I feel it’s profitable to find bugs by reviewing the code of decompiled jar, war or class files. Technologies like Groovy or Scala are Java-related languages, but you will miss command execution sinks in them if you are only looking for Java’s Runtime.getRuntime()...
Source code
Reversing patches and creating exploits
Reversing patches is a very useful skill because often, companies will only tell you what the bug class was and not how to reproduce it. Thus, if you want to, let’s say, create your own scanner template for a CVE, you need to reverse a patch. And that’s what you’ll...
Advanced search in VS Code
When looking for bugs in the source code, Visual Studio Code is my IDE of choice. One of the most common features I use is searching: searching for vulnerable code patterns, searching for function usages, searching for variable names - I do it all the time. VS Code is...
Code Review Hotspots with Semgrep
Parsia, a senior security engineer at EA, wrote a great blog post about using semgrep to... not find vulnerabilities. Semgrep is a code scanner and he uses it in two different ways: To find vulnerabilities. These rules must be fairly accurate and can be integrated with...
CodeQL and bugs in NSA’s application
Let's come back to the subject of source code review and CodeQL. CodeQL is a source code analysis tool that does more than just grepping the code for patterns. It runs a semantic analysis - it understands the code just like a compiler or interpreter. CodeQL tries...
How to do Code Review and where to find the code?
Shubs has a really good presentation on the OWASP DevSlop YouTube channel about reviewing source code. Importantly, he also dedicated some time to telling us where to even find source code if we are auditing something that's not open source. As he says, often...
How to start reviewing code?
This week, I took some notes from the “How to Analyze Code for Vulnerabilities?” talk by Vickie Li from the OWASP DevSlop channel. She shared some tips from a developer’s point of view on how to analyse code to find vulnerabilities. It’s mostly about manual source...
Using CodeQL to hunt for DOM-XSS (+ idea for a series)
CodeQL is a subject that gets mentioned here quite often. I hope it does interest you as much as I do. Today, I have for you an article with some basics of CodeQL and the way you can use it to find DOM-XSS in closed-source applications. The idea is to simply download...
Reverse engineering a CVE
CVE-2021-40438 is an SSRF in mod_proxy of apache2. Now, the vulnerability itself I may cover in a BBRE video because it's quite an interesting one. What I'd like you to focus on in this article is the way that the hacker reverse engineers the patch to find out the...
Writing custom semgrep rules
Semgrep is a tool for static source code analysis. It does use regexes, but it also understands the code enough to catch some cases of the same thing written in two ways. There is a registry of public rules which you can use (https://semgrep.dev/r) but it's not...