🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Source Code Security Review

by @quochungto

Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized a...

Versionv1.0.0
Downloads296
TERMINAL
clawhub install bookforge-source-code-security-review

πŸ“– About This Skill


name: source-code-security-review description: | Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized access to an application's source code and need to identify security flaws faster or more thoroughly than black-box testing alone; auditing a codebase prior to launch or after a security incident; reviewing open-source or purchased software for embedded vulnerabilities; complementing an active penetration test with source-level analysis. Applies a three-phase methodology: (1) identify all user-input entry points via platform-specific source APIs β€” Java HttpServletRequest, ASP.NET Request.Params/Form/QueryString, PHP $_GET/$_POST/$_COOKIE/$_REQUEST, Perl CGI param(), JavaScript document.location/URL; (2) trace data flow forward to dangerous sink APIs β€” Runtime.exec()/Process.Start() for OS command injection, Statement.execute()/mysql_query() for SQL injection, FileInputStream/include() for path traversal, sendRedirect()/header() for open redirect, eval() for script injection; (3) line-by-line close review of authentication, session management, access control, and native code components. Covers 8 vulnerability signature categories: cross-site scripting, SQL injection, path traversal, arbitrary redirection, OS command injection, backdoor passwords, native software bugs (buffer overflow, integer flaw, format string), and incriminating source code comments. Also covers database code components (stored procedures with dynamic SQL) and environment configuration checks (web.xml, Web.config, php.ini). Produces a prioritized findings report with evidence and countermeasures. Maps to CWE-79 (XSS), CWE-89 (SQL Injection), CWE-22 (Path Traversal), CWE-601 (Open Redirect), CWE-78 (OS Command Injection), CWE-798 (Hardcoded Credentials), CWE-120/121/122 (Buffer Overflow), CWE-134 (Format String). For authorized security review engagements, appsec engineers, and security-minded developers. version: 1.0.0 homepage: https://github.com/bookforge-ai/bookforge-skills/tree/main/books/web-application-hackers-handbook/skills/source-code-security-review metadata: {"openclaw":{"emoji":"πŸ“š","homepage":"https://github.com/bookforge-ai/bookforge-skills"}} status: draft depends-on: [] source-books: - id: web-application-hackers-handbook title: "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws" authors: ["Dafydd Stuttard", "Marcus Pinto"] edition: 2 chapters: [19] pages: "701-745" tags: [code-review, white-box-testing, source-code-analysis, xss, sql-injection, path-traversal, open-redirect, command-injection, backdoor, buffer-overflow, java, aspnet, php, perl, javascript, penetration-testing, appsec, cwe-79, cwe-89, cwe-22, cwe-601, cwe-78, cwe-798, cwe-120, cwe-134] execution: tier: 1 mode: full inputs: - type: codebase description: "Web application source code β€” server-side handlers, data access layer, database stored procedures, configuration files (web.xml, Web.config, php.ini), client-side JavaScript" - type: document description: "Build manifests, dependency lists, architecture diagrams β€” optional but useful for scoping" tools-required: [Read, Grep] tools-optional: [Bash, Write] mcps-required: [] environment: "Run directly against the source code repository. No live application required. Authorized review context required." discovery: goal: "Identify exploitable security vulnerabilities in web application source code using a structured three-phase approach β€” entry points, dangerous sinks, and line-by-line review of high-risk components β€” and produce a prioritized findings report" tasks: - "Establish platform and establish custom wrapper awareness before proceeding" - "Map all user-input entry points using platform-specific source APIs" - "Trace data flow from sources to dangerous sink APIs for each vulnerability category" - "Perform line-by-line review of high-risk components: authentication, session management, access control, native code" - "Audit database stored procedures for dynamic SQL construction" - "Review environment configuration files for security-relevant settings" - "Document findings with CWE mapping, severity, evidence, and countermeasures" audience: roles: ["penetration-tester", "application-security-engineer", "security-minded-developer"] experience: "intermediate-to-advanced β€” assumes familiarity with at least one server-side web platform (Java, .NET, PHP, Perl) and common web vulnerability classes" triggers: - "Penetration test engagement where source code access has been granted" - "Security audit of a web application prior to production deployment" - "Reviewing an open-source project or purchased component for embedded vulnerabilities" - "Root-cause analysis after a security incident β€” understanding how the vulnerability existed in code" - "Supplementing automated SAST tool output with manual verification" not_for: - "Black-box behavioral testing without source access β€” use the relevant black-box testing skills" - "Infrastructure or network security review β€” different scope" - "Mobile application source review β€” different platform APIs"

Source Code Security Review

When to Use

You have authorized access to a web application's source code and need to find security vulnerabilities systematically.

This skill applies when:

  • A penetration test or security audit includes source code access, and you want to find more vulnerabilities faster than black-box alone
  • You need to identify backdoor passwords, hardcoded credentials, or logic flaws that are invisible to behavioral testing
  • A black-box test revealed anomalous behavior and you want to trace its root cause in code
  • You are reviewing an open-source component before integrating it into production
  • The foundational insight: Black-box testing is powerful but incomplete. Automated fuzzing can send hundreds of test cases per minute, but it cannot identify a backdoor password that only activates for a specific hardcoded value, a condition-guarded XSS that only triggers when a secondary parameter equals "3", or a buffer overflow buried in a native helper library. Source code review finds a different population of vulnerabilities than black-box testing. The two approaches are strongest when combined β€” code review guides where to probe interactively; interactive testing confirms whether code-level findings are actually exploitable.

