code review – WindowsTechs.com

How to calculate CVSS score of a finding detected in the source code?

Posted on March 12, 2024 by Anonymous

While I was doing source code review of API handlers for REST APIs, I found a security issue.
This issue is that some methods have the annotation @PreAuthorize("permitAll()").
If I want to document this as a finding and give it a… Continue reading How to calculate CVSS score of a finding detected in the source code?→

What does all this mean ?

Posted on January 30, 2024 by Peter Pan

Can I upload a pic? This came up on a different cell phone & I don’t know what it is.
Ok how can I find where my stolen cell phone is? It’s a Samsung A51 & carrier does nothing. I had insurance on it & I just got 1 of my emails… Continue reading What does all this mean ?→

Best Code Review Tools

Posted on August 19, 2023 by Enrique Corrales

We highlight some of the best code review software and tools for software developers. Learn about their features, benefits, and pricing. Continue reading Best Code Review Tools→

Trying to ret2text on 64bit program issues, can’t jump to shell

Posted on August 11, 2023 by Nsion

Here is the elf summary of the program:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

This is the main function of the disassembly of the p… Continue reading Trying to ret2text on 64bit program issues, can’t jump to shell→

PHP code review: is it open to object code injection through unserialize [closed]

Posted on March 24, 2023 by Dave

I’m trying to figure out if the code below is open to object injection:
<?php
// loggin level
define(‘CRIT’, 5);
define(‘ERROR’, 4);
// secret is defined somewhere in the script like this
define(‘SECRET’, ‘mYs3cr37P4… Continue reading PHP code review: is it open to object code injection through unserialize [closed]→

Crashing the sha1() function in PHP?

Posted on February 5, 2023 by user5623335

I am working on the following war game from Defend The Web, which requires me to do a source code review to login as the user memtash. The code is on GitLab here.
Here is my methodology:

Reset the password for user memtash which causes me… Continue reading Crashing the sha1() function in PHP?→

How long would this take to bruteforce?

Posted on February 4, 2023 by user5623335

I am working on the following war game from Defend The Web, which requires me to do a source code review to login as the user memtash. The code is on GitLab here.
Having inspected the source code during this code review, I find this line i… Continue reading How long would this take to bruteforce?→

What are some effective strategies to pentest a native code library?

Posted on December 17, 2022 by the_endian

The vast majority of resources out there about penetration testing applications is about web and mobile applications; in some cases there are resources about so-called "native applications" which compile to machine code (such as … Continue reading What are some effective strategies to pentest a native code library?→

Vulnerable Projects to Test and Compare Code Review Tools [closed]

Posted on July 29, 2022 by john_zombie

I am working on testing multiple code review tools and what to know if there are any free vulnerable code projects that I can run my scanning tools against and compare the results of each tool. I am mostly aiming at projects using .NET/C# … Continue reading Vulnerable Projects to Test and Compare Code Review Tools [closed]→

Code sample (OpenSSL – EVP) of verifying signed Ed25599 content

Posted on July 10, 2022 by Decaf Sux

The link here, https://www.openssl.org/docs/manmaster/man7/Ed25519.html, contains C-code that works just perfect to sign a message using Ed25519 in a C/C++ program.
But I just can’t find any corresponding code to verify a signed message.
A… Continue reading Code sample (OpenSSL – EVP) of verifying signed Ed25599 content→