Setting up the Source Code Review Environment

Web application attacks are emerging every day and even the oldest of the attacks has not lost its significance. As the attacks are being evolved the developers are also evolving if not proportionally. At times it is not possible to find all the vulnerabilities by a single approach, be it black box or white box.

In this blog, we will demonstrate the applications and their extensions required for source code review or in other words, this blog will give you an idea of what white box testing is! We wrote this blog with the assumption that your target application is written in PHP.

This blog includes:

  • Debugger Setup – VS Code
  • Setting the debugging Breakpoint
  • Breaking that Breakpoint
  • Enabling and Monitoring DB Query Logging
  • Bonus! – Reliving CVE-2020-13231

Without further ado, let’s begin.

Debugger Setup – VS Code

On the Linux VM, we will download Visual Studio Code.

What is Visual Studio Code?
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux. It comes with built-in support for JavaScript, TypeScript and Node.js and has a rich ecosystem of extensions for other languages and runtimes (such as C++, C#, Java, Python, PHP, Go, .NET).

After downloading VS Code, it’s time to install extensions, for this course of the blog we will perform a manual code review of PHP code so we will be installing the extensions for PHP.

Extensions Installation

We will open our application code in the workspace from the explorer tab prior to adding the extension.

Image highlighting options under file menu in VS codeFig. Image highlighting options under file menu in VS code

Now, we will add extensions

Image displaying the extensions required to review PHP applications

Fig. Image displaying the extensions required to review PHP applications

PHP Debug – We can set up and configure Break Points with the aid of this debug.

PHP Intelephense – This will enable us to rapidly browse the function definitions without having to manually open the file.

Setting up the Breakpoint

To get an idea of the code flow and data flow, one needs to understand all the code but that would be time-consuming, to ease it we have Breakpoints. Breakpoints let the user know that the specific code flow will be executed, and it will take the user inside the function, or the user can skip to the next function.

We’ll select Breakpoint and learn how it works now that we’ve assumed you’ve chosen the application for your first manual source code review.

Open the project in the VS code explorer.

Image displaying the application's code in VS code

Fig. Image displaying the application’s code in VS code

Next, open the file where you want to set the breakpoint, in this case “install.php”.

To set the Breakpoint, click to the left of the line number you want to break.

 Image highlighting the intended breakpoint

Fig. Image highlighting the intended breakpoint

And start debugging from the menu on the top

Run  > Start Debugging

Image displaying the VS code window before the set breakpoint is triggered

Fig. Image displaying the VS code window before the set breakpoint is triggered

Breaking the Breakpoint

When we explore that page, or more specifically when the function with the Breakpoint is executed, the Breakpoint that we defined in the previous section is triggered.

So, to trigger our Breakpoint, we will access our app’s installation page.

Image displaying triggered breakpoint

Fig. Image displaying triggered breakpoint

With this, we can step-in, step-out and step-over the function.

Enabling and Monitoring DB Query Logging

After completing this step, we will be able to examine the communication between the database and our application, which is significant during code review for detecting SQL injections. Configure your /etc/mysql/my.cnf with following configuration:

Image displaying modified mysql configuration file

Fig. Image displaying modified mysql configuration file

Now to view the DB calls:

1$ sudo tail -f /var/log/mysql/mysql.log

Visit the login page, enter the credentials and submit

Bi-sectional Image displaying application's UI and respective DB query

Fig. Bi-sectional Image displaying application’s UI and respective DB query

Bonus! – Reliving CVE-2020-13231

This CVE is a CSRF vulnerability which lets attacker change admin’s mail.

Let’s find the vulnerable code:

Image displaying vulnerable code

Fig. Image displaying vulnerable code

As it is highlighted in the image, to change the parameter name, which accepts email and username, a GET request is sent without any anti-CSRF token.

This issue was assigned CVE-2020-13231.

As a fix, they converted the GET request to POST and an anti-CSRF token was implemented.

Image displaying new commits to fix the vulnerable code

Fig. Image displaying new commits to fix the vulnerable code

Conclusion

We hope the blog has provided you with some learning if you are new to source code reviews or have just started learning code reviews. Practicing will definitely help you move up the ladder, follow the approach, and review as much code as possible.

Post this blog, we will recommend you pick a vulnerable application, find all the vulnerabilities through backbox approach and try to find the same through code review.


About Payatu

Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Want to check the security posture of your organization? Browse through Payatu’s services and get started with the most effective cybersecurity assessments.

Have any specific requirements in mind? Let us know about them here and someone from our team will get in touch with you.

Subscribe to our Newsletter
Subscription Form
DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in few seconds

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trusted by