    Before starting: Establish the extent of any custom wrappers, library extensions, or application-specific abstractions around standard APIs. Applications may implement their own session storage, input sanitization utilities, or database access layers. Understanding these customizations is essential β€” a call to a custom safeQuery() wrapper may or may not prevent SQL injection depending on its implementation.

    Authorized review only. This skill is for security professionals with explicit written authorization.


    Context and Input Gathering

    Required Context

  • Platform(s) in use (Java, ASP.NET, PHP, Perl, JavaScript, or mix):
  • Why: each platform has distinct source APIs for reading user input and distinct dangerous sink APIs. The Grep patterns and review focus differ entirely between a Java servlet application and a PHP script. - Check for: pom.xml / build.gradle (Java), *.csproj / Web.config (ASP.NET), *.php files, *.pl files, package.json (Node.js/JS)

  • Scope of review (full codebase, specific modules, authentication only):
  • Why: a large enterprise application may have hundreds of thousands of lines. Time-boxed reviews require prioritizing the highest-risk components. Without a defined scope, coverage is uneven. - If unspecified, start with authentication, session management, access control, and any component that processes user file access or external command execution

  • Any existing SAST tool output:
  • Why: avoids duplicating what automated analysis already found and focuses manual effort on classes of issues that tools reliably miss (logic flaws, race conditions, backdoors).

    Observable Context (gather from codebase)

  • Platform-specific configuration files: web.xml, Web.config, php.ini, .htaccess
  • Framework identification: Spring, Struts, Django, Laravel, Rails annotations and imports
  • Database access layer: ORM vs raw SQL, presence of prepared statement APIs
  • Custom security utilities: classes or functions named sanitize, validate, encode, escape, filter
  • Native code integration: JNI calls, P/Invoke, C extension includes, Runtime.exec / Process.Start

  • Process

    Phase 1 β€” Map User-Input Entry Points

    ACTION: Grep the codebase for platform-specific source APIs. Every location where user-controlled data enters the application is a potential source of tainted data. Build a catalog of entry points before tracing data flows.

    WHY: Vulnerabilities arise when user-controlled data reaches a dangerous operation without proper validation or encoding. You cannot trace data flow without first knowing all the places data enters. Applications frequently receive input through less-obvious channels β€” HTTP headers, cookies, session-derived data from user registration, even the URL path itself. Missing an entry point means missing all vulnerabilities that originate from it.

    AGENT: EXECUTES β€” Grep for platform-specific source APIs:

    Java (HttpServletRequest / ServletRequest):

    getParameter|getParameterNames|getParameterValues|getParameterMap
    getQueryString|getHeader|getHeaders|getHeaderNames
    getRequestURI|getRequestURL|getCookies|getRequestedSessionId
    getInputStream|getReader|getRemoteUser|getUserPrincipal
    

    ASP.NET (System.Web.HttpRequest):

    Request\.Params|Request\.Item|Request\.Form|Request\.QueryString
    Request\.ServerVariables|Request\.Headers|Request\.Url|Request\.RawUrl
    Request\.UrlReferrer|Request\.Cookies|Request\.BinaryRead
    Request\.Browser|Request\.UserAgent|Request\.AcceptTypes
    

    PHP:

    \$_GET|\$_POST|\$_COOKIE|\$_REQUEST|\$_FILES|\$_SERVER
    \$HTTP_GET_VARS|\$HTTP_POST_VARS|\$HTTP_COOKIE_VARS
    \$GLOBALS
    
    Note: if register_globals is enabled in php.ini, any variable name may receive request parameter values. Line-by-line review is then required to track all uses of uninitialized variables.

    Perl (CGI.pm):

    ->param\(|->param_fetch\(|->Vars\b|->cookie\(|->raw_cookie\(
    ->query_string\b|->referer\b|->self_url\b|->url\b
    ReadParse
    

    JavaScript (DOM sources):

    document\.location|document\.URL|document\.URLUnencoded|document\.referrer
    window\.location|location\.search|location\.hash|location\.href
    

    NOTE: Also search for $GLOBALS (PHP), any class names ending in Request, HttpContext, HttpInput, or equivalent β€” applications commonly abstract input access behind wrapper classes.


    Phase 2 β€” Trace Data Flow to Dangerous Sinks (Signature Scanning)

    ACTION: For each vulnerability category below, grep for the dangerous sink APIs. For each hit, trace backward to determine whether user-controlled data from Phase 1 sources flows into that sink without adequate validation or encoding. Confirm or dismiss each candidate finding.

    WHY: Signature scanning targets the highest-density locations of potential vulnerabilities first. A hard-coded SQL query fragment like "SELECT appearing in application code is almost always part of a SQL injection–vulnerable pattern. An eval() call receiving user input is almost always dangerous. This approach finds low-hanging fruit quickly, leaving remaining time for the subtler line-by-line review in Phase 3.


