Without question, the best way to analyse an open source target is by debugging. However, it doesn't come without a cost. I get shivers thinking about installing a proper Ruby version with all its gems. In fact, when writing this, I already have an OpenSSL...
Source code
50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Aqua Security conducted a fascinating analysis of how open-source vulnerabilities get fixed or, more precisely, of the time gaps between a fix being committed to GitHub and the official fixed release being published. They even define terms like 0.5day and 0.75day which do...
Finding Vulnerabilities with MRVA CodeQL
Some time ago, CodeQL gained MRVA (multi-repository variant analysis), which allows running CodeQL queries across multiple repositories at once. I've been procrastinating on running some queries for a long time, but the author of this article, Maiky, didn't procrastinate and described the process of finding...
Sources-to-sinks or sinks-to-sources – which approach works better when?
There are two major approaches to finding bugs in source code: sources to sinks and sinks to sources. The natural question is: which one is better? The answer is, as usual, it depends. In this article, I'll tell you what it depends on. I'll tell you my...
Source code review – catching low-hanging fruit
Manual source code review is tedious and often takes a long time. Although tools will never replace a human, using them is simply the smart thing to do. Sometimes you get lucky and find a bug straight away. I've been lucky with that recently. Most of the...
How to write a new CodeQL query and maximise payout? RCE via ZipSlip query
Some of you might have seen on Twitter that I recently received my highest bounty so far, $5.5k from GitHub Security Lab, for a CodeQL query that detects RCE via ZipSlip. It's my second CodeQL bounty and I'm really happy with the return on investment I get from it. If...
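As an added illustration of the bug class behind that ZipSlip query, and of the sources-to-sinks framing from the earlier post, here is an example in Python: the archive entry name is the source, the file write is the sink, and the hardened version inserts a containment check between them. This is not the author's query or any project's code; the language is an assumption (the page does not say which language the bounty query targeted), and the archive it extracts is constructed inline.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry.

    ZipFile.writestr stores the name verbatim, so '../evil.txt' survives in the
    central directory exactly as an attacker-supplied archive would carry it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content")
        zf.writestr("../evil.txt", "written outside the extraction directory")
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest: str) -> list:
    """ZipSlip pattern: the entry name (source) reaches open() (sink) unchecked.

    os.path.join(dest, '../evil.txt') simply walks out of dest, so the attacker
    chooses where the file lands.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # untrusted name, no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:  # sink: arbitrary file write
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def contained_target(dest: str, name: str) -> str:
    """Resolve name under dest and refuse anything that escapes it.

    realpath() collapses '..' and follows symlinks, so the comparison is made on
    the path the filesystem would actually use; commonpath compares whole path
    components, so 'extract_evil' is not mistaken for a child of 'extract'.
    """
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"ZipSlip attempt: {name!r} resolves to {target}, outside {root}")
    return target


def is_contained(dest: str, name: str) -> bool:
    """Boolean view of contained_target, handy for tests and log-only checks."""
    try:
        contained_target(dest, name)
        return True
    except ValueError:
        return False


def extract_hardened(zip_bytes: bytes, dest: str) -> list:
    """Same extraction loop with the containment check placed before the sink."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = contained_target(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Run both extractors on the constructed archive inside throwaway directories."""
    data = build_malicious_zip()
    result = {}

    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.makedirs(dest)
        extract_vulnerable(data, dest)
        # The traversal entry lands one level above dest, i.e. outside it.
        result["vulnerable_escaped"] = os.path.isfile(os.path.join(tmp, "evil.txt"))

    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.makedirs(dest)
        try:
            extract_hardened(data, dest)
            result["hardened_blocked"] = False
        except ValueError:
            result["hardened_blocked"] = not os.path.isfile(os.path.join(tmp, "evil.txt"))

    return result


if __name__ == "__main__":
    print(run_demo())
```

Reading the vulnerable function sinks-to-sources, you start at `open(target, "wb")` and walk back to `info.filename`; reading it sources-to-sinks, you start at the archive and follow the name forward. Either way the missing step is the same: nothing between them constrains where `target` may point, and that is the shape a taint-tracking query looks for.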
Secure Code Game
GitHub Security Lab has created a secure code game that allows developers to learn how to secure intentionally vulnerable code. It's definitely worth trying out, especially for those who have been asking me how to get started with code review!...
From finding the target, the bug, through getting the CVE, up to my first CodeQL bounty
Last year, I received my first CodeQL bug bounty, which was a very satisfying achievement because I felt that this bug bounty program was right for me and my skillset. It’s a very unusual program because you receive a bounty for the scanner code that you wrote and not...
How to avoid being overwhelmed when reviewing the code?
The beginning of a new project can be very overwhelming: you don't know what your target does, what technologies it uses, and you have no idea what bugs to expect. The source code, although it generally helps, can sometimes be even more confusing. Especially if,...
CodeQL learning path
CodeQL is a code scanner that sits somewhere between simple static analysis - where a scanner merely treats the code as text - and dynamic analysis - where the scanner actually executes the application and sends payloads. CodeQL understands the code and the flow of the...