROACH
1. Look for the routes file.
2. Head towards the function associated with that route.
3. Analyse the function.
4. Validate the checks in the function for permissions and data sanitization.
5. Validate how the function handles failing conditions.
6. Understand how data is processed and how it flows.
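The request flow of slide 13 and the permission, sanitization and failure checks of the approach above, as an added example that is not from the slides: a pure-Python stand-in for a Django-style route table and two views, so it runs without any framework. The Request and Response classes, the route paths and the handler names are all constructed for illustration.

```python
from dataclasses import dataclass, field
import re

@dataclass
class Request:
    path: str
    user_role: str                 # assumed to be set by authentication earlier in the flow
    params: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str

# Allow-list for the 'user' parameter: what the handler accepts instead of trusting raw input.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def delete_user_unchecked(req: Request) -> Response:
    # The "before" version a reviewer flags at steps 4 and 5 of the approach:
    # no permission check, the parameter is used as received, no failure path.
    return Response(200, f"deleted {req.params.get('user')}")

def delete_user_checked(req: Request) -> Response:
    # Step 4: permission check before anything else.
    if req.user_role != "admin":
        return Response(403, "forbidden")
    # Step 4: data sanitization via the allow-list above.
    user = req.params.get("user", "")
    if not USERNAME_RE.match(user):
        return Response(400, "invalid user parameter")
    # Step 5: failing conditions return explicit responses; only valid,
    # authorized requests reach the actual logic.
    return Response(200, f"deleted {user}")

# The mapper from slide 13: URL path -> function holding the logic
# (the role Django's urlpatterns play in a real project).
ROUTES = {
    "/admin/delete-unchecked": delete_user_unchecked,
    "/admin/delete": delete_user_checked,
}

def dispatch(req: Request) -> Response:
    # The router hands the request to the matched function, or fails closed
    # with 404 when no route matches.
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)
```

Reading it the way the approach prescribes, you go from ROUTES to each handler and compare what the unchecked view lacks against what the checked one does.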

Slide 16

Slide 16 text

IN ACTION
Let's have a walkthrough of the code of a REST API developed in Django.

Slide 17

Slide 17 text

UNDERSTANDING FUNCTIONS
Function Name: ArrayAddition
In-Parameters: arr, size
Out-Parameters: sum
Local Parameters: i, sum
What is the function doing? The function takes as input the address of an array stored in a pointer variable and its size. It runs a for loop over the array and stores the sum of the array in the sum variable, which is returned as the out parameter.

Slide 18

Slide 18 text

UNDERSTANDING ARCHITECTURE
- An organisational codebase has to be structured in a specific way.
- Using the right pattern can increase speed and productivity.
- There are numerous patterns which are used across industries.
- Understanding the pattern used in the codebase helps us locate the right files and study data flow easily.

Slide 19

Slide 19 text

MVC ARCHITECTURE
- One such architecture is Model-View-Controller (MVC).
- The whole application is divided into three parts.
- Model contains the data and main functionality.
- View displays the data and interacts with the user.
- Controller handles user input and acts as mediator between view and model.
Source: Wikipedia. Further read: RedHat Blog.

Slide 20

Slide 20 text

AN EXAMPLE
Source: GitHub CodeQL

Slide 21

Slide 21 text

SIMPLE LOGICAL ISSUE

Slide 22

Slide 22 text

RESOURCES
- CodeQL (GitHub): The query help section has snippets with vulnerable code and its patch.
- Hackerrank: Hackerrank is a very nice platform to learn the basics of programming languages and problem solving.
- OSS: To get started, pick up any damn vulnerable open-source software and do a code review of it.
- Hackerone reports: Hackerone disclosed reports for programs like GitLab, Internet Bug Bounty, etc. have many reports discussing the vulnerability from the perspective of code.
- Semgrep Learn: Semgrep Learn can help you get started with creating semgrep rules.

Slide 23

Slide 23 text

CONNECT WITH ME
Twitter: @thakare_prateek
LinkedIn: /prateek-thakare

Slide 24

Slide 24 text

Thank You!!