    #### 2.1 β€” Cross-Site Scripting (XSS)

    Grep for output APIs that write user data to responses:

    Java: response.getWriter().print|println|write, out.print|println, .InnerHtml, response.setHeader

    ASP.NET: Response.Write|Response.Output.Write, \.InnerHtml\s*=, \.InnerText\s*=

    PHP: echo\b|print\b|printf\b|vprintf\b,

    JavaScript (DOM sinks):

    document\.write\(|document\.writeln\(|\.innerHTML\s*=
    eval\(|window\.execScript\(|window\.setInterval\(|window\.setTimeout\(
    

    Pattern to find: User input from a Phase 1 source is incorporated into HTML output without HTML-encoding. Example:

    // Vulnerable: m_pageTitle set from request.getParameter("title") and
    // later written into a  element without encoding
    m_pageTitle = request.getParameter("title");
    </code></pre>
    Trace <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">m_pageTitle</code> forward β€” if it is written to a response element or used to construct a link/HTML fragment without <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">HtmlEncode()</code> / <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">escapeHtml()</code> / <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">HtmlUtils.htmlEscape()</code>, this is a confirmed XSS.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Grep for SQL fragment strings to find XSS in query-string construction:</strong>
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">"SELECT |"INSERT |"DELETE |" WHERE |" AND |" OR |" ORDER BY
    </code></pre>
    These patterns are case-insensitive; also search lowercase. The surrounding whitespace and quote distinguish SQL keyword strings from ordinary concatenated strings.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">NOTE on filter-based mitigations:</strong> If a filter exists that blocks certain XSS payloads in the query string, trace it carefully. Filters applied to the wrong parameter, or applied before the vulnerable parameter is read, provide no protection.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0">#### 2.2 β€” SQL Injection</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Grep for raw SQL execution APIs:</strong></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Java:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">createStatement|Statement\.execute|Statement\.executeQuery|Statement\.executeUpdate</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">ASP.NET:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">SqlCommand|OleDbCommand|OdbcCommand|SqlDataAdapter|\.CommandText\s*=</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">PHP:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">mysql_query|mssql_query|pg_query|mysqli_query</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Perl:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">->selectall_arrayref|->do\b</code></p><p style="margin:8px 0">For each hit, check whether the SQL string is constructed by concatenating user-controlled data. The presence of string fragments like <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">" WHERE </code> + variable or <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">"SELECT * FROM </code> + variable adjacent to a <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">createStatement</code> / <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">execute</code> call is a strong indicator.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Contrast with safe patterns:</strong> Presence of <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">prepareStatement</code> (Java), <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">.Parameters.Add</code> (ASP.NET), <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">mysqli->prepare</code> / <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">stmt->bind_param</code> (PHP), or <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">->prepare</code> / <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">->execute</code> (Perl) indicates parameterized queries β€” confirm that the prepared statement is actually used with bound parameters, not that the SQL string itself still incorporates concatenated user input before being prepared.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Database stored procedures:</strong> Extend this search to stored procedure definitions (<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">.sql</code> files, embedded SQL strings). A web application calling a parameterized stored procedure is safe only if the procedure itself does not construct dynamic SQL from its parameters. Search stored procedure code for dynamic SQL execution keywords: <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">EXEC</code> (MS-SQL, Sybase), <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">EXECUTE IMMEDIATE</code> (Oracle), <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">EXEC SQL</code> (DB2). If user-supplied procedure parameters are concatenated into these dynamic SQL strings, SQL injection exists in the database tier even when the application tier uses parameterized calls.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0">#### 2.3 β€” Path Traversal</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Grep for filesystem APIs:</strong></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Java:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">new File\(|FileInputStream|FileOutputStream|FileReader|FileWriter</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">ASP.NET:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">System\.IO\.File\.|FileStream\(|StreamReader\(|StreamWriter\(</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">PHP:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">fopen\(|readfile\(|file\(|fpassthru\(|include\(|require\(|include_once\(|require_once\(</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Perl:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">open\s*\(|sysopen\s*\(</code></p><p style="margin:8px 0">For each hit, determine whether the filename parameter incorporates user-controlled data. The most common pattern is user data appended to a hard-coded base directory:
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">FileStream fs = new FileStream("C:\\temp\\" + userInput, FileMode.Open);
    </code></pre>
    This is vulnerable if <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">userInput</code> is not canonicalized and verified to not contain <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">..</code> sequences.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">For PHP <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">include()</code> / <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">require()</code>:</strong> Also check whether the included file path can resolve to a remote URL (if <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">allow_url_include</code> is enabled in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">php.ini</code>). Remote File Inclusion (RFI) produces arbitrary code execution.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Grep for filename-related parameter names</strong> as a quick surface finder:
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">AttachName|filename|filepath|file=|path=|template=|page=|include=
    </code></pre></p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0">#### 2.4 β€” Arbitrary Redirection</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Grep for redirect APIs:</strong></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Java:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">sendRedirect\(|setStatus\(|addHeader\(</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">ASP.NET:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">HttpResponse\.Redirect\(|Response\.Status|Response\.StatusCode|Response\.AddHeader|Server\.Transfer</code>
