Some time ago, CodeQL gained MRVA (multi-repository variant analysis), which lets you run a CodeQL query across many repositories at once. I’ve been procrastinating running some queries for a long time, but the author of this article, Maiky, didn’t procrastinate and described the process of finding...
Sources-to-sinks or sinks-to-sources – which approach works better when?
There are two major approaches to finding bugs in source code - sources to sinks and sinks to sources. The natural question is: which one is better? The answer is, as usual, it depends. In this article, I’ll tell you what it depends on. I’ll tell you my...
Source code review – catching low-hanging fruit
Manual source code review is tedious and often takes a long time. Although tools will never replace a human, utilising them is simply the smart thing to do. Sometimes you will be lucky and get a bug straight away. I’ve been lucky with it recently. Most of the...
How to write a new CodeQL query and maximise payout? RCE via ZipSlip query
Some of you might have seen on Twitter that I recently received my highest bounty of $5.5k from GitHub Security Lab for a CodeQL query that detects RCE via ZipSlip. It’s my second CodeQL bounty and I'm really happy with the return on investment I get from it. If...
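For readers who have not met the bug class, here is a minimal ZipSlip pair in Java. This is an added illustration, not code from the post or from the CodeQL query it describes; the class name `ZipSlipDemo` and the helper names are hypothetical, and the malicious archive is constructed inline by `main`. The vulnerable extractor joins the attacker-controlled entry name straight onto the destination directory, which is exactly the source-to-sink shape a ZipSlip query flags; the hardened version normalises the joined path and refuses anything that lands outside the destination.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Collections;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // VULNERABLE: the entry name comes from the (attacker-controlled) archive and is
    // joined straight onto destDir. An entry named "../../.ssh/authorized_keys" is
    // written outside destDir. java.util.zip does not reject such names for you.
    static void extractUnsafe(Path zip, Path destDir) throws IOException {
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            for (ZipEntry e : Collections.list(zf.entries())) {
                File out = new File(destDir.toFile(), e.getName());   // ZipSlip sink
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                try (InputStream in = zf.getInputStream(e)) {
                    Files.copy(in, out.toPath(), StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    // HARDENED: normalise the joined path and require it to stay under destDir.
    // Path.startsWith is component-wise, so "/tmp/out" does not match "/tmp/outside".
    // Absolute entry names ("/etc/passwd") resolve to themselves and are rejected too.
    static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("ZipSlip: entry escapes destination: " + entryName);
        }
        return target;
    }

    static void extractSafe(Path zip, Path destDir) throws IOException {
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            for (ZipEntry e : Collections.list(zf.entries())) {
                Path out = resolveInside(destDir, e.getName());
                if (e.isDirectory()) { Files.createDirectories(out); continue; }
                Files.createDirectories(out.getParent());
                try (InputStream in = zf.getInputStream(e)) {
                    Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    // Builds a small malicious archive (constructed test data) and runs both extractors.
    public static void main(String[] args) throws IOException {
        Path work = Files.createTempDirectory("zipslip");
        Path zip = work.resolve("evil.zip");
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zip))) {
            zos.putNextEntry(new ZipEntry("../escaped.txt"));   // traversal entry name
            zos.write("owned".getBytes());
            zos.closeEntry();
        }
        Path dest = Files.createDirectories(work.resolve("out"));

        extractUnsafe(zip, dest);
        // The file lands one level above dest, i.e. outside the extraction directory.
        System.out.println("unsafe extractor escaped dest: " + Files.exists(work.resolve("escaped.txt")));

        try {
            extractSafe(zip, dest);
        } catch (IOException ex) {
            System.out.println("safe extractor rejected entry: " + ex.getMessage());
        }
    }
}
```

When reviewing real code, the check to look for is the one in `resolveInside`: a canonicalised or normalised target compared against the canonicalised destination. A `contains("..")` test on the raw entry name is not equivalent, because it misses absolute names and encodings the filesystem still honours.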
Secure Code Game
GitHub Security Lab has created a secure code game that allows developers to learn how to secure intentionally vulnerable code. It's definitely worth trying out, especially for those who have been asking me how to get started with code review!...
From finding the target, the bug, through getting the CVE, up to my first CodeQL bounty
Last year, I received my first CodeQL bug bounty, which was a very satisfying achievement because I felt that this bug bounty program was right for me and my skillset. It’s a very unusual program because you receive a bounty for the scanner code that you wrote and not...
How to avoid being overwhelmed when reviewing the code?
The beginning of a new project can be very overwhelming - you don’t know what your target does, what technologies it uses, and you have no idea what bugs you should expect. The source code, although it generally helps, can sometimes be even more confusing. Especially if,...
CodeQL learning path
CodeQL is a code scanner that sits somewhere between pattern-based static analysis - where a scanner just matches the code as text - and dynamic analysis - where the scanner actually executes the application and sends payloads. CodeQL understands the code and the flow of the...
Finding RCEs in JVM-based languages
Reviewing the code of decompiled jar, war or class files is a profitable way to find bugs. Groovy and Scala are JVM languages related to Java, but you will miss their command execution sinks if you only look for Java’s Runtime.getRuntime()...
Reversing patches and creating exploits
Reversing patches is a very useful skill because companies will often only tell you what the bug class was, not how to reproduce it. So if you want to, let’s say, create your own scanner template for a CVE, you need to reverse the patch. And that’s what you’ll...