mastering source code analysis lab

Here’s a comprehensive guide to mastering source code analysis with:

• 🧨 Vulnerable codebases

• ⚒️ Static analysis tools

• 🔍 Manual code review techniques

• 💻 Real-world scenarios

• 🎯 Language-specific recommendations

---

🧨 Vulnerable Codebases for Practice

1. Vulnerable Web Applications with Source Code Access

Name	Stack	Link
OWASP Juice Shop	Node.js	GitHub
DVWA	PHP	GitHub
bWAPP	PHP	GitHub
WebGoat	Java	GitHub
NodeGoat	Node.js	GitHub
Vulnerable Flask App	Python	GitHub
RailsGoat	Ruby	GitHub

These are perfect for:

• Identifying insecure functions

• Understanding common anti-patterns

• Practicing code-level exploitation

---

⚒️ Static Analysis Tools (SAST)

These tools help automatically detect vulnerabilities in source code.

🔹 Multi-language Tools

Tool	Strengths
Semgrep	Fast, rule-based scanner, highly customizable
SonarQube / SonarCloud	Full enterprise-grade code quality + security
CodeQL (GitHub)	Semantic code analysis with advanced query language
Bearer	Privacy/security scanner, excellent for API and secrets issues
Bandit	Python-specific analyzer
Gosec	Go language security scanner
Brakeman	For Ruby on Rails apps
FindSecBugs (SpotBugs)	Java bytecode scanner with OWASP rules
Taint-Mode Tools (e.g., CodeQL)	Track data flow across sinks and sources

---

🔍 Manual Review Methodology

What to Look For:

Category	Examples
Input Validation	eval(), exec(), raw SQL, unsanitized headers
Authentication/Authorization	Hardcoded creds, weak token logic, IDOR
Session Management	Insecure cookies, session fixation
Insecure Storage	Passwords stored in plaintext, weak encryption
Crypto Failures	Homebrew crypto, ECB mode, missing IVs
Command Execution	Shell injection points (os.system, subprocess)
Deserialization	pickle.load(), Java readObject()
Race Conditions	TOCTOU bugs, threading misuse
Secrets in Code	API keys, passwords in .env, .git or config files
Logic Flaws	Business logic errors, bypasses, incorrect conditions

Tactics:

• Trace data flow from source (user input) to sink (DB, shell, etc.)

• Review API endpoints, middleware, and helper utilities

• Look for insecure defaults or commented-out protections

• Check for inconsistent authentication or authorization checks

---

📦 Real-World Source Code Analysis Scenarios

Scenario	Language	How to Practice
Insecure Deserialization	Java, PHP, Python	WebGoat, vulnerable Flask App
SQL Injection via ORM Misuse	Node.js, Django	NodeGoat, custom apps
Insecure File Upload	PHP, .NET, Python	DVWA, bWAPP
Broken Access Control	Java, Ruby	WebGoat, RailsGoat
Secrets Leaking in Commits	Any	Practice using truffleHog, git-secrets on GitHub repos

---

🧪 Automated Secrets & Token Discovery

Tool	Purpose
truffleHog	Finds secrets in git repos
gitLeaks	Secret scanning + custom rules
detect-secrets	Pre-commit hook for secret detection
GitHub Advanced Security	Secrets scanning across public/private repos (if enabled)

---

📚 Resources to Learn Source Code Review

Resource	Focus
The Art of Software Security Assessment (Book)	Deep manual code review
OWASP Code Review Guide	Framework-agnostic review practices
Semgrep Playground	Practice writing your own detection rules
CodeQL Learning Lab (GitHub)	Create advanced security queries
PortSwigger Labs + Source View	Browse source + exploit live (Pro users)
HackTheBox Academy – Secure Coding	Great for building secure code review mindset

---

🎯 Language-Specific Advice

Language	Unique Risks
JavaScript (Node.js)	eval, insecure templates, prototype pollution
Python	pickle, yaml.load, subprocess abuse
PHP	Variable variables, LFI/RFI, magic quotes
Java	Deserialization, unsafe reflection
Go	Lack of built-in auth, poor error handling
C#/.NET	Insecure crypto APIs, config leaks
Ruby (Rails)	eval, mass assignment (params.permit!)