    Note: <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">Server.Transfer</code> changes the page processed server-side without issuing an HTTP redirect, so it cannot be exploited for external redirects β€” but it can still be used for internal access control bypass.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">PHP:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">http_redirect\(|header\s*\(.*Location|HttpMessage::setResponseCode|HttpMessage::setHeaders</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Perl:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">->redirect\(</code></p><p style="margin:8px 0">For each hit, check whether the redirect URL string is constructed from user-controllable data (e.g., a <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">refURL</code> query string parameter, a <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">ReturnUrl</code> form field). Also check client-side JavaScript for redirect patterns:
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">document.location = target;
    window.location.href = url;
    </code></pre>
    Trace whether the URL value originates from a DOM source (<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">document.URL</code>, <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">document.referrer</code>, <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">location.search</code>). After-validation canonicalization is a common bypass path β€” if the code calls <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">unescape()</code> after checking for <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">//</code>, the check can be bypassed with double-encoded slashes (<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">%25252f%25252f</code>).</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0">#### 2.5 β€” OS Command Injection</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Grep for OS command execution APIs:</strong></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Java:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">Runtime\.getRuntime\(\)\.exec|Runtime\.exec\(</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">ASP.NET:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">Process\.Start\(|ProcessStartInfo</code></p><p style="margin:8px 0"><strong style="color:#e5e7eb">PHP:</strong> <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">\bexec\s*\(|passthru\(|popen\(|proc_open\(|shell_exec\(|system\(</code>, and the backtick operator `<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> </code>command<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> </code><code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Perl:</strong> </code>system\s*\(|\bexec\s*\(|qx/|qx\(<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, and the backtick operator</p><p style="margin:8px 0"><strong style="color:#e5e7eb">C/C++ (native components):</strong> </code>system\(|popen\(|execve\(|execl\(<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"></p><p style="margin:8px 0">For each hit, determine whether user-controlled data forms part of the command string. In Java, </code>Runtime.exec(string)<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> interprets shell metacharacters if the argument is a single string β€” but </code>Runtime.exec(String[])<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> with arguments passed as separate array elements does not. Partial control of the command string may still be exploitable via argument injection (injecting command-line flags rather than shell metacharacters).</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0">#### 2.6 β€” Backdoor Passwords and Hidden Debug Functions</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Grep for hardcoded credential patterns in authentication logic:</strong>
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">equals\(".*"\)|\.equals\('.*'\)|==\s*["']
    password.*==|password.*equals|"admin"|"password"|"secret"
    </code></pre></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Grep for incriminating source code comments:</strong>
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">// bug|// problem|// bad|// hope|// todo|// fix|// overflow
    // crash|// inject|// xss|// trust|# bug|# hack|# fixme
    <h2 style="color:#f3f4f6;margin:20px 0 10px;font-size:1.15em">todo|# xxx</h2>
    </code></pre></p><p style="margin:8px 0">These comment searches often surface developer-acknowledged vulnerabilities that were never resolved, temporary workarounds that became permanent, or security test code that was never removed. Example from production code:
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">char buf[200]; // I hope this is big enough
    strcpy(buf, userinput);
    </code></pre></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Also look for:</strong> Unreferenced functions accessible via hidden URL parameters, </code>debug=1<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> style logic branches, IP address allowlists that bypass authentication.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0">#### 2.7 β€” Native Software Bugs (C/C++ components)</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Buffer overflow β€” grep for unchecked buffer manipulation APIs:</strong>
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">\bstrcpy\b|\bstrcat\b|\bmemcpy\b|\bsprintf\b|\bgets\b|\bscanf\b
    </code></pre>
    Also: their wide-character variants (</code>wcscpy<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>wcscat<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>swprintf<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">). For each hit, verify whether the destination buffer is large enough to accommodate the source data, and whether the source length is bounded. Even </code>strncpy<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> can be misused β€” check whether the size argument is </code>strlen(src)<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> rather than </code>sizeof(dst)<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> (the former still overflows if </code>src<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> exceeds </code>dst<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">'s size).</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Integer vulnerabilities β€” grep for signed/unsigned comparisons:</strong>
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">len\s*<\s*sizeof|size\s*<\s*sizeof|length\s*<\s*sizeof
    </code></pre>
    If </code>len<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> is a signed integer compared to </code>sizeof()<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> (which returns an unsigned </code>size_t<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">), a user-supplied negative value for </code>len<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> passes the check and causes the subsequent unchecked copy to overwrite memory.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Format string vulnerabilities β€” grep for uncontrolled format strings:</strong>
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">\bprintf\s*(\s*[^"]\|fprintf\s*(\s*[^"][^,]\|syslog\s*(\s*[^,]*,\s*[^"]
    </code></pre>
