Approaches to code reviews

1. What is a Code Audit?

A code audit, also known as a source code security review in the field of white-box testing, refers to the process of examining an application’s source code to identify bugs and security vulnerabilities.

1.1 Core Definition

Code auditing is a technical task that requires a diverse set of skills. It demands not only a solid foundation in programming languages (such as PHP and Java) but also a deep understanding of vulnerability mechanisms, as well as familiarity with operating system and middleware characteristics. Unlike black-box testing (functional testing), code auditing involves an open-source approach to identifying bugs at the code level, and software is only permitted to go live once all high-risk vulnerabilities have been eliminated.

1.2 Why Code Audits Are Necessary

Code audits are an indispensable component of enterprise security operations and the Software Development Lifecycle (SDL):

• Core SDL Phase: Most security issues are resolved during the design, coding, and testing phases. Code audits fall under white-box testing within the testing phase and can effectively identify logical flaws and deep-seated code defects that black-box scanners cannot detect.
• Support for Penetration Testing: For penetration testers, mastering code auditing means that, upon obtaining a source code backup package, they can identify database passwords and API keys within configuration files through auditing, or uncover high-risk vulnerabilities (such as secondary injection or unauthorized access via logic) that scanners cannot detect by analyzing code logic.
• The Cornerstone of Secure Programming: Identifying and rectifying vulnerabilities through auditing encourages developers to write more secure code, thereby helping to establish an application security framework.

1.3 Competency Requirements for Auditing

To conduct effective code auditing, one cannot rely solely on automated tools; the following competencies are essential:

• Programming Language Proficiency: The ability to comprehend code logic and, even when encountering unfamiliar functions, understand their functionality by consulting documentation.
• Understanding of Vulnerability Mechanisms: A thorough understanding of the mechanisms underlying common vulnerabilities such as SQL injection, XSS, file operations, and command execution.
• Awareness of Environmental Differences: An understanding of how variations in different systems (Windows/Linux), middleware (Apache/Nginx/IIS), and language versions (e.g., configuration differences between PHP 5.2 and 5.4) affect vulnerability exploitation.

2. Approach to Understanding the Target System

Before formally identifying vulnerabilities, auditors must first gain a comprehensive understanding of the target system’s architecture, business logic, and operating environment. Blindly searching for keywords is often inefficient; the correct approach is to first gain a "macro-level understanding" before proceeding to "micro-level exploration."

2.1 Environment Setup and Configuration Analysis

Vulnerability exploitation often relies on specific environmental configurations. Prior to the audit, a test environment identical to the target system (e.g., WAMP/LNMP) should be set up, with particular attention paid to the following core configurations (using PHP as an example):

• PHP Core Configurations: Such as register_globals (global variable registration), allow_url_include (remote file inclusion), magic_quotes_gpc (magic quote filtering), and open_basedir (directory access restrictions). These settings directly determine whether many vulnerabilities exist or can be exploited.
• Middleware Version: Different versions of web servers may have specific parsing vulnerabilities or configuration differences.

2.2 File Structure Analysis

By examining the program’s file directory structure, one can quickly identify the system’s functional modules and core files. Pay particular attention to the following types of files:

• Entry File (Index): Such as index.php, which is typically the program’s entry point; reading it provides insight into the program’s architecture, execution flow, and the core files it includes.
• Configuration Files (Config): File names often include the keyword config. These files contain database connection details and global variable settings. Note that if parameter values in configuration files are enclosed in double quotes, there may be a risk of code execution due to variable parsing.
• Function Library Files (Functions/Common): File names often include functions or common. These files contain common functions, most of which are included in the header of other files; they are key to understanding the business logic.
• Security Filter Files (Filter/Safe): File names often include filter, safe, or check. These files are responsible for filtering all input parameters (such as SQL injection filtering and XSS filtering) and are areas that require particular focus or verification during an audit.

2.3 Analyzing Business Logic

For complex systems, reading through the entire codebase is the best way to understand the business logic.

• Trace the entry point files: Start from the entry point files and trace the files included via include or require to clarify the code execution flow.
• Identify core modules: Pay attention to folders whose names contain api, admin, manage, or include; these typically contain core business logic.
• Understand Data Flow: Observe how data enters from user input sources (GET/POST/COOKIE), which filtering functions it passes through, and how it is ultimately utilized (e.g., concatenated into SQL statements, output to a page, or written to a file).

