CODE REVIEW GUIDE

RELEASE 2.0

Creative Commons (CC) Attribution

Free Version at: https://www.owasp.org

Project leaders: Larry Conklin and Gary Robinson

1 Introduction

Foreword
Acknowledgements
Introduction
How To Use The Code Review Guide

2 Secure Code Review

Methodology

3

A1 Injection 43
A2 Broken Authentication And Session Management 58
A3 Cross-Site Scripting (XSS) 70
A4 Insecure Direct Object Reference 77
A5 Security Misconfiguration 82
A6 Sensitive Data Exposure 117
A7 Missing Function Level Access Control 133
A8 Cross-Site Request Forgery (CSRF) 139
A9 Using Components With Known Vulnerabilities 146
A10 Unvalidated Redirects And Forwards 149

4 Technical Reference For Secure Code Review

HTML5 154
Same Origin Policy 158
Reviewing Logging Code 160
Error Handling 163
Reviewing Security Alerts 175
Review For Active Defence 178
Race Conditions 181
Buffer Overruns 183
Client Side JavaScript 188

Appendix

Code Review Do's And Dont's 192
Code Review Checklist 196
Threat Modeling Example 200
Code Crawling 206

Code Review Guide Foreword - By Eoin Keary

By Eoin Keary,

Long Serving OWASP Global Board Member

The OWASP Code Review guide was originally born from the OWASP Testing Guide. Initially code review was covered in the Testing Guide, as it seemed like a good idea at the time. However, the topic of security code review is too big and evolved into its own stand-alone guide. I started the Code Review Project in 2006. This current edition was started in April 2013 via the OWASP Project Reboot initiative and a grant from the United States Department of Homeland Security.

The OWASP Code Review team consists of a small, but talented, group of volunteers who should really get out more often. The volunteers have experience and a drive for the best practices in secure code review in a variety of organizations, from small start-ups to some of the largest software development organizations in the world.

It is common knowledge that more secure software can be produced and developed in a more cost effective way when bugs are detected early on in the systems development lifecycle. Organizations with a proper code review function integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. To put it simply "We can't hack ourselves secure". Attackers have more time to find vulnerabilities on a system than the time allocated to a defender. Hacking our way secure amounts to an uneven battlefield, asymmetric warfare, and a losing battle.

By necessity, this guide does not cover all programming languages. It mainly focuses on C#/.NET and Java, but includes C/C++, PHP and other languages where possible. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately (or unfortunately), the security flaws in web applications are remarkably consistent across programming languages.

Eoin Keary, June 2017

Acknowledgements

APPRECIATION TO UNITED STATES DEPARTMENT OF HOMELAND SECURITY

The OWASP community and the Code Review Guide project leaders wish to express their deep appreciation to the United States Department of Homeland Security for helping make this book possible through funds provided to OWASP through a grant. OWASP continues to be the preeminent organization for free, unbiased and unfettered application security. We have seen a disturbing rise in threats and attacks on community institutions through application vulnerabilities; only by joining forces, and with unfettered information, can we help turn back the tide of these threats. The world now runs on software and that software needs to be trustworthy. Our deepest appreciation and thanks to DHS for helping and in sharing in this goal.

FEEDBACK

If you have any feedback for the OWASP Code Review team, and/or find any mistakes or improvements in this Code Review Guide, please contact us at: owasp-codereview-project@owasp.org

ACKNOWLEDGEMENTS

Content Contributors

Larry Conklin

Gary Robinson

Johanna Curiel

Eoin Keary

Islam Azeddine Mennouchi

Abbas Naderi

Carlos Pantelides

Michael Hidalgo

Reviewers

Alison Shubert

Fernando Galves

Sytze van Koningsveld

Carolyn Cohen

Helen Gao

Jan Masztal