    The dangerous pattern is </code>printf(userInput)<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> instead of </code>printf("%s", userInput)<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. If the format string parameter is user-controllable, the attacker controls format specifiers β€” </code>%n<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> writes to arbitrary memory addresses, enabling code execution.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><h4 style="color:#d1d5db;margin:14px 0 6px;font-size:.95em">Phase 3 β€” Line-by-Line Review of High-Risk Components</h4></p><p style="margin:8px 0"><strong style="color:#e5e7eb">ACTION:</strong> Select the components listed below for close sequential reading. The goal is not to find every vulnerability via signatures, but to understand the security logic and find flaws in its design or implementation β€” race conditions, time-of-check/time-of-use issues, bypasses enabled by edge cases, incorrect trust assumptions.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">WHY:</strong> Many serious vulnerabilities are not detectable by grep β€” they require understanding the surrounding logic. An authentication bypass may exist because a conditional check that should be </code>&&<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> is </code>||<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. A session fixation vulnerability requires reading the session initialization flow end-to-end. These subtler issues are common in precisely the most security-critical code.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Components to read line-by-line:</strong></p><p style="margin:8px 0">1. <strong style="color:#e5e7eb">Authentication mechanisms</strong> β€” login logic, password comparison, account lockout, password reset flow, multi-factor verification. Look for: timing-based username enumeration, bypass conditions (OR instead of AND in credential checks), hardcoded fallback credentials, insecure token generation for password reset.</p><p style="margin:8px 0">2. <strong style="color:#e5e7eb">Session management</strong> β€” session token generation, storage, validation, and invalidation. Look for: use of </code>java.util.Random<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> (predictable) instead of </code>SecureRandom<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, session tokens derived from user-controllable data, session fixation (token not rotated after login), logout that does not invalidate the server-side session.</p><p style="margin:8px 0">3. <strong style="color:#e5e7eb">Access control</strong> β€” per-resource authorization checks, role validation. Look for: missing checks on sensitive endpoints, checks that rely on client-supplied role data, checks placed after the sensitive operation rather than before.</p><p style="margin:8px 0">4. <strong style="color:#e5e7eb">Application-wide input validation utilities</strong> β€” any class or function named </code>sanitize<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>validate<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>encode<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>escape<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Look for: allowlist vs denylist (denylists are almost always bypassable), post-validation canonicalization (decoding after checking), validation applied to the wrong parameter.</p><p style="margin:8px 0">5. <strong style="color:#e5e7eb">Interfaces to external components</strong> β€” database connections, OS command helpers, file access wrappers, LDAP queries. Confirm that parameterization is consistently applied and that no code path bypasses the wrapper.</p><p style="margin:8px 0">6. <strong style="color:#e5e7eb">Native code (C/C++) integration points</strong> β€” any JNI, P/Invoke, or C extension boundary where Java/.NET managed data crosses into unmanaged memory. Data length and character set assumptions made in managed code may not hold in native code.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><h4 style="color:#d1d5db;margin:14px 0 6px;font-size:.95em">Phase 4 β€” Environment Configuration Review</h4></p><p style="margin:8px 0"><strong style="color:#e5e7eb">ACTION:</strong> Read the platform configuration files and check the security-relevant settings below.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">WHY:</strong> A perfectly written application can be made insecure by a misconfigured environment. Debug mode enabled in production exposes stack traces that reveal internal paths, class names, and database credentials. Permissive PHP </code>register_globals<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> creates uninitialized variable injection vectors that do not appear in the application source. Insecure cookie flags allow session token theft.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Java β€” </code>web.xml<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">:</strong>
    <li style="color:#94a3b8;margin:3px 0"></code>login-config<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: verify authentication method; if forms-based, check action is </code>j_security_check<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> with correct parameter names (</code>j_username<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>j_password<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">)</li>
    <li style="color:#94a3b8;margin:3px 0"></code>security-constraint<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> with </code>url-pattern<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: verify all sensitive paths are covered; gaps mean unauthenticated access</li>
    <li style="color:#94a3b8;margin:3px 0"></code>session-config session-timeout<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: overly long or zero timeout increases session hijacking window</li>
    <li style="color:#94a3b8;margin:3px 0"></code>error-page<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: verify error codes map to custom pages (not stack traces)</li>
    <li style="color:#94a3b8;margin:3px 0"></code>init-param<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: check </code>listings<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> is </code>false<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> and </code>debug<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> is </code>0<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"></li></p><p style="margin:8px 0"><strong style="color:#e5e7eb">ASP.NET β€” </code>Web.config<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">:</strong>
    <li style="color:#94a3b8;margin:3px 0"></code>httpCookies httpOnlyCookies="true"<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: prevents JavaScript cookie theft; </code>requireSSL="true"<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> prevents cookie transmission over HTTP</li>
    <li style="color:#94a3b8;margin:3px 0"></code>sessionState timeout<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: session lifetime</li>
    <li style="color:#94a3b8;margin:3px 0"></code>compilation debug="false"<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: debug symbols expose internals</li>
    <li style="color:#94a3b8;margin:3px 0"></code>customErrors mode="On"<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> or </code>"RemoteOnly"<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: prevents detailed error disclosure to users</li>
    <li style="color:#94a3b8;margin:3px 0"></code>httpRuntime enableHeaderChecking="true"<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> (default): request header injection defense; </code>enableVersionHeader="false"<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: prevents version disclosure</li></p><p style="margin:8px 0"><strong style="color:#e5e7eb">PHP β€” </code>php.ini<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">:</strong>
