This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Code Review V2 Table of Contents"

From OWASP
(Reviewing by Techincal Control)
m (Glenn 'devalias' Grant moved page OWASP Code review V2 Table of Contents to OWASP Code Review V2 Table of Contents: Correct capitalisation as used on category page)
 
(42 intermediate revisions by 10 users not shown)
Line 14: Line 14:
 
=== What is source code review and Static Analysis ===
 
=== What is source code review and Static Analysis ===
 
=== What is Code Review ===
 
=== What is Code Review ===
# Author - Zyad Mghazli
+
# Author - Zyad Mghazli, Eoin Keary
 
# New Section
 
# New Section
 
''' [[CRV2_WhatIsCodeReview|Content here]]'''
 
''' [[CRV2_WhatIsCodeReview|Content here]]'''
  
 
=== Manual Review - Pros and Cons ===
 
=== Manual Review - Pros and Cons ===
# Author - Ashish Rao
+
# Author - Zyad Mghazli, Eoin Keary,Gary David Robinson
 
# New Section
 
# New Section
 
# Suggestion: Benchmark of different Stataic Analysis Tools  Zyad Mghazli
 
# Suggestion: Benchmark of different Stataic Analysis Tools  Zyad Mghazli
# Suggestion: Highlight the advantages of code review to the department/team - Gary David Robinson
 
 
# [[CRV2_ManualReviewProsCons|Put content here]]
 
# [[CRV2_ManualReviewProsCons|Put content here]]
 +
 +
=== Advantages of Code Review to Development Practices ===
 +
# Author - Gary David Robinson
 +
# New Section
 +
# [[CRV2_AdvantagesToDevPractices|Put content here]]
  
 
=== Why code review ===
 
=== Why code review ===
Line 31: Line 35:
  
 
=== We can't hack ourselves secure ===
 
=== We can't hack ourselves secure ===
# Author - Prathamesh Mhatre
+
# Author - Eoin Keary
 
# New Section
 
# New Section
 
# [[CRV2_CantHackSecure|Put content here]]
 
# [[CRV2_CantHackSecure|Put content here]]
  
 
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
 
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - Ashish Rao
+
# Author - eoin Keary
 
# New Section
 
# New Section
 
# [[CRV2_360Review|Put content here]]
 
# [[CRV2_360Review|Put content here]]
Line 47: Line 51:
 
=Methodology=
 
=Methodology=
 
===The code review approach===
 
===The code review approach===
#Author -  Prathamesh Mhatre
+
#Author -  Johanna Curiel
 
# [[CRV2_CodeReviewApproach|Put content here]]
 
# [[CRV2_CodeReviewApproach|Put content here]]
  
 
==== Preparation and context ====
 
==== Preparation and context ====
# Author - Open
+
# Author - Gary David Robinson
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
 
# [[CRV2_PrepContext|Put content here]]
 
# [[CRV2_PrepContext|Put content here]]
  
 
====Application Threat Modeling====
 
====Application Threat Modeling====
#Author - Andy, Renchie Joan
+
#Author - Larry Conklin
 
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
 
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
 
# [[CRV2_AppThreatModeling|Put content here]]
 
# [[CRV2_AppThreatModeling|Put content here]]
  
 
====Understanding Code layout/Design/Architecture====
 
====Understanding Code layout/Design/Architecture====
#Author - Ashish Rao
+
#Author - Open
 
# [[CRV2_CodeLayoutDesignArch|Put content here]]
 
# [[CRV2_CodeLayoutDesignArch|Put content here]]
 +
====Understanding Business Logic====
 +
#[[CRV2_BusinessLogic|Put content here]]
  
 
===SDLC Integration===
 
===SDLC Integration===
#Author - Andy, Ashish Rao
+
#Author - Larry Conklin
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
 
# [[CRV2_SDLCInt|Put content here]]
 
# [[CRV2_SDLCInt|Put content here]]
Line 71: Line 77:
 
====Deployment Models====
 
====Deployment Models====
 
=====Secure deployment configurations=====
 
=====Secure deployment configurations=====
#Author - Ashish Rao
+
#Author -  
 
# [[CRV2_SecDepConfig|Put content here]]
 
# [[CRV2_SecDepConfig|Put content here]]
  
 
# New Section
 
# New Section
 
=====Metrics and code review=====
 
=====Metrics and code review=====
#Author - Andy
+
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
 
# [[CRV2_MetricsCodeRev|Put content here]]
 
# [[CRV2_MetricsCodeRev|Put content here]]
  
 
=====Source and sink reviews=====
 
=====Source and sink reviews=====
#Author - Ashish Rao
+
#Author - Open
 
# New Section
 
# New Section
 
# [[CRV2_SourceSinkRev|Put content here]]
 
# [[CRV2_SourceSinkRev|Put content here]]
Line 99: Line 105:
  
 
=====A Risk based approach to code review=====
 
=====A Risk based approach to code review=====
#Author - Renchie Joan
+
#Author - Gary David Robinson
 
#New Section
 
#New Section
 
*"Doing things right or doing the right things..."
 
*"Doing things right or doing the right things..."
Line 106: Line 112:
  
 
====Crawling code====
 
====Crawling code====
#Author - Abbas Naderi
+
#Author - Open
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
 
*API of Interest:
 
*API of Interest:
Line 116: Line 122:
 
**Spring
 
**Spring
 
**.NET MVC
 
**.NET MVC
**Structs
+
**Struts
 
**Zend
 
**Zend
 
#New Section
 
#New Section
 
*Searching for code in C/C++
 
*Searching for code in C/C++
#Author - Gary Robinson
+
#Author - Gary David Robinson
  
 
# [[CRV2_CrawlingCode|Put content here]]
 
# [[CRV2_CrawlingCode|Put content here]]
  
 
====Code reviews and Compliance====
 
====Code reviews and Compliance====
#Author -Manual Harti
+
#Author -Open
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
 
# [[CRV2_CodeRevCompliance|Put content here]]
 
# [[CRV2_CodeRevCompliance|Put content here]]
  
=Reviewing by Techincal Control=
+
=Reviewing by Technical Control=
 
===Reviewing code for Authentication controls===
 
===Reviewing code for Authentication controls===
#Author - Anand Prakash, Joan Renchie
+
#Author - Gary Robinson
 
# [[CRV2_AuthControls|Put content here]]
 
# [[CRV2_AuthControls|Put content here]]
  
 
====Forgot password====
 
====Forgot password====
#Author Abbas Naderi
+
#Author Abbas Naderi, Larry Conklin
 
# [[CRV2_ForgotPassword|Put content here]]
 
# [[CRV2_ForgotPassword|Put content here]]
 
====Authentication====
 
#Author - Anand Prakash, Joan Renchie
 
# [[CRV2_Authentication|Put content here]]
 
  
 
====CAPTCHA====
 
====CAPTCHA====
Line 147: Line 149:
  
 
====Out of Band considerations====
 
====Out of Band considerations====
#Author - Open
+
#Author - Gary Robinson
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
 
# [[CRV2_OutofBand|Put content here]]
 
# [[CRV2_OutofBand|Put content here]]
  
 
===Reviewing code Authorization weakness===
 
===Reviewing code Authorization weakness===
#Author Ashish Rao (Eoin Keary .NET MVC added)
+
#Author Eoin Keary .NET MVC added
 
# [[CRV2_AuthorizationWeaknesses|Put content here]]
 
# [[CRV2_AuthorizationWeaknesses|Put content here]]
  
 
====Checking authz upon every request====
 
====Checking authz upon every request====
#Author - Abbas Naderi, Joan Renchie
+
#Author - Abbas Naderi
 
# [[CRV2_CheckAuthzEachRequest|Put content here]]
 
# [[CRV2_CheckAuthzEachRequest|Put content here]]
  
 
====Reducing the attack surface====
 
====Reducing the attack surface====
#Author Chris Berberich
+
#Author Gary Robinson
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
 
# [[CRV2_ReducingAttSurf|Put content here]]
 
# [[CRV2_ReducingAttSurf|Put content here]]
Line 169: Line 171:
  
 
====Reviewing code for Session handling====
 
====Reviewing code for Session handling====
#Author - Palak Gohil, Abbas Naderi
+
#Author - Abbas Naderi
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
 
# [[CRV2_SessionHandling|Put content here]]
 
# [[CRV2_SessionHandling|Put content here]]
Line 190: Line 192:
  
 
====="Jacking"/Framing=====
 
====="Jacking"/Framing=====
#Author - Abbas Naderi
+
#Author - Eoin  Keary
 
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]
 
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]
  
 
=====HTML 5?=====
 
=====HTML 5?=====
#Author - Sebastien Gioria
+
#Author - Open
 
# [[CRV2_ClientSideCodeHTML5|Put content here]]
 
# [[CRV2_ClientSideCodeHTML5|Put content here]]
  
=====Browser Defenses policy=====
+
=====Browser Defenses=====
 
#Author - Open
 
#Author - Open
 
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]
 
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]
Line 208: Line 210:
  
 
=====Regex Gotchas=====
 
=====Regex Gotchas=====
#Author - Abbas Naderi
+
#Author - Open
 
#New Section
 
#New Section
 
# [[CRV2_InputValRegexGotchas|Put content here]]
 
# [[CRV2_InputValRegexGotchas|Put content here]]
  
 
=====ESAPI=====
 
=====ESAPI=====
#Author - Abbas Naderi
+
#Author - Open
 
#New Section
 
#New Section
 
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
 
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
 
# [[CRV2_InputValESAPI|Put content here]]
 
# [[CRV2_InputValESAPI|Put content here]]
 +
 +
=====Microsoft Web Protection Library=====
 +
#Author - Michael Hidalgo
 +
#New Section
 +
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
 +
# [[CRV2_InputValMicrosoftWebProtectionLibrary|Put content here]]
  
 
====Reviewing code for contextual encoding====
 
====Reviewing code for contextual encoding====
 +
[[Overall approach to content encoding and anti XSS]]
 
=====HTML Attribute=====
 
=====HTML Attribute=====
#Author - Shenai Silva
+
#Author - Eoin Keary
 
# [[CRV2_ContextEncHTMLAttribute|Put content here]]
 
# [[CRV2_ContextEncHTMLAttribute|Put content here]]
  
 
=====HTML Entity=====
 
=====HTML Entity=====
#Author - Shenai Silva
+
#Author - Eoin Keary
 
# [[CRV2_ContextEncHTMLEntity|Put content here]]
 
# [[CRV2_ContextEncHTMLEntity|Put content here]]
  
 
=====Javascript Parameters=====
 
=====Javascript Parameters=====
#Author - Open
+
#Author - Eoin Keary
 
# [[CRV2_ContextEncJscriptParams|Put content here]]
 
# [[CRV2_ContextEncJscriptParams|Put content here]]
  
 
=====JQuery=====
 
=====JQuery=====
#Author - Abbas Naderi
+
#Author - Open
 
# [[CRV2_ContextEncJQuery|Put content here]]
 
# [[CRV2_ContextEncJQuery|Put content here]]
  
Line 240: Line 249:
  
 
====Resource Exhaustion - error handling====
 
====Resource Exhaustion - error handling====
#Author - Abbas Naderi
+
#Author - Open
 
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]
 
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]
  
 
=====native calls=====
 
=====native calls=====
#Author Abbas Naderi
+
#Author Open
 
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]
 
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]
  
 
====Reviewing Logging code - Detective Security====
 
====Reviewing Logging code - Detective Security====
#Author - Palak Gohil
+
#Author - Gary Robinson
 
* Where to Log
 
* Where to Log
 
* What to log
 
* What to log
Line 257: Line 266:
  
 
====Reviewing Error handling and Error messages====
 
====Reviewing Error handling and Error messages====
#Author - Gary Robinson
+
#Author - Gary David Robinson
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
 
# [[CRV2_ErrorHandlingMessages|Put content here]]
 
# [[CRV2_ErrorHandlingMessages|Put content here]]
  
 
====Reviewing Security alerts====
 
====Reviewing Security alerts====
#Author - Open
+
#Author - Gary Robinson
 
# [[CRV2_SecurityAlerts|Put content here]]
 
# [[CRV2_SecurityAlerts|Put content here]]
  
Line 270: Line 279:
  
 
====Reviewing Secure Storage====
 
====Reviewing Secure Storage====
#Author - Azzeddine Ramrami
+
#Author - Open source
 
# New Section
 
# New Section
 
# [[CRV2_SecureStorage|Put content here]]
 
# [[CRV2_SecureStorage|Put content here]]
  
 
====Hashing & Salting - When, How and Where====
 
====Hashing & Salting - When, How and Where====
=====Encrpyption=====
+
=====Encryption=====
 
======.NET======
 
======.NET======
 
#Author Larry Conklin, Joan Renchie
 
#Author Larry Conklin, Joan Renchie
Line 284: Line 293:
 
=Reviewing by Vulnerability=
 
=Reviewing by Vulnerability=
 
===Review Code for XSS===
 
===Review Code for XSS===
#Author Palak Gohil, Anand Prakash (Examples added by Eoin Keary)
+
#Author Examples added by Eoin Keary
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
 
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
 
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
Line 290: Line 299:
  
 
===Persistent - The Anti pattern===
 
===Persistent - The Anti pattern===
#Author Abbas Naderi
+
#Author  
 
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]
 
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]
  
 
====.NET====
 
====.NET====
#Author Johanna Curiel, Renchie Joan, Larry Conklin
+
#Author Johanna Curiel, Eoin Keary
 
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]
 
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]
  
 
====.Java====
 
====.Java====
#Author Palak Gohil
+
#Author Johanna Curiel
 
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]
 
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]
  
 
====PHP====
 
====PHP====
#Author Mohammed Damavandi, Abbas Naderi
+
#Author Abbas Naderi
 
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]
 
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]
  
 
====Ruby====
 
====Ruby====
#Author Chris Berberich
+
#Author Open
 
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]
 
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]
  
Line 313: Line 322:
  
 
====.NET====
 
====.NET====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]
 
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]
  
 
====.Java====
 
====.Java====
#Author Palak Gohil
+
#Author Johanna Curiel
 
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]
 
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]
  
 
====PHP====
 
====PHP====
#Author Mohammed Damavandi, Abbas Naderi
+
#Author Abbas Naderi
 
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]
 
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]
  
Line 329: Line 338:
  
 
===Stored - The Anti pattern===
 
===Stored - The Anti pattern===
# Author - Open
+
# Author - Johanna Curiel
 
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]
 
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]
  
 
====.NET====
 
====.NET====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]
 
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]
  
 
====.Java====
 
====.Java====
#Author Palak Gohil
+
#Author Johanna Curiel
 
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]
 
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]
  
 
====PHP====
 
====PHP====
#Author Mohammed Damavandi, Abbas Naderi
+
#Author Johanna Curiel
 
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]
 
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]
  
 
====Ruby====
 
====Ruby====
#Author - Open
+
#Author - Johanna Curiel
 
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]
 
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]
  
Line 353: Line 362:
  
 
===JQuery mistakes===
 
===JQuery mistakes===
#Author Shenal Silva
+
#Author  
 
# [[CRV2_JQueryMistakes|Put content here]]
 
# [[CRV2_JQueryMistakes|Put content here]]
  
 
===Reviewing code for SQL Injection===
 
===Reviewing code for SQL Injection===
#Author Palak Gohil, Renchie Joan
+
#Author Gary Robinson
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
 
# [[CRV2_RevCodeSQLInjection|Put content here]]
 
# [[CRV2_RevCodeSQLInjection|Put content here]]
Line 366: Line 375:
  
 
====Java====
 
====Java====
#Author - Open
+
#Author - Johanna Curiel
 
# [[CRV2_SQLInjJava|Put content here]]
 
# [[CRV2_SQLInjJava|Put content here]]
  
 
====.NET====
 
====.NET====
#Author - Mennouchi Islam Azeddine
+
#Author - Open
 
# [[CRV2_SQLInjdotNET|Put content here]]
 
# [[CRV2_SQLInjdotNET|Put content here]]
  
Line 382: Line 391:
 
https://www.owasp.org/index.php/CRV2_AntiPattern
 
https://www.owasp.org/index.php/CRV2_AntiPattern
 
====PHP====
 
====PHP====
#Author - Mohammad Damavandi, Abbas Naderi
+
#Author -  
 
# [[CRV2_AntiPatternPHP|Put content here]]
 
# [[CRV2_AntiPatternPHP|Put content here]]
  
 
====Java====
 
====Java====
#Author - Palak Gohil
+
#Author -  
 
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
 
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
 
# [[CRV2_AntiPatternJava|Put content here]]
 
# [[CRV2_AntiPatternJava|Put content here]]
  
 
====.NET====
 
====.NET====
#Author Johanna Curiel, Renchie Joan,Larry Conklin
+
#Author Open
 
# [[CRV2_AntiPatterndotNet|Put content here]]
 
# [[CRV2_AntiPatterndotNet|Put content here]]
  
Line 403: Line 412:
  
 
===Reviewing code for CSRF Issues===
 
===Reviewing code for CSRF Issues===
#Author Palak Gohil,Anand Prakash, Abbas Naderi
+
#Author Abbas Naderi
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
 
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# [[CRV2_CSRFIssues|Put content here]]
+
# This page needs to be deleted. [[CRV2_CSRFIssues|Put content here]]
  
===Transactional logic / Non idempotent functions / State Changing Functions===
+
===(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions===
#Author Abbas Naderi
 
 
# [[CRV2_TransLogic|Put content here]]
 
# [[CRV2_TransLogic|Put content here]]
  
 
===Reviewing code for poor logic /Business logic/Complex authorization===
 
===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Sam Denard
+
#Author - Open
 
# [[CRV2_PoorLogic|Put content here]]
 
# [[CRV2_PoorLogic|Put content here]]
  
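Review bot: the CSRF item at "# This page needs to be deleted. [[CRV2_CSRFIssues|Put content here]]" and the heading "===(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions===" keep both sections, their #Author line and the [[CRV2_CSRFIssues|...]] and [[CRV2_TransLogic|...]] links in the table of contents as if they were still live entries. If the two tasks are withdrawn, remove the headings and the link lines rather than annotating them inline; otherwise a reader of the rendered ToC sees a deleted task listed alongside active ones, and the dangling CRV2 pages stay reachable from the guide.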
Line 425: Line 433:
  
 
====HTTP Headers====
 
====HTTP Headers====
#Author Gregory Disney, Abbas Naderi
+
#Author Gary Robinson
 
# [[CRV2_SecCommsHTTPHdrs|Put content here]]
 
# [[CRV2_SecCommsHTTPHdrs|Put content here]]
 
=====CSP=====
 
#Author Gregory Disney
 
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]
 
 
=====HSTS=====
 
#Author Abbas Naderi
 
# [[CRV2_SecCommsHTTPHSTS|Put content here]]
 
  
 
===Tech-Stack pitfalls===
 
===Tech-Stack pitfalls===
#Author Gregory Disney
+
#Author Open
 
# [[CRV2_TechStackPitfalls|Put content here]]
 
# [[CRV2_TechStackPitfalls|Put content here]]
  
Line 445: Line 445:
 
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]
  
====Structs====
+
====Struts====
 
#Author - Open
 
#Author - Open
# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]
+
# [[CRV2_FrameworkSpecIssuesStruts|Put content here]]
  
 
====Drupal====
 
====Drupal====
#Author Gregory Disney
+
#Author Open
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]
+
# [[CRV2_FrameworkSpecIssuesDrupal|Put content here]]
  
 
====Ruby on Rails====
 
====Ruby on Rails====
Line 458: Line 458:
  
 
====Django====
 
====Django====
#Author Gregory Disney
+
#Author Open
 
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]
  
 
====.NET Security / MVC====
 
====.NET Security / MVC====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel, Eoin Keary
 
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]
  
 
====Security in ASP.NET applications====
 
====Security in ASP.NET applications====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]
  
 
=====Strongly Named Assemblies=====
 
=====Strongly Named Assemblies=====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel, Larry Conklin
 
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]
  
Line 479: Line 479:
 
======How to prevent Round tripping======
 
======How to prevent Round tripping======
 
# Author - Open
 
# Author - Open
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]
  
 
=====Setting the right Configurations=====
 
=====Setting the right Configurations=====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]
  
 
=====Authentication Options=====
 
=====Authentication Options=====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]
  
 
=====Code Review for Managed Code - .Net 1.0 and up=====
 
=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]
  
 
=====Using OWASP Top 10 as your guideline=====
 
=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]
  
 
=====Code review for Unsafe Code (C#)=====
 
=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel, Renchie Joan
+
#Author Johanna Curiel
 
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]
  
 
====PHP Specific Issues====
 
====PHP Specific Issues====
#Author Mohammad Damavandi, Abbas Naderi
+
#Author Open
 
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]
  
Line 511: Line 511:
  
 
====C#====
 
====C#====
#Author Johanna Curiel, Renchie Joan
+
#Author Open
 
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]
  
 
====C/C++====
 
====C/C++====
#Author Gary Robinson
+
#Author Open
 
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]
  
Line 523: Line 523:
  
 
====Java====
 
====Java====
#Author Palak Gohil
+
#Author Open
 
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]
  
Line 533: Line 533:
 
#Author Open
 
#Author Open
 
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]
 
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]
 +
 +
====CodeIgniter====
 +
 +
# Author Open
 +
# [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]]
  
 
=Security code review for Agile development=
 
=Security code review for Agile development=
Line 538: Line 543:
 
# [[CRV2_CodeReviewAgile|Put content here]]
 
# [[CRV2_CodeReviewAgile|Put content here]]
  
=Willing to review drafts=
+
=Code Review for Backdoors=
#Terry Nerpester
+
#Author Yiannis Pavlosoglou
#Larry Conklin
+
The review of a piece of source code for backdoors has one excruciating difference to a traditional source code review: The fact that someone with 'commit' or 'write' access to the source code repository has malicious intentions spanning well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and can sometimes be considered not a code review per say.
#Gary Robinson
+
 
#Simon Whittaker
+
A traditional code review has the objective of determining if a vulnerability is present within the code, further to this if the vulnerability is exploitable and under what conditions. A code review for backdoors has the objective to determine if a certain portion of the codebase is carrying code that is unnecessary for the logic and implementation of the use cases it serves.
#Jason Johnson
+
 
#Carlos Pantelides
+
Further to this, the reviewer, looks for the trigger points of that logic. Typical examples include a branch statement going off to a part of assembly or obfuscated code. The reviewer is looking for patterns of abnormality in terms of code segments that would not be expected to be present under normal conditions.
 +
 
 +
An excellent introduction into how to look for rootkits in the Java programming language can be found [https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf  here]. In this paper J. Williams covers a variety of backdoor examples including file system access through a web server, as well as time based attacks involving a key aspect of malicious functionality been made available after a certain amount of time. Such examples form the foundation of what any reviewer for back doors should try to automate, regardless of the language in which the review is taking place.
 +
 +
=Code Review Tools=
 +
https://www.owasp.org/index.php/CRV2_CodeReviewTools
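Review bot: the "=Willing to review drafts=" volunteer list (Terry Nerpester, Larry Conklin, Gary Robinson, Simon Whittaker, Jason Johnson, Carlos Pantelides) is dropped rather than moved, and the three body paragraphs of the new "=Code Review for Backdoors=" section are placed directly in the table-of-contents page instead of behind a [[CRV2_...|Put content here]] link like every other section on this page. Suggest restoring the reviewer list under its own heading, moving the paragraphs to a CRV2 content page referenced from here, and while doing so fixing "per say" to "per se" and "been made available" to "being made available" in the inserted text.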

Latest revision as of 01:27, 8 January 2016

OWASP Code Review Guide v2.0:

Forward

  1. Author - Eoin Keary
  2. Previous version to be updated:[[1]]

Content here

Code Review Guide Introduction

  1. Author - Eoin Keary
  2. Previous version to be updated:[[2]]

Content here

What is source code review and Static Analysis

What is Code Review

  1. Author - Zyad Mghazli, Eoin Keary
  2. New Section

Content here

Manual Review - Pros and Cons

  1. Author - Zyad Mghazli, Eoin Keary, Gary David Robinson
  2. New Section
  3. Suggestion: Benchmark of different Static Analysis Tools - Zyad Mghazli
  4. Put content here

Advantages of Code Review to Development Practices

  1. Author - Gary David Robinson
  2. New Section
  3. Put content here

Why code review

Scope and Objective of secure code review

  1. Author - Ashish Rao
  2. Put content here

We can't hack ourselves secure

  1. Author - Eoin Keary
  2. New Section
  3. Put content here

360 Review: Coupling source code review and Testing / Hybrid Reviews

  1. Author - Eoin Keary
  2. New Section
  3. Put content here

Can static code analyzers do it all?

  1. Author - Ashish Rao
  2. New Section
  3. Put content here

Methodology

The code review approach

  1. Author - Johanna Curiel
  2. Put content here

Preparation and context

  1. Author - Gary David Robinson
  2. Previous version to be updated: https://www.owasp.org/index.php/Code_Review_Preparation
  3. Put content here

Application Threat Modeling

  1. Author - Larry Conklin
  2. Previous version to be updated: https://www.owasp.org/OCRG1.1:Application_Threat_Modeling
  3. Put content here

Understanding Code layout/Design/Architecture

  1. Author - Open
  2. Put content here

Understanding Business Logic

  1. Put content here

SDLC Integration

  1. Author - Larry Conklin
  2. Previous version to be updated: https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC
  3. Put content here

Deployment Models

Secure deployment configurations
  1. Author -
  2. Put content here
  3. New Section
Metrics and code review
  1. Author [email protected]
  2. Previous version to be updated: https://www.owasp.org/index.php/Code_Review_Metrics
  3. Put content here
Source and sink reviews
  1. Author - Open
  2. New Section
  3. Put content here
Code review Coverage
  1. Author - Open
  2. Previous version to be updated: [[7]]
  3. Put content here
Design Reviews
  1. Author - Ashish Rao
  • Why to review design?
    • Building security in design - secure by design principle
    • Design Areas to be reviewed
    • Common Design Flaws
  2. Put content here
A Risk based approach to code review
  1. Author - Gary David Robinson
  2. New Section
  • "Doing things right or doing the right things..."
    • "Not all bugs are equal
  3. Put content here

Crawling code

  1. Author - Open
  2. Previous version to be updated: https://www.owasp.org/index.php/Crawling_Code
  • API of Interest:
    • Java
    • .NET
    • PHP
    • RUBY
  • Frameworks:
    • Spring
    • .NET MVC
    • Struts
    • Zend
  3. New Section
  • Searching for code in C/C++
  4. Author - Gary David Robinson
  5. Put content here

Code reviews and Compliance

  1. Author - Open
  2. Previous version to be updated: https://www.owasp.org/index.php/Code_Reviews_and_Compliance
  3. Put content here

Reviewing by Technical Control

Reviewing code for Authentication controls

  1. Author - Gary Robinson
  2. Put content here

Forgot password

  1. Author Abbas Naderi, Larry Conklin
  2. Put content here

CAPTCHA

  1. Author Larry Conklin, Joan Renchie

Content here

Out of Band considerations

  1. Author - Gary Robinson
  2. Previous version to be updated: https://www.owasp.org/index.php/Codereview-Authentication
  3. Put content here

Reviewing code Authorization weakness

  1. Author Eoin Keary (.NET MVC added)
  2. Put content here

Checking authz upon every request

  1. Author - Abbas Naderi
  2. Put content here

Reducing the attack surface

  1. Author Gary Robinson
  2. Previous version to be updated: https://www.owasp.org/index.php/Codereview-Authorization
  3. Put content here

SSL/TLS Implementations

  1. Author - Eoin Keary
  2. Put content here

Reviewing code for Session handling

  1. Author - Abbas Naderi
  2. Previous version to be updated: https://www.owasp.org/index.php/Codereview-Session-Management
  3. Put content here

Reviewing client side code

  1. New Section
  2. Put content here
Javascript
  1. Author - Abbas Naderi
  2. Put content here
JSON
  1. Author - Open
  2. Put content here
Content Security Policy
  1. Author - Open
  2. Put content here
"Jacking"/Framing
  1. Author - Eoin Keary
  2. Put content here
HTML 5?
  1. Author - Open
  2. Put content here
Browser Defenses
  1. Author - Open
  2. Put content here
etc...

Review code for input validation

  1. Author - Open
  2. Put content here
Regex Gotchas
  1. Author - Open
  2. New Section
  3. Put content here
ESAPI
  1. Author - Open
  2. New Section
  3. Internal Link: https://www.owasp.org/index.php/Codereview-Input_Validation
  4. Put content here
Microsoft Web Protection Library
  1. Author - Michael Hidalgo
  2. New Section
  3. Internal Link: https://www.owasp.org/index.php/Codereview-Input_Validation
  4. Put content here

Reviewing code for contextual encoding

Overall approach to content encoding and anti XSS

HTML Attribute
  1. Author - Eoin Keary
  2. Put content here
HTML Entity
  1. Author - Eoin Keary
  2. Put content here
Javascript Parameters
  1. Author - Eoin Keary
  2. Put content here
JQuery
  1. Author - Open
  2. Put content here

Reviewing file and resource handling code

  1. Author - Open
  2. Put content here

Resource Exhaustion - error handling

  1. Author - Open
  2. Put content here
Native calls
  1. Author Open
  2. Put content here

Reviewing Logging code - Detective Security

  1. Author - Gary Robinson
  • Where to Log
  • What to log
  • What not to log
  • How to log
  2. Internal link: [[15]]
  3. Put content here

Reviewing Error handling and Error messages

  1. Author - Gary David Robinson
  2. Previous version to be updated: [[16]]
  3. Put content here

Reviewing Security alerts

  1. Author - Gary Robinson
  2. Put content here

Review for active defense

  1. Author - Colin Watson
  2. Put content here

Reviewing Secure Storage

  1. Author - Open source
  2. New Section
  3. Put content here

Hashing & Salting - When, How and Where

Encryption
.NET
  1. Author - Larry Conklin, Joan Renchie
  2. Previous version to be updated: [[17]]
  • Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao
  3. Content here

Reviewing by Vulnerability

Review Code for XSS

  1. Author - Examples added by Eoin Keary
  2. Previous version to be updated: [[18]]
  3. In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET w.r.t. different versions and mechanisms to display data in a page - Ashish Rao
  4. Put content here

Persistent - The Anti pattern

  1. Author
  2. Put content here

.NET

  1. Author Johanna Curiel, Eoin Keary
  2. Put content here

Java

  1. Author Johanna Curiel
  2. Put content here

PHP

  1. Author Abbas Naderi
  2. Put content here

Ruby

  1. Author Open
  2. Put content here

Reflected - The Anti pattern

  1. Put content here

.NET

  1. Author Johanna Curiel
  2. Put content here

Java

  1. Author Johanna Curiel
  2. Put content here

PHP

  1. Author Abbas Naderi
  2. Put content here

Ruby

  1. Author - Open
  2. Put content here

Stored - The Anti pattern

  1. Author - Johanna Curiel
  2. Put content here

.NET

  1. Author Johanna Curiel
  2. Put content here

Java

  1. Author Johanna Curiel
  2. Put content here

PHP

  1. Author Johanna Curiel
  2. Put content here

Ruby

  1. Author - Johanna Curiel
  2. Put content here

DOM XSS

  1. Author Larry Conklin
  2. Put content here

JQuery mistakes

  1. Author
  2. Put content here

Reviewing code for SQL Injection

  1. Author Gary Robinson
  2. Previous version to be updated: [[19]]
  3. Put content here

PHP

  1. Author - Mennouchi Islam Azeddine
  2. Put content here

Java

  1. Author - Johanna Curiel
  2. Put content here

.NET

  1. Author - Open
  2. Put content here

HQL

  1. Author - Open
  2. Put content here

The Anti pattern

  1. Author Larry Conklin
  2. Content here

https://www.owasp.org/index.php/CRV2_AntiPattern

PHP

  1. Author -
  2. Put content here

Java

  1. Author -
  2. Searching for traditional SQL, JPA, JPQL, Criteria, ...
  3. Put content here

.NET

  1. Author Open
  2. Put content here

Ruby

  1. Author - Open
  2. Put content here

Cold Fusion

  1. Author - Open
  2. Put content here

Reviewing code for CSRF Issues

  1. Author Abbas Naderi
  2. Previous version to be updated: [[20]]
  3. This page needs to be deleted. Put content here

(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions

  1. Put content here

Reviewing code for poor logic / Business logic / Complex authorization

  1. Author - Open
  2. Put content here

Reviewing Secure Communications

.NET Config

  1. Author Johanna Curiel, Renchie Joan
  2. Put content here

Spring Config

  1. Author - Open
  2. Put content here

HTTP Headers

  1. Author Gary Robinson
  2. Put content here

Tech-Stack pitfalls

  1. Author Open
  2. Put content here

Framework specific Issues

Spring

  1. Author - Open
  2. Put content here

Struts

  1. Author - Open
  2. Put content here

Drupal

  1. Author Open
  2. Put content here

Ruby on Rails

  1. Author - Open
  2. Put content here

Django

  1. Author Open
  2. Put content here

.NET Security / MVC

  1. Author Johanna Curiel, Eoin Keary
  2. Put content here

Security in ASP.NET applications

  1. Author Johanna Curiel
  2. Put content here
Strongly Named Assemblies
  1. Author Johanna Curiel, Larry Conklin
  2. Put content here
Round Tripping
  1. Author - Open
  2. Put content here
How to prevent Round tripping
  1. Author - Open
  2. Author Johanna Curiel
  3. Put content here
Setting the right Configurations
  1. Author Johanna Curiel
  2. Put content here
Authentication Options
  1. Author Johanna Curiel
  2. Put content here
Code Review for Managed Code - .Net 1.0 and up
  1. Author Johanna Curiel
  2. Put content here
Using OWASP Top 10 as your guideline
  1. Author Johanna Curiel
  2. Put content here
Code review for Unsafe Code (C#)
  1. Author Johanna Curiel
  2. Put content here

PHP Specific Issues

  1. Author Open
  2. Put content here

Classic ASP

  1. Author Johanna Curiel
  2. Put content here

C#

  1. Author Open
  2. Put content here

C/C++

  1. Author Open
  2. Put content here

Objective C

  1. Author Open
  2. Put content here

Java

  1. Author Open
  2. Put content here

Android

  1. Author Open
  2. Put content here

Coldfusion

  1. Author Open
  2. Put content here

CodeIgniter

  1. Author Open
  2. Put content here

Security code review for Agile development

  1. Author Carlos Pantelides
  2. Put content here

Code Review for Backdoors

  1. Author Yiannis Pavlosoglou

The review of a piece of source code for backdoors has one crucial difference from a traditional source code review: someone with 'commit' or 'write' access to the source code repository has malicious intentions spanning well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and is sometimes not considered a code review per se.

A traditional code review has the objective of determining whether a vulnerability is present within the code and, further to this, whether the vulnerability is exploitable and under what conditions. A code review for backdoors has the objective of determining whether a certain portion of the codebase carries code that is unnecessary for the logic and implementation of the use cases it serves.

Further to this, the reviewer looks for the trigger points of that logic. Typical examples include a branch statement going off to a section of assembly or obfuscated code. The reviewer is looking for patterns of abnormality: code segments that would not be expected to be present under normal conditions.

An excellent introduction to how to look for rootkits in the Java programming language can be found here. In this paper J. Williams covers a variety of backdoor examples, including file system access through a web server, as well as time-based attacks in which a key aspect of malicious functionality is made available only after a certain amount of time. Such examples form the foundation of what any reviewer for backdoors should try to automate, regardless of the language in which the review is taking place.
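As an added example (not part of the original page or the Williams paper), the following Python scanner automates the kind of trigger-point search described above: it flags date-gated branches, file-system access driven directly by request input, native command execution and opaque encoded literals in a Java source file. The pattern names, thresholds and the servlet fragment it scans are constructed for this example; each hit is a lead for the reviewer to examine against the use cases the code is supposed to serve, not a verdict.

```python
import re

# Heuristic triggers drawn from the text above: time-based activation,
# file-system access driven directly by web input, native command execution
# and opaque encoded blobs. Pattern names and thresholds are this example's
# own assumptions, not a published rule set; a hit is a lead for the
# reviewer, not a verdict.
TRIGGER_PATTERNS = {
    "time-trigger": re.compile(r"System\.currentTimeMillis\(\)\s*[<>]=?\s*\d{10,}"),
    "request-driven-file": re.compile(r"new\s+File\s*\(.*getParameter"),
    "native-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\(|new\s+ProcessBuilder"),
    "opaque-literal": re.compile(r'"[A-Za-z0-9+/=]{40,}"'),
}


def scan_source(src: str):
    """Return (line_number, pattern_name, stripped_line) for every line that
    matches one of the trigger heuristics, in source order."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, rx in TRIGGER_PATTERNS.items():
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


# Constructed Java servlet fragment for the demo (not from any real project):
# an ordinary report lookup with a dormant, date-gated file read and an
# opaque literal spliced in, as the text describes.
SAMPLE_JAVA = """\
public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        Report r = store.find(req.getParameter("id"));          // expected logic
        if (System.currentTimeMillis() > 1767225600000L) {      // date-gated branch
            File f = new File(req.getParameter("p"));            // request-driven read
            resp.getWriter().write(Files.readString(f.toPath()));
        }
        String blob = "UExBQ0VIT0xERVJQTEFDRUhPTERFUlBMQUNFSE9MREVS"; // opaque literal
        resp.getWriter().write(r.render());
    }
}
"""

if __name__ == "__main__":
    for lineno, name, text in scan_source(SAMPLE_JAVA):
        print(f"line {lineno:2d} [{name}] {text}")
```

Run against the constructed sample it reports lines 5, 6 and 9; the expected lookup on line 4 and the normal render on line 10 produce no hits.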

Code Review Tools

https://www.owasp.org/index.php/CRV2_CodeReviewTools