Code Review 101

Reviewing code is probably the best way to find vulnerabilities in a web application. It’s a lot faster than black-box testing, and it helps you learn how to program safely in the future by observing the mistakes of others. If you are interested in open-source software, auditing code is also a great way to get involved in the open-source community and help secure the tools you love.

Here are a few tricks I’ve learned along the way to audit source code more effectively. Let me know if you have any additional tips for conducting source code reviews.

How to look for bugs

There are several ways to go about hunting for vulnerabilities in source code. Depending on how thorough you want to be, here are some approaches that you could take.

The “I’ll take what I can get”

The “I’ll take what I can get” approach works great if you don’t need extensive test coverage. This could be because you have very limited time to audit the application, or because you’re a bug bounty hunter who wants to maximize your bugs-to-time ROI. These techniques are fast and often lead to the discovery of some of the most severe vulnerabilities.

1. Use Grep

You can grep for specific functions, strings, keywords and coding patterns that are known to be dangerous. Examples include input() in Python and eval() in PHP. This is the quickest approach and can often lead to critical findings. Focus the search on dangerous functions applied to user-controlled data, as well as on hardcoded credentials.

2. Recent fixes and patches

You can also take a look at the most recent code fixes and security patches. Recent code changes have not stood the test of time and are more likely to have bugs. Look at the protection mechanisms implemented and see if you can bypass them. Search for the program’s dependencies and see if any of them are outdated.

The “Bug Spray”

If you have more time, you can complement the above techniques with a more extensive source code review. However, instead of reading the entire code base line-by-line, here are a few strategies that you can take to maximize your efficiency.

1. Important functions first

When reading source code, focus on important functions such as authentication, password reset, state-changing actions and sensitive info reads. (Which functions matter most depends on the application.) Then, review how these components interact with other functionality. Finally, audit the other, less sensitive parts of the application.

2. Follow user input

Another approach is to follow the code that processes user input. User input such as HTTP request parameters, HTTP headers, HTTP request paths, database entries, file reads, and file uploads provides the entry points for attackers to exploit the application’s vulnerabilities. This can help find common vulnerabilities such as stored XSS, SQL injection, shell uploads, and XXE.

Focusing on areas of code that deal with user input will provide a good starting point for reviewing where potential dangers might arise. Then, review how the user input gets processed, stored or transferred. Finally, see whether other parts of the application use the previously processed user input. You might find that the same user input interacts differently with other components of the application.
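
Grep finds the sink call; whether its argument is user-controlled still takes reading. The following added example (my code, not the author's or any project's) goes one step beyond grep with Python's ast module: it lists dangerous sink calls and reports whether an argument traces back to request data, which serves both the "Use Grep" tip and the "Follow user input" approach above. The sink and source lists, the module-wide taint heuristic and the sample handler are all assumptions.

```python
# Added example (not from the original article): an AST pass one step beyond grep. It
# lists calls to dangerous Python sinks and reports whether an argument traces back to
# request data. The sink/source lists, taint heuristic and sample are assumptions.
import ast

SINKS = {"eval", "exec", "os.system", "os.popen", "subprocess.call", "subprocess.Popen"}
SOURCE_PREFIXES = ("request.", "flask.request.", "sys.argv", "input(")

def dotted_name(node):  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

class SinkScanner(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # names assigned from a source or from another tainted name
        self.findings = []     # (line, sink, user_controlled)
    def is_user_controlled(self, expr):
        if ast.unparse(expr).startswith(SOURCE_PREFIXES):
            return True
        return any(isinstance(n, ast.Name) and n.id in self.tainted for n in ast.walk(expr))
    def visit_Assign(self, node):  # module-wide taint: deliberately coarse
        if self.is_user_controlled(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)
    def visit_Call(self, node):
        sink = dotted_name(node.func)
        if sink in SINKS:
            self.findings.append((node.lineno, sink,
                                  any(self.is_user_controlled(a) for a in node.args)))
        self.generic_visit(node)

def scan_source(code):
    # returns [(line, sink, user_controlled), ...] for every sink call in code
    scanner = SinkScanner()
    scanner.visit(ast.parse(code))
    return scanner.findings

SAMPLE = '''\
def ping():                            # constructed Flask-style handler, not real code
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)                     # tainted via host -> cmd
    subprocess.call(["ls", "-l"])      # constant argv
    return eval(request.form["expr"])  # tainted directly
'''
```

Running `scan_source(SAMPLE)` reports the os.system and eval calls as user-controlled and the subprocess.call as constant; the heuristic ignores function scope and sanitizers, so treat its output as a reading list, not a verdict.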

What to look for

Now that we know how to look for bugs in source code, what exactly are we looking for? While a source code review can potentially reveal most vulnerabilities hiding in an application, some are easier to find than others.

In addition to looking for all common vulnerabilities that might be exploited by an attacker, you should also focus on bugs that are critical but hard to discover via other methods (like pen-testing or bug bounties).

  1. Hardcoded secrets and credentials: Hardcoded secrets such as API keys, encryption keys and database passwords can be easily discovered during a source code review. You can grep for keywords such as “key”, “secret”, “password”, “encrypt”, or use a regex search for hex or base64 strings (depending on the key format in use).

  2. Use of dangerous functions and outdated dependencies: Unchecked use of dangerous functions and outdated dependencies is a huge source of bugs. Grep for the specific functions known to be dangerous in the language you are reviewing, and search through the dependency versions list to see if any are outdated.

  3. Developer comments, hidden debug functionalities, configuration files, and the .git directory: These are things that developers often forget about and that leave the application in a dangerous state. Developer comments can point out obvious programming mistakes, hidden debug functionalities often lead to privilege escalation, config files allow attackers to gather more information about your infrastructure, and finally, an exposed .git directory allows attackers to reconstruct your source code.

  4. Hidden paths, deprecated endpoints, and endpoints in development: These are endpoints that users might not encounter when using the application normally. But if they still work and an attacker discovers them, they can lead to vulnerabilities such as authentication bypass and sensitive information leaks, depending on the exposed endpoint.

  5. Weak cryptography or hashing algorithms: This is an issue that is hard to find during a black-box test, but easy to spot when reviewing source code. Look for issues such as weak encryption keys, breakable encryption algorithms, and weak hashing algorithms. Grep for terms like ECB, MD4, and MD5.

  6. Missing security checks on user input and regex strength: Reviewing source code is a great way to find out what kind of security checks are missing. Read through the application’s documentation and test all the edge cases that you can think of. A great resource for the kinds of edge cases you should consider is PayloadsAllTheThings.

  7. Missing cookie flags: Look out for missing cookie flags such as httpOnly and secure.

  8. Unexpected behavior, conditionals, unnecessarily complex and verbose functions: Additionally, pay special attention to the application’s unexpected behavior, conditionals, and complex functions. These locations are where obscure bugs are often discovered.
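
For items 1 and 5 above (hardcoded secrets and weak cryptography), the grep can be scripted. The following added example, not from the original article, combines a keyword regex for credential assignments, a hex/base64 literal search filtered by Shannon entropy (so a zeroed IV is not reported), and a weak-crypto term search covering the page's ECB, MD4 and MD5 plus DES and RC4; the patterns and the sample fragment are assumptions.

```python
# Added example (not from the original article): a regex pass that flags hardcoded
# credentials by keyword, long hex/base64 literals filtered by Shannon entropy, and
# weak-crypto identifiers (ECB, MD4, MD5 plus DES, RC4). Patterns and sample are assumed.
import math
import re

KEYWORD_RE = re.compile(
    r'(?i)\b(\w*(?:api_?key|key|secret|password|passwd|token)\w*)\s*[:=]\s*["\']([^"\']{8,})["\']')
HEX_RE = re.compile(r'\b[0-9a-fA-F]{32,}\b')
B64_RE = re.compile(r'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/])')
WEAK_CRYPTO_RE = re.compile(r'(?<![A-Za-z])(MD4|MD5|ECB|DES|RC4)(?![A-Za-z])', re.IGNORECASE)

def shannon_entropy(s):
    """Bits per character; an all-same-character string (e.g. a zero IV) scores 0."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text, min_entropy=3.0):
    """Return [(line_no, kind, detail), ...] for every suspicious hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEYWORD_RE.finditer(line):
            findings.append((lineno, "hardcoded-credential", m.group(1)))
        for rx, kind in ((HEX_RE, "hex-blob"), (B64_RE, "base64-blob")):
            for m in rx.finditer(line):
                if shannon_entropy(m.group(0)) >= min_entropy:   # skips 0000... padding
                    findings.append((lineno, kind, m.group(0)[:12] + "..."))
        for m in WEAK_CRYPTO_RE.finditer(line):
            findings.append((lineno, "weak-crypto", m.group(1)))
    return findings

SAMPLE = '''\
DB_PASSWORD = "hunter2-prod-2019"
api_key = "AKIAIOSFODNN7EXAMPLE"
hmac_key = "c3VwZXJzZWNyZXRrZXltYXRlcmlhbDEyMzQ1Ng=="
iv = "00000000000000000000000000000000"
cipher = AES.new(key, AES.MODE_ECB)
digest = hashlib.md5(data).hexdigest()
'''   # constructed config/source fragment, not from any real project

if __name__ == "__main__":
    for lineno, kind, detail in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```

The zero IV on line 4 matches both the hex and base64 patterns but is dropped by the entropy filter, which is the usual trade-off: lower min_entropy to catch short or repetitive keys at the cost of more noise.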

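
For item 7 (missing cookie flags), here is an added example, not from the original article, that parses the Set-Cookie headers of a raw HTTP response and reports cookies lacking HttpOnly or Secure, also flagging SameSite=None without Secure, which browsers reject. The sample response is constructed.

```python
# Added example (not from the original article): audit Set-Cookie headers from a raw
# HTTP response for missing HttpOnly/Secure flags. The sample response is constructed.

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # attribute names are case-insensitive
    return name, attrs

def audit_cookie(header_value):
    """Return (name, [problem, ...]) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header_value)
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None requires Secure")
    return name, problems

def audit_response(raw_response):
    """Audit every Set-Cookie header in a raw HTTP response (only the head is read)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    results = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, hvalue = line.partition(":")
        if hname.strip().lower() == "set-cookie":
            results.append(audit_cookie(hvalue.strip()))
    return results

SAMPLE_RESPONSE = (   # constructed response: one hardened cookie, two weak ones
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Path=/; SameSite=Strict\r\n"
    "set-cookie: tracker=1; Path=/; SameSite=None\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for name, problems in audit_response(SAMPLE_RESPONSE):
        print(f"{name}: {', '.join(problems) or 'ok'}")
```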
As always, thanks for reading! If you have any additional tips for conducting source code reviews, feel free to comment or let me know on Twitter.

Translated from: https://medium.com/swlh/code-review-101-2e3f7c142c7e