    <li style="color:#94a3b8;margin:3px 0"></code>register_globals = Off<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: if On, all request parameters become global variables β€” mandatory Off for any application not specifically designed for it</li>
    <li style="color:#94a3b8;margin:3px 0"></code>display_errors = Off<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: prevents PHP errors from leaking to users; use </code>log_errors<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> + </code>error_log<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> instead</li>
    <li style="color:#94a3b8;margin:3px 0"></code>allow_url_fopen<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> and </code>allow_url_include<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: if On, </code>include()<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> can load remote URLs β€” Remote File Inclusion vector</li>
    <li style="color:#94a3b8;margin:3px 0"></code>magic_quotes_gpc<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: if On, single quotes in request parameters are auto-escaped β€” affects SQL injection testability; however magic quotes do not prevent numeric injection or second-order injection (data read from DB is unescaped); <strong style="color:#e5e7eb">removed in PHP 6</strong></li>
    <li style="color:#94a3b8;margin:3px 0"></code>safe_mode<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: if On, restricts </code>shell_exec<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>exec<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> execution paths β€” but bypassable; not a security panacea; <strong style="color:#e5e7eb">removed in PHP 6</strong></li>
    <li style="color:#94a3b8;margin:3px 0"></code>file_uploads<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> and </code>upload_tmp_dir<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">: confirm uploaded files are stored in a non-web-accessible temporary path</li></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Perl:</strong> Check for taint mode (</code>-T<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> flag in shebang </code>#!/usr/bin/perl -T<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">). Taint mode marks all user input as tainted and prevents tainted data from reaching dangerous functions (</code>eval<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>system<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>exec<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>open<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">) without explicit pattern-match untainting. If taint mode is not enabled, no framework-level protection exists against injection. If it is enabled, verify the untainting regexes are sufficiently restrictive β€” overly broad patterns (e.g., </code>(.*)<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">) that extract arbitrary content defeat the protection.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><h4 style="color:#d1d5db;margin:14px 0 6px;font-size:.95em">Phase 5 β€” Document Findings</h4></p><p style="margin:8px 0"><strong style="color:#e5e7eb">ACTION:</strong> For each confirmed vulnerability, record: vulnerability class, CWE identifier, severity, file path and line number(s), evidence (code snippet showing source β†’ sink flow), and countermeasure.</p><p style="margin:8px 0"><strong style="color:#e5e7eb">Severity guidance:</strong>
    <li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Critical:</strong> OS command injection with code execution, SQL injection with data access or authentication bypass, Remote File Inclusion, backdoor credentials</li>
    <li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">High:</strong> Arbitrary file read via path traversal, XSS in authenticated context or on sensitive page, SQL injection limited to read-only data, stored XSS</li>
    <li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Medium:</strong> Reflected XSS in unauthenticated context, open redirect, Local File Inclusion, insecure direct object reference</li>
    <li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Low:</strong> Incriminating comments, configuration weaknesses without direct exploitability, verbose error disclosure</li></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Output format:</strong>
    <pre style="background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0"><code style="color:#a5f3fc;background:none;padding:0;font-size:1em">## Source Code Security Review β€” [Application Name]
    Date: [date]  |  Reviewer: [name]  |  Platform: [Java/PHP/etc]
    Scope: [files or modules reviewed]</p><p style="margin:8px 0"><h4 style="color:#d1d5db;margin:14px 0 6px;font-size:.95em">FINDING-001 β€” [Vulnerability Class] β€” [File:Line]</h4>
    <li style="color:#94a3b8;margin:3px 0">CWE: CWE-XX</li>
    <li style="color:#94a3b8;margin:3px 0">Severity: [Critical | High | Medium | Low]</li>
    <li style="color:#94a3b8;margin:3px 0">Location: [path/to/file.java:42]</li>
    <li style="color:#94a3b8;margin:3px 0">Evidence: [2-5 line code snippet showing the vulnerable pattern]</li>
    <li style="color:#94a3b8;margin:3px 0">Root cause: [1-2 sentences]</li>
    <li style="color:#94a3b8;margin:3px 0">Countermeasure: [specific fix]</li></p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">Coverage Summary</h3>
    [Table: Phase | Files Reviewed | Findings]
    </code></pre></p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">Inputs</h3></p><p style="margin:8px 0"><li style="color:#94a3b8;margin:3px 0">Web application source code (all server-side files, client-side JavaScript, database scripts)</li>
    <li style="color:#94a3b8;margin:3px 0">Platform configuration files (</code>web.xml<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>Web.config<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>php.ini<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">)</li>
    <li style="color:#94a3b8;margin:3px 0">Any existing SAST tool output (to focus manual effort on what tools miss)</li>
    <li style="color:#94a3b8;margin:3px 0">Scope definition: modules in scope, time budget</li></p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">Outputs</h3></p><p style="margin:8px 0">A <strong style="color:#e5e7eb">Source Code Security Review Report</strong> with:
    <li style="color:#94a3b8;margin:3px 0">Per-finding entries (class, CWE, severity, location, evidence, countermeasure)</li>
    <li style="color:#94a3b8;margin:3px 0">Coverage summary (phases completed, files reviewed, findings count by severity)</li>
