Code Review Methodology

  1. Planning
  2. Reviewing Code
  3. Reviewing the process

Planning Stage

  • List the application's use cases.
  • List the technologies used (language, framework, web server, database, third-party libraries).
  • List the features that look interesting from an attacker's point of view.
  • List possible attack vectors.
  • List the features you intend to test.
  • Work out how the login page works, step by step.
  • Identify which functions are involved in file upload.
  • Understand where uploaded files are stored, and whether that location is reachable from the web.

Reviewing Code

  1. Use key words from the application (labels, route names, error messages) to identify the files that are likely to be relevant.
  2. If the feature is a form, the parameter names sent when the form is submitted are a good starting point.
  3. Words in the request path or parameters often correspond to function or method names in the code.
  4. Go through the structure of the application. Most frameworks lay code out predictably, so it may be quite easy to navigate.
  5. Follow the flow of the code from the point where the request enters the view down to where the data is used, or the other way round, from a dangerous sink back up to the input.
  • Google everything! Reading the documentation for the framework and libraries in use makes it much easier to understand what is happening.
  • Run the application in debug mode (in a local or test copy, never in production) so you can see how variables change at run time. Log files, debug output and alert boxes are all useful for this.
  • If you're really stuck, extract the code in question and build a small test program around it to understand what it does.
  • If the goal of the current pass is only a general understanding of the code flow, there is no need to go fully in depth. Mapping out which functions are called where, and how they interact, is enough.
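As an added example (not code from the original post), here is a small Python triage script that implements steps 1 to 5 above: it pulls path segments and parameter names out of a captured request, ranks source files by how many of those words they contain, and lists function definitions whose names contain one of them. The request, the three-file source tree and the `NOISE` set are constructed inline so the script runs offline; a real run would read the tree from a checkout with `os.walk()`.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: a request captured while exercising the upload feature.
SAMPLE_REQUEST = (
    "POST /account/upload?mode=avatar HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "file_name=me.png&owner_id=42&csrf_token=deadbeef"
)

# Constructed sample source tree (path -> contents). In practice, walk the checkout
# with os.walk() and read each file into this shape.
SAMPLE_TREE = {
    "app/views/account.py": (
        "from app.services.upload import store_upload\n"
        "\n"
        "def upload(request):\n"
        "    return store_upload(request.POST['file_name'],\n"
        "                        request.FILES['file_name'],\n"
        "                        request.POST['owner_id'])\n"
    ),
    "app/services/upload.py": (
        "import os\n"
        "UPLOAD_ROOT = '/srv/uploads'\n"
        "\n"
        "def store_upload(file_name, data, owner_id):\n"
        "    path = os.path.join(UPLOAD_ROOT, str(owner_id), file_name)\n"
        "    with open(path, 'wb') as fh:\n"
        "        fh.write(data)\n"
        "    return path\n"
    ),
    "app/utils/text.py": "def slugify(value):\n    return value.lower()\n",
}

# Parameter names that show up in almost every request and carry no signal (assumed list).
NOISE = {"csrf_token"}


def extract_keywords(raw_request):
    """Steps 1-3: collect path segments and parameter names from a raw HTTP request."""
    request_line, _, rest = raw_request.partition("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    _headers, _, body = rest.partition("\r\n\r\n")
    parts = urlsplit(target)
    words = {seg for seg in parts.path.split("/") if seg}
    words |= {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    words |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return sorted(w for w in words if w.lower() not in NOISE)


def rank_files(keywords, tree):
    """Step 4: order files by how many distinct keywords they contain as whole words.

    The file path is searched too, since frameworks often name modules after routes.
    """
    ranked = []
    for path, source in tree.items():
        haystack = path + "\n" + source
        hits = [kw for kw in keywords if re.search(rf"\b{re.escape(kw)}\b", haystack)]
        if hits:
            ranked.append((path, hits))
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


def find_handlers(keywords, tree):
    """Step 5: find function definitions whose name contains a keyword.

    The pattern matches Python `def`; swap it for `function name(`, `public ... name(`
    and so on when the target is written in another language.
    """
    found = {}
    for path, source in tree.items():
        for match in re.finditer(r"^\s*def\s+(\w+)\s*\(", source, re.MULTILINE):
            name = match.group(1)
            for kw in keywords:
                if kw in name:
                    found.setdefault(kw, []).append(f"{path}:{name}")
    return found


if __name__ == "__main__":
    keywords = extract_keywords(SAMPLE_REQUEST)
    print("keywords:", ", ".join(keywords))
    for path, hits in rank_files(keywords, SAMPLE_TREE):
        print(f"{len(hits)} hit(s)  {path}  <- {', '.join(hits)}")
    for kw, defs in find_handlers(keywords, SAMPLE_TREE).items():
        print(f"functions matching '{kw}': {', '.join(defs)}")
```

On the constructed input the view file ranks first because it mentions four of the five keywords, the service module second, and the unrelated helper does not appear at all; the handler search then points straight at `upload()` and `store_upload()`, which is where the review of the upload feature should start.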

Reviewing the process

  • Record the structure of the files and functions you have learned so far.
  • Note interesting functions that may be useful later.
  • Note possible attack vectors that may be used.
  • The first cycles may not find much, because you still need to grow your knowledge of the application. After a pass or two you will be able to craft slightly more complex attack vectors.
  • Taking regular breaks helps a lot.
  • Learn how the developer writes their code. For example, if a developer really enjoys using blacklists, every blacklist-based check is a candidate for a bypass, and that may really help craft an attack vector.
  • Not every cycle will give you a vulnerability. However, the knowledge gained is just as important.
  • Update your notes as frequently as possible.

Thank you for reading, let me know if you have any ideas you can add to this.