---

🔬 Advanced Manual Code Review Tactics

Beyond basic input validation, look for:

1. Inconsistent Authorization

• Checks on the UI but not enforced on the backend.

• Example:

  if user.is_admin:
      return dashboard()
  # missing auth here
  return data_view()

2. Logic Bombs

• Flawed if/else logic that causes unintended access:

  if not user.is_banned or user.is_admin:
      allow_access()

3. Regex Bypass

• Poor input filters like:

  re.match("[a-zA-Z0-9]+", input)  # misses full string match

4. Unsafe File Access

• Watch for string concatenation in file paths:

  open(f"files/{filename}", "r")  # LFI risk

5. Cryptographic Failures

• Look for:

  • Hardcoded keys

  • Static IVs

  • ECB mode

  • Custom encryption

---

🧠 Less Common but Critical Vulnerabilities to Look For

Vuln Type	How It Appears
Insecure logging	Logging secrets or tokens to logs (logger.debug(auth_token))
Feature flag misfires	Admin features enabled via client-side toggle
Insecure dependencies	Importing vulnerable libraries (e.g., event-stream in Node.js)
OAuth/OpenID misimplementation	Not validating aud, iss, exp in JWTs
Time-based attacks	Login timing difference revealing valid usernames
Race conditions	check_balance() → withdraw() in fast sequence
Insecure template rendering	Using render(request, user_input) (template injection)

---

🧪 Open-Source Projects You Can Practice On (Ethically)

These are security-focused or “bug bounty” friendly:

Project	Stack	Notes
Mozilla Firefox (Bug Bounty Eligible)	C++/Rust	Complex parsing logic, legacy components
OWASP Threat Dragon	Node.js	Simple but real-world app
SecureDrop (Freedom of the Press Foundation)	Python/Flask	Handles anonymity + encryption
Bitwarden CLI	Go	Password manager code is rich in crypto logic
Mastodon	Ruby on Rails	Great for OAuth, ActivityPub protocol abuse
PeerTube	Node.js + P2P	Use case: content access control logic

Audit code and match findings to:

• https://github.com/projectdiscovery/nuclei-templates

• https://huntr.dev (Open-source bug bounty program)

---

🚨 Real Vulnerabilities Found via Source Review

Vuln	Description	Source
Signal	XSS in link previews inside encrypted messages	Bug bounty
Slack	Command injection via internal CLI	Found via static analysis
npm event-stream	Malicious dependency used in open source	Report
JWT None Bypass	Developers forgot to check alg=none	Found via manual token review
GitLab RCE	YAML config deserialization bug	CVEs

---

⚙️ Source Code Review in CI/CD (DevSecOps Integration)

Tool	Best Used For	CI Integration
Semgrep CI	Code scanning, custom rules	GitHub Actions, GitLab CI, CircleCI
Snyk Code	SAST + dependency scan	Built-in GitHub integration
Checkov + Terrascan	IaC security	Terraform, CloudFormation audits
GitLeaks + TruffleHog	Secret detection	Git pre-commit + PR check
CodeQL	Advanced data flow analysis	GitHub native or custom CI

💡 Tip: Set to fail builds only on high-severity findings or use a "monitor-only" mode.

---

👩‍💻 Bug Bounty Source Review (If You Have Source or Recon Access)

Focus on these techniques:

Attack Vector	What to Look For
API keys in frontend	.env, .js, .map, Vue/React bundles
Old endpoints in codebase	Routes not in Swagger/UI
JS/TS source leaks	.map files or open-source client repos
GitHub dorks	company filename:.env or filename:docker-compose.yml
Accidental test code in production	Debug ports, credentials in staging branches
API backend repos	No rate limits, misauth, internal APIs exposed

---