    <li style="color:#94a3b8;margin:3px 0">Prioritized remediation list</li></p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">Key Principles</h3></p><p style="margin:8px 0"><li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">White-box finds a different population of bugs than black-box.</strong> Backdoor passwords, condition-guarded logic flaws, and vulnerabilities that only activate for specific secondary parameter values are nearly impossible to find by fuzzing. Code review is not a replacement for behavioral testing β€” it is a complement that finds what fuzzing cannot.</li></p><p style="margin:8px 0"><li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Trace the full data flow β€” source to sink.</strong> A dangerous API call is only a vulnerability if user-controlled data reaches it without adequate sanitization. Conversely, a piece of code that stores user data in a class field and later passes that field to a dangerous API is vulnerable even if the dangerous API call looks harmless in isolation. Never confirm or dismiss a finding without tracing the full path.</li></p><p style="margin:8px 0"><li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Denylists fail; allowlists don't.</strong> Filters that block known-bad patterns (</code>../<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code><script><code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, single quote) are routinely bypassed via URL encoding, Unicode encoding, case variation, or application-specific decoding. An application that validates input by allowlisting known-safe characters and rejecting everything else is structurally more robust. When you see a denylist filter protecting a dangerous API, treat it as a weak mitigant β€” look for bypasses.</li></p><p style="margin:8px 0"><li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Post-validation canonicalization is always a bug.</strong> Any decoding, unescaping, or canonicalization performed after validation defeats the validation. If an application validates a redirect URL by checking for </code>//<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, then calls </code>unescape()<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> on the value before using it, an attacker can encode the slashes as </code>%252f%252f<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> (percent-encoding the percent sign), pass validation, then have </code>unescape()<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> decode to </code>//<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">.</li></p><p style="margin:8px 0"><li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Configuration is part of the attack surface.</strong> PHP </code>register_globals<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, ASP.NET debug mode, and Java </code>listings=true<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> each create vulnerabilities that are not visible anywhere in the application source files. Always read the configuration files as part of the review scope.</li></p><p style="margin:8px 0"><li style="color:#94a3b8;margin:3px 0"><strong style="color:#e5e7eb">Database stored procedures are not automatically safe.</strong> Using parameterized calls from application code to invoke a stored procedure prevents SQL injection in the application tier β€” but if the stored procedure itself constructs dynamic SQL by concatenating its parameters, the vulnerability simply moves one layer deeper. Include stored procedure and trigger code in the review scope.</li></p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">Examples</h3></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Scenario: Penetration test with source access β€” Java banking application</strong>
    Trigger: "We're granting you source access for this pentest. The application handles fund transfers and user account management."
    Process:
    1. Phase 1: Grep for </code>getParameter<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” finds 47 call sites. Note </code>request.getParameter("title")<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> stored in </code>m_pageTitle<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> field in </code>PageController.java:88<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">.
    2. Phase 2.1 (XSS): Grep for </code>InnerHtml<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” finds </code>objCell.InnerHtml = link<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in </code>ReportView.java:204<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Trace </code>link<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> backward β€” constructed by string concatenation from </code>HttpUtility.UrlDecode(Request.QueryString["refURL"])<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> without HTML-encoding. Confirmed reflected XSS (CWE-79, High). Also trace </code>m_pageTitle<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> forward β€” finds it written into </code><title><code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> element in template renderer without encoding. Second XSS confirmed, conditionally triggerable (requires </code>type=3<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">).
    3. Phase 2.2 (SQL injection): Grep for </code>createStatement<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” finds </code>s.executeQuery("SELECT name, accno FROM TblCustomers WHERE " + SqlWhere)<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in </code>CustomerSearch.java:156<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. </code>SqlWhere<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> is built from </code>Request.QueryString["CID"]<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Confirmed SQL injection (CWE-89, Critical).
    4. Phase 2.6 (Backdoor): Line-by-line review of </code>AuthService.java<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” finds </code>if (checkCredentials(up, password) || "oculiomnium".equals(password)) return up;<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Hardcoded backdoor password grants access to any account (CWE-798, Critical).
    Output: 3 findings β€” Critical SQL injection, Critical backdoor password, High XSS (x2). Countermeasures: replace </code>createStatement<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> with </code>prepareStatement<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">; remove hardcoded password; HTML-encode all output via </code>HtmlUtils.htmlEscape()<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Scenario: Pre-launch PHP e-commerce application review</strong>
    Trigger: "We're launching next month. Please review our PHP codebase for security issues before we go live."
    Process:
    1. Phase 1: Grep for PHP input sources β€” finds </code>$_GET<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>$_POST<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">, </code>$_COOKIE<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in 23 files. Check </code>php.ini<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” </code>register_globals = On<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> on their dev server; flag immediately.
    2. Phase 2.3 (Path traversal + RFI): Grep for </code>include(<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” finds </code>include($_GET['page'] . '.php')<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in </code>main.php:12<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. No </code>allow_url_include<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> check in code. Check </code>php.ini<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” </code>allow_url_include = 1<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Confirmed Remote File Inclusion (CWE-98, Critical). Also: </code>allow_url_fopen = 1<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> and </code>display_errors = On<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in production config.
    3. Phase 2.2 (SQL injection): Grep for </code>mysql_query(<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” finds </code>mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'")<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in </code>login.php:34<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Variables from </code>$_POST<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> without escaping. Confirmed SQL injection (CWE-89, Critical). </code>magic_quotes_gpc = Off<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> confirms no runtime escaping active.
