Mastering Web Application Source Code Review Workshop
Every single application we use has at least a few vulnerabilities. Some of them are so complex that it’s practically impossible to discover them with a closed-box approach. Having the source code allows us to find bugs that we would miss otherwise. However, for that to be true, you must know how to analyse it effectively. In this workshop, we’ll go through the process of analysing the source code of a web application. We’ll start by catching the low-hanging fruit with automated analysis using tools like semgrep and CodeQL. However, automated tools aren’t enough. Thus, we’ll then go through the process of manual analysis – the setup, the tools, the approach. You will learn what a source and a sink are, whether you should rather go sources-to-sinks or sinks-to-sources, and how to debug the code. And don’t worry if you don’t know the terms from the previous sentence yet. However, you should have prior experience with testing web applications and at least a minimum of experience with coding.
This is the plan of the workshop:
- Automated analysis with semgrep
- Automated analysis with CodeQL
- Tools to use for manual analysis – In the workshop we’ll only use VS Code and we’ll focus on the languages it’s best for – Golang, Node.js, Python, Ruby. I’m going to tell the audience that for languages like Java or .NET I would use IDEs from JetBrains, but I don’t want everyone to install a million tools, so during the workshop we’ll only use VS Code. It’s the most flexible and my personal favourite as well.
- Starting manual testing – going through the web application manually. Here, I’m going to introduce a real-world application. I’ll go through the installation steps and what I do when I first install the app. I haven’t chosen one yet, but I’ll probably prioritize the ease of installation. Ideally, every participant would have a local instance, but it would be naive to assume that will happen. Thus, I’m also going to deploy my own instance with a public IP and make it available to participants.
- Getting a feel for the source code – what to do after first opening thousands of lines of code.
- What sources and sinks are, and a comparison of the sources-to-sinks and sinks-to-sources approaches.
- Finding a few bugs
- *Debugging – this one is starred because, as I’ve written in point 4, not everyone will have a working setup, so this part will be more presentational, so that participants don’t have to sit and do nothing or get frustrated.
About the Speaker
Grzegorz Niedziela is an ethical hacker who left his job as a pentester to pursue the bug bounty hunter lifestyle. He is focused on hacking web applications and has made a name for himself on leaderboards such as Google, Facebook, GitLab, GitHub Security Lab, Epic Games, Opera, and more. He specializes in security code review of open-source projects and has numerous CVEs to his name. He runs one of the largest YouTube channels about bug bounty called “Bug Bounty Reports Explained”, a podcast as well as other social media platforms. When he’s not at his computer, he leads an active lifestyle, spending a lot of time doing sports, acro-yoga, climbing, or training Brazilian jiu-jitsu.