# Code review

> **Skill Level**: Intermediate to Advanced\
> **Prerequisites**: Programming knowledge, security concepts

{% embed url="<https://www.cobalt.io/blog/a-pentesters-guide-to-source-code-review>" %}

## Methodology

### Phase 1: Reconnaissance

```bash
# Understand the application
1. What language/framework is used?
2. What's the application's purpose?
3. How does authentication work?
4. What data does it process?
5. What external services does it connect to?

# Get codebase statistics
cloc . --exclude-dir=node_modules,vendor,venv
tokei .

# Find entry points
grep -rn "app.get\|app.post\|@RequestMapping\|@GetMapping\|Route\|def index" .
```

### Phase 2: High-Value Targets

```bash
# Priority areas to review:
1. Authentication & Authorization
2. Input validation & sanitization
3. Database queries
4. File operations
5. Cryptographic implementations
6. Session management
7. API endpoints
8. Configuration files
9. Third-party integrations
10. Error handling & logging
```

### Phase 3: Vulnerability Patterns

```bash
# These patterns are deliberately coarse: "eval" also hits evaluate(), "raw" hits draw(), and so on.
# Review every hit in context, and keep vendored code out of the results.
EXCL='--exclude-dir=node_modules --exclude-dir=vendor --exclude-dir=venv'

# SQL Injection patterns (look for query text assembled by concatenation or formatting)
grep -rn $EXCL "execute\|query\|cursor\|raw\|sprintf.*SELECT\|%s.*SELECT" . --include="*.py" --include="*.php" --include="*.java"

# Command Injection
grep -rn $EXCL "exec\|system\|popen\|subprocess\|shell_exec\|passthru\|eval" . --include="*.py" --include="*.php" --include="*.rb"

# Path Traversal
grep -rn $EXCL "open(\|file_get_contents\|readfile\|include\|require\|fopen" . --include="*.py" --include="*.php"

# XSS patterns (sinks that write raw HTML into the DOM)
grep -rn $EXCL "innerHTML\|document.write\|v-html\|dangerouslySetInnerHTML\|\$sce.trustAsHtml" . --include="*.js" --include="*.jsx" --include="*.vue"

# Hardcoded secrets (also matches env lookups such as password = os.environ[...]; check the right-hand side is a literal)
grep -rni $EXCL "password\s*=\|secret\s*=\|api_key\s*=\|token\s*=" . --include="*.py" --include="*.js" --include="*.java"

# Deserialization (yaml.load is only unsafe without a safe Loader; JSON.parse itself is safe and is listed to find where untrusted data enters)
grep -rn $EXCL "pickle.loads\|yaml.load\|unserialize\|readObject\|JSON.parse" .
```
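The grep patterns above over-match (`eval` hits `evaluate()`, every `.execute()` hits regardless of whether the query is parameterised). The following is an added example, not code from the page or from any tool it lists: a small AST pass over Python source that applies the same sink list but reports only calls whose risky argument is not a literal, treats `shell=True` as the gate for the `subprocess` family, and flags `cursor.execute()` only when the query text is built by string formatting. The sink table, the safe-loader set and the sample module `SAMPLE` are constructed for the demo.

```python
"""Added example: AST-based sink check with fewer false positives than grep.
Not part of the page or of bandit/semgrep; sink table and sample are constructed."""
from __future__ import annotations
import ast
from dataclasses import dataclass

# callee -> (index of the argument that must not carry user input,
#            keyword that has to be literally True for the call to be risky)
SINKS = {
    "os.system": (0, None), "os.popen": (0, None),
    "subprocess.run": (0, "shell"), "subprocess.call": (0, "shell"), "subprocess.Popen": (0, "shell"),
    "eval": (0, None), "exec": (0, None),
    "pickle.loads": (0, None), "yaml.load": (0, None),
}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}  # yaml.load with one of these is fine


@dataclass
class Finding:
    line: int
    callee: str
    reason: str


def _qualname(node: ast.AST) -> str | None:
    """Render bare names and `a.b.c` attribute chains; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_constant(node: ast.AST) -> bool:
    """A literal, or a list/tuple made only of literals (a fixed argv)."""
    if isinstance(node, ast.Constant):
        return True
    return isinstance(node, (ast.List, ast.Tuple)) and all(_is_constant(e) for e in node.elts)


def _builds_string(node: ast.AST) -> bool:
    """f-string, `%`/`+` formatting or str.format(): query text assembled at runtime."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"


def _keyword(call: ast.Call, name: str) -> ast.AST | None:
    return next((k.value for k in call.keywords if k.arg == name), None)


def find_sinks(source: str) -> list[Finding]:
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or (name := _qualname(node.func)) is None:
            continue
        # DB-API cursor.execute(): a literal query with a parameter tuple is fine;
        # a query built from input is the SQL injection pattern.
        if name.endswith((".execute", ".executescript")) and node.args:
            if _builds_string(node.args[0]):
                findings.append(Finding(node.lineno, name, "query text built by string formatting"))
            continue
        if name not in SINKS:
            continue  # e.g. evaluate(): a grep for "eval" would hit this
        arg_index, gate = SINKS[name]
        if gate is not None:
            flag = _keyword(node, gate)
            if not (isinstance(flag, ast.Constant) and flag.value is True):
                continue  # list argv without shell=True: no shell to inject into
        if name == "yaml.load":
            loader = _keyword(node, "Loader") or (node.args[1] if len(node.args) > 1 else None)
            if loader is not None and (_qualname(loader) or "").rsplit(".", 1)[-1] in SAFE_LOADERS:
                continue
        if len(node.args) > arg_index and _is_constant(node.args[arg_index]):
            continue  # a literal argument cannot carry user input
        findings.append(Finding(node.lineno, name, "non-constant argument reaches sink"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module for the demo (not real project code).
SAMPLE = '''\
import os, subprocess, pickle, yaml

def handler(user_cmd, path, blob, data, cur, uid):
    subprocess.run(["ls", "-l"])                              # fixed argv, no shell: clean
    subprocess.run("ls -l /tmp", shell=True)                  # literal command: clean
    subprocess.run(f"ls {path}", shell=True)                  # reported
    os.system(user_cmd)                                       # reported
    eval("1 + 1")                                             # literal: clean
    pickle.loads(blob)                                        # reported
    yaml.load(data, Loader=yaml.SafeLoader)                   # safe loader: clean
    yaml.load(data)                                           # reported
    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))  # parameterised: clean
    cur.execute("SELECT * FROM users WHERE id = %s" % uid)    # reported
    evaluate(user_cmd)                                        # grep false positive: clean
'''

if __name__ == "__main__":
    for f in find_sinks(SAMPLE):
        print(f"line {f.line}: {f.callee} - {f.reason}")
```

Running it on `SAMPLE` reports lines 6, 7, 9, 11 and 13 and stays silent on the parameterised query, the fixed argv and `evaluate()`. The check is intentionally local: a variable that is assigned a literal and then passed to `os.system` is still reported, and a list argv that embeds user input is not, since that is argument injection rather than shell injection. Use it to rank the grep hits, not to replace reading them.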

## SAST Tools

### Multi-Language Scanners

```bash
# Semgrep (recommended - fast, customizable)
# https://github.com/returntocorp/semgrep
semgrep --config=auto .
semgrep --config=p/security-audit .
semgrep --config=p/owasp-top-ten .
semgrep --config=p/security-audit --json --output=semgrep.json .   # machine-readable report for CI gating

# Custom rules
semgrep --config=my-rules.yaml .

# Snyk Code
# https://snyk.io/product/snyk-code/
snyk code test

# SonarQube (comprehensive)
# https://www.sonarqube.org/downloads/
docker run -d --name sonarqube -p 9000:9000 sonarqube:community
# point the scanner at the server and authenticate (-Dsonar.token on 10.x, -Dsonar.login on older versions)
sonar-scanner -Dsonar.projectKey=myproject -Dsonar.sources=. -Dsonar.host.url=http://localhost:9000

# CodeQL (GitHub's SAST)
# https://github.com/github/codeql
codeql database create mydb --language=javascript
codeql database analyze mydb codeql/javascript-queries:codeql-suites/javascript-security-extended.qls --format=csv --output=results.csv
# use --format=sarif-latest --output=results.sarif when the results are uploaded to GitHub code scanning
```
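Every scanner above emits a machine-readable report, and in CI the useful step is the one that turns that report into a pass/fail decision without re-flagging accepted findings on every run. The following is an added example, not code from the page or from Semgrep: a triage routine over a `semgrep --json` report that deduplicates findings two rulesets reported at the same place, drops findings recorded in a baseline of accepted risks, and returns per-severity counts plus the exit status for the pipeline. `SAMPLE_REPORT` is a constructed document in the shape of Semgrep's JSON output (`results[]` with `check_id`, `path`, `start.line`, `extra.severity`, `extra.message`) using made-up rule ids; check the field names against the Semgrep version you run.

```python
"""Added example: CI gate over a Semgrep JSON report. Not from the page or Semgrep;
the report below is constructed with made-up rule ids."""
from __future__ import annotations
import json
from collections import Counter

SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "demo.subprocess-shell-true", "path": "app/jobs.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "shell=True with non-literal command"}},
        {"check_id": "demo.subprocess-shell-true", "path": "app/jobs.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "shell=True with non-literal command"}},  # duplicate
        {"check_id": "demo.raw-sql", "path": "app/reports.py", "start": {"line": 17},
         "extra": {"severity": "WARNING", "message": "raw SQL query"}},
        {"check_id": "demo.weak-hash", "path": "tests/fixtures.py", "start": {"line": 5},
         "extra": {"severity": "INFO", "message": "md5 used"}},
    ],
    "errors": [],
})


def fingerprint(result: dict) -> str:
    """Identity of a finding: rule, file and first line. This drifts when code
    above the finding moves; prefer a content-based key for a long-lived baseline."""
    return f"{result['check_id']}:{result['path']}:{result['start']['line']}"


def triage(report_json: str, baseline: frozenset[str] = frozenset(),
           fail_on: tuple[str, ...] = ("ERROR",)) -> tuple[dict[str, int], list[dict], int]:
    """Return (severity counts, new findings, exit code) for one report."""
    report = json.loads(report_json)
    seen: set[str] = set()
    new: list[dict] = []
    for result in report.get("results", []):
        fp = fingerprint(result)
        if fp in seen or fp in baseline:
            continue  # duplicate, or an accepted risk already reviewed
        seen.add(fp)
        new.append({"fingerprint": fp, "severity": result["extra"]["severity"],
                    "message": result["extra"]["message"]})
    counts = Counter(finding["severity"] for finding in new)
    # Scan-time errors (files the parser gave up on) are coverage gaps: surface them.
    counts["SCAN_ERRORS"] = len(report.get("errors", []))
    exit_code = 1 if any(counts[sev] for sev in fail_on) else 0
    return dict(counts), new, exit_code


if __name__ == "__main__":
    counts, findings, code = triage(SAMPLE_REPORT)
    for f in findings:
        print(f"{f['severity']:8} {f['fingerprint']}  {f['message']}")
    print(counts, "exit", code)
```

The baseline is a set of fingerprints committed alongside the code with a reason for each; a finding is added to it by a reviewer, never by the pipeline. If the Semgrep version in use emits its own content-based `extra.fingerprint`, key the baseline on that instead of the line number so the entries survive unrelated edits to the file.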

### Secret Detection

```bash
# Gitleaks
# https://github.com/gitleaks/gitleaks
gitleaks detect -v
gitleaks detect --source=. --report-path=leaks.json

# TruffleHog
# https://github.com/trufflesecurity/trufflehog
trufflehog filesystem . --only-verified
trufflehog git https://github.com/org/repo --only-verified

# detect-secrets
# https://github.com/Yelp/detect-secrets
detect-secrets scan . --all-files > .secrets.baseline
detect-secrets audit .secrets.baseline
```
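The tools above combine two signals: a keyword next to an assignment, and a value that looks random. The plain grep for `password\s*=` on this page has neither refinement, so it reports `password = os.environ[...]` alongside real credentials. The following is an added example, not code from the page or from gitleaks, TruffleHog or detect-secrets: a scanner that only reports keyword assignments whose right-hand side is a quoted literal (skipping obvious placeholders and `${...}` templates), and separately reports any long quoted blob whose Shannon entropy exceeds a threshold. The keyword list, threshold, placeholder set and the sample text are constructed for the demo.

```python
"""Added example: keyword + entropy secret scanner. Not from the page or any
tool it lists; regexes, thresholds and SAMPLE are constructed for the demo."""
from __future__ import annotations
import math
import re
from dataclasses import dataclass

# Keyword on the left, quoted literal on the right. Only a literal can be a
# hardcoded secret; an env lookup or a function call is not.
ASSIGN_RE = re.compile(
    r"""(?i)(?P<key>\w*(?:password|passwd|secret|api_?key|token|private_?key)\w*)\s*[:=]\s*['"](?P<value>[^'"]+)['"]"""
)
# Any quoted hex/base64-looking blob of 20+ characters, regardless of the variable name.
BLOB_RE = re.compile(r"""['"](?P<value>[A-Za-z0-9+/=_\-]{20,})['"]""")
PLACEHOLDERS = {"changeme", "password", "secret", "xxx", "todo", "example", "dummy"}
MIN_LEN = 6  # tuning knob: shorter literals are almost always config noise


@dataclass
class Secret:
    line: int
    kind: str      # "keyword" or "high-entropy"
    value: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 ~5.5, hex ~3.8, English ~4, 'aaaa' is 0."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 3.5) -> list[Secret]:
    found: list[Secret] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m:
            value = m.group("value")
            if value.lower() in PLACEHOLDERS or value.startswith("${") or len(value) < MIN_LEN:
                continue  # placeholder, templated or trivially short: not a credential
            found.append(Secret(lineno, "keyword", value, round(shannon_entropy(value), 2)))
            continue
        for b in BLOB_RE.finditer(line):
            value = b.group("value")
            ent = shannon_entropy(value)
            if ent >= entropy_threshold:
                found.append(Secret(lineno, "high-entropy", value, round(ent, 2)))
    return found


# Constructed sample (not real credentials); the hex blob is sha256("test").
SAMPLE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]     # env lookup: the grep hits this, we do not
password = getpass.getpass()                # call, not a literal
API_KEY = "changeme"                        # placeholder: suppressed
token = "${VAULT_TOKEN}"                    # templated: suppressed
db_password = "hunter2-prod"                # keyword hit, low entropy
AWS_REGION = "eu-west-1"                    # short: ignored
secret_key = "x7Qp9vT2mLkR4sW8nZ1cH6bJ0yE3uA5dK2f"  # keyword hit, high entropy
digest = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"  # high-entropy hex
label = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"    # long but zero entropy: ignored
"""

if __name__ == "__main__":
    for s in scan(SAMPLE):
        print(f"line {s.line}: {s.kind} (H={s.entropy}) {s.value}")
```

The `digest` line is the classic entropy false positive: a hash, a UUID or a base64 blob of public data scores as high as a key. That is why the verified modes above (`trufflehog --only-verified`) and the `detect-secrets audit` step exist: entropy finds candidates, a human or a live check decides.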

## General

```bash
# Guidelines
https://rules.sonarsource.com/

# Resource
https://vladtoie.gitbook.io/secure-coding/

# Tools
https://www.sonarqube.org/downloads/
https://deepsource.io/signup/
https://github.com/pyupio/safety
https://github.com/returntocorp/semgrep
https://github.com/WhaleShark-Team/cobra
https://github.com/mhaskar/Bughound

# Find interesting strings
https://github.com/s0md3v/hardcodes
https://github.com/micha3lb3n/SourceWolf
https://libraries.io/pypi/detect-secrets

# Tips
1. Important functions first
2. Follow user input
3. Hardcoded secrets and credentials
4. Use of dangerous functions and outdated dependencies
5. Developer comments, hidden debug functionalities, configuration files, and the .git directory
6. Hidden paths, deprecated endpoints, and endpoints in development
7. Weak cryptography or hashing algorithms
8. Missing security checks on user input and regex strength
9. Missing cookie flags
10. Unexpected behavior, conditionals, unnecessarily complex and verbose functions
```

## JavaScript

```
https://jshint.com/
https://github.com/jshint/jshint/
```

## NodeJS

```
https://github.com/ajinabraham/nodejsscan
```

## Electron

```
https://github.com/doyensec/electronegativity
https://github.com/doyensec/awesome-electronjs-hacking
```

## Python

```
# bandit
https://github.com/PyCQA/bandit
# pyt
https://github.com/python-security/pyt
# atheris
https://github.com/google/atheris
# aura
https://github.com/SourceCode-AI/aura
```

## .NET

```
# dnSpy
https://github.com/0xd4d/dnSpy

# .NET compilation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs

# Cheatsheet
https://www.c-sharpcorner.com/UploadFile/ajyadav123/net-penetration-testing-cheat-sheet/
```

## PHP

```
# phpvuln
https://github.com/ecriminal/phpvuln
```

## C/C++

```
# flawfinder
https://github.com/david-a-wheeler/flawfinder
```

## Kotlin

```
https://github.com/detekt/detekt
```

## Java

```
# JD-Gui
https://github.com/java-decompiler/jd-gui

# Java compilation step-by-step
javac -source 1.8 -target 1.8 test.java
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
```

| Task            | Command                                                   |
| --------------- | --------------------------------------------------------- |
| Execute Jar     | java -jar \[jar]                                          |
| Unzip Jar       | unzip -d \[output directory] \[jar]                       |
| Create Jar      | jar -cmf META-INF/MANIFEST.MF \[output jar] \*            |
| Base64 SHA256   | sha256sum \[file] \| cut -d' ' -f1 \| xxd -r -p \| base64 |
| Remove Signing  | rm META-INF/\*.SF META-INF/\*.RSA META-INF/\*.DSA         |
| Delete from Jar | zip -d \[jar] \[file to remove]                           |
| Decompile class | procyon -o . \[path to class]                             |
| Decompile Jar   | procyon -jar \[jar] -o \[output directory]                |
| Compile class   | javac \[path to .java file]                               |