    4. Phase 2.5 (OS command injection): Grep for </code>exec(<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” finds </code>exec("convert " . $_POST['filename'] . " -resize 100x100 output.jpg")<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in </code>image.php:67<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Confirmed OS command injection via shell metacharacters (CWE-78, Critical).
    5. Phase 4 (Config): </code>display_errors = On<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in </code>php.ini<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” leaks stack traces and DB credentials to users (Low). </code>register_globals = On<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” creates uninitialized variable injection vectors (High).
    Output: 3 Critical findings, 1 High, 1 Low. Countermeasures: disable </code>allow_url_include<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> and </code>allow_url_fopen<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">; replace </code>mysql_query<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> with </code>mysqli->prepare<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">; replace shell </code>exec<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> with ImageMagick PHP extension API; set </code>display_errors = Off<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> + </code>log_errors = On<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">; set </code>register_globals = Off<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Scenario: Security audit of a PHP/JavaScript SPA β€” focus on client-side and database tier</strong>
    Trigger: "Our application is a single-page app with a PHP API backend. We've had a report of potential DOM-based XSS and we want to understand our stored procedure security posture."
    Process:
    1. Phase 2.1 (DOM XSS): Grep JavaScript for DOM sources and sinks β€” finds </code>url = document.URL; index = url.indexOf('?redir='); target = unescape(url.substring(index + 7, url.length)); document.location = target;<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> in </code>redirect.js:22<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Script checks for </code>//<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> to block absolute URLs but calls </code>unescape()<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> afterward. Confirmed DOM-based open redirect and XSS via </code>?redir=%2500javascript:alert(1)<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> (CWE-601 + CWE-79, High). Post-validation canonicalization bypass.
    2. Phase 2.2 (Stored procedure SQL injection): Review </code>.sql<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> migration files β€” finds </code>CREATE PROCEDURE show_current_orders (@name varchar(400) = NULL) AS DECLARE @sql nvarchar(4000) SELECT @sql = 'SELECT id_num, searchstring FROM searchorders WHERE ' + 'searchstring = ''' + @name + ''''; EXEC (@sql) GO<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">. Even if the application calls this procedure with a parameterized API, the procedure itself constructs dynamic SQL from </code>@name<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” confirmed stored procedure SQL injection (CWE-89, High).
    3. Phase 3 (Session management): Line-by-line review of </code>TokenGenerator.java<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> β€” uses </code>java.util.Random<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> (not cryptographically secure) to generate session tokens. Session tokens are predictable given sufficient samples (CWE-338, High).
    Output: 3 High findings β€” DOM-based XSS/redirect, stored procedure SQL injection, predictable session tokens. Countermeasures: remove </code>unescape()<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> call from redirect script; rewrite stored procedure using </code>sp_executesql<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> with parameterized query; replace </code>java.util.Random<code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"> with </code>java.security.SecureRandom`.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">References</h3></p><p style="margin:8px 0"><li style="color:#94a3b8;margin:3px 0">Per-platform source and sink API tables: <a href="references/platform-api-reference.md" target="_blank" rel="noopener" style="color:#6366f1">platform-api-reference.md</a></li>
    <li style="color:#94a3b8;margin:3px 0">Environment configuration security settings: <a href="references/environment-config-reference.md" target="_blank" rel="noopener" style="color:#6366f1">environment-config-reference.md</a></li>
    <li style="color:#94a3b8;margin:3px 0">CWE and OWASP mapping for findings: <a href="references/vuln-cwe-owasp-mapping.md" target="_blank" rel="noopener" style="color:#6366f1">vuln-cwe-owasp-mapping.md</a></li>
    <li style="color:#94a3b8;margin:3px 0">Source: Stuttard, D. & Pinto, M. (2011). *The Web Application Hacker's Handbook* (2nd ed.), Chapter 19: "Finding Vulnerabilities in Source Code," pp. 701-745. Wiley.</li></p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">License</h3></p><p style="margin:8px 0">This skill is licensed under <a href="https://creativecommons.org/licenses/by-sa/4.0/" target="_blank" rel="noopener" style="color:#6366f1">CC-BY-SA-4.0</a>.
    Source: <a href="https://github.com/bookforge-ai/bookforge-skills" target="_blank" rel="noopener" style="color:#6366f1">BookForge</a> β€” The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto.</p><p style="margin:8px 0"><h3 style="color:#e5e7eb;margin:18px 0 8px;font-size:1.05em">Related BookForge Skills</h3></p><p style="margin:8px 0">This skill is standalone. Browse more BookForge skills: <a href="https://github.com/bookforge-ai/bookforge-skills" target="_blank" rel="noopener" style="color:#6366f1">bookforge-skills</a>
    </p></div></section><section class="skill-card" style="margin-bottom:20px"><h2 style="color:#f8fafc;font-size:1.2em;font-weight:800;margin:0 0 16px;display:flex;align-items:center;gap:8px">⚑ When to Use</h2><div><table style="width:100%;border-collapse:collapse;border:1px solid #1e1e3f;border-radius:8px;overflow:hidden;font-size:.9em"><thead><tr style="background:#0a0a1c"><th style="padding:12px 16px;text-align:left;color:#818cf8;font-weight:700;border-bottom:2px solid #6366f130">Trigger</th><th style="padding:12px 16px;text-align:left;color:#818cf8;font-weight:700;border-bottom:2px solid #6366f130">Action</th></tr></thead><tbody><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">This skill applies when:</td></tr><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">- A penetration test or security audit includes source code access, and you want to find more vulnerabilities faster than black-box alone</td></tr><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">- You need to identify backdoor passwords, hardcoded credentials, or logic flaws that are invisible to behavioral testing</td></tr><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">- A black-box test revealed anomalous behavior and you want to trace its root cause in code</td></tr><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">- You are reviewing an open-source component before integrating it into production</td></tr><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">**The foundational insight:** Black-box testing is powerful but incomplete. Automated fuzzing can send hundreds of test cases per minute, but it cannot identify a