3. Approaches to Code Auditing

Having understood the basic architecture of the target system, you can adopt the following three main auditing approaches to identify vulnerabilities. Each of these approaches has its own advantages and disadvantages; they are usually most effective when used in combination.

3.1 Tracing Parameters of Sensitive Functions (Reverse Tracing)

This is currently the most widely used and highly efficient method. Most vulnerabilities are caused by the improper use of high-risk functions.

• Method: Search for keywords of sensitive functions within the code, then trace the variable passing process to determine whether variables are controllable and have not undergone strict filtering.

Common sensitive functions (PHP):

Vulnerability Type	Sensitive Functions
SQL Injection	select, insert, update, delete, mysql_query
Code/Command Execution	eval, assert, system, exec, shell_exec, preg_replace (with the /e modifier)
File Operations	include, require, file_get_contents, unlink, move_uploaded_file
XSS Output	echo, print, printf

• Advantages: Targeted exploration, efficient, suitable for quickly identifying common vulnerabilities.
• Disadvantages: Lack of in-depth understanding of the program’s overall architecture; logical vulnerabilities may be overlooked.

3.2 Reading the Full Source Code (Forward Tracing)

This approach is suitable for security operations within an organization or when auditing open-source frameworks.

• Method: Read the code from start to finish following the file execution flow, or read through all the code for specific functional modules.
• Applicable Scenarios: Identifying logical vulnerabilities (such as payment vulnerabilities, unauthorized access vulnerabilities, and race conditions), secondary vulnerabilities, and security issues at the framework level.
• Advantages: Provides a better understanding of the program architecture and business logic, enabling the discovery of more and higher-quality logical vulnerabilities.
• Disadvantages: Time-consuming; requires considerable patience and strong code-reading skills from the auditor.

Tip: There is no need to read every line meticulously; start by reviewing the directory structure, then examine the core configuration files and entry points, and finally delve into the code of specific functional modules.

3.3 Targeted Auditing Based on Functional Areas (Experience-Driven)

Based on auditing experience, identify which functional areas are typically prone to vulnerabilities and conduct a focused audit of the code in those specific areas.

Common high-risk functional areas:

• File Upload: Check whether file extensions are restricted, whether files are renamed, and whether file headers are validated.
• File Management: Check whether filename parameters are controllable and whether directory traversal (../) is possible.
• Login Authentication: Check the cookie validation logic, session generation mechanism, and whether there are any arbitrary user login vulnerabilities.
• Password Recovery: Check whether verification codes can be brute-forced, whether reset tokens are predictable, and whether they are bound to the user’s identity.
• Payment Process: Check whether unit price, quantity, and total price are controlled by the client, and whether there are any race conditions.
• Third-Party Interaction: Such as SSRF (Server-Side Request Forgery) and unauthorized access to API interfaces.

Methodology: First perform black-box testing of functional points; once anomalies are identified, conduct white-box code auditing; or directly locate and review the relevant functional code files.

3.4 Use of Supporting Tools

Although code auditing relies primarily on manual logic, tools can significantly improve efficiency.

• Code Editors: Such as Notepad++, UltraEdit, and Zend Studio, used for code highlighting, searching, and debugging.
• Audit Systems: Such as the Seay source code audit system, RIPS, and Fortify SCA, which can automatically scan for sensitive functions and potential vulnerabilities.
• Debugging Tools: Such as Burp Suite (for packet capture and modification), browser extensions (HackBar, Firebug), regular expression debugging tools, and SQL execution monitoring tools, used to verify the existence of vulnerabilities.

Conclusion

Code auditing is both an art and a core discipline within information security. Whilst automated tools can resolve some issues, they are unable to comprehend complex business logic and code context. An excellent auditor must be able to endure repetitive, manual tasks whilst maintaining a passion for innovation, and must be able to flexibly apply the three approaches of "sensitive function tracing," "full-text reading," and "function-point targeting." Only by deeply understanding code logic and combining this with extensive knowledge of vulnerabilities can one uncover the most deeply hidden security risks within enterprise-level web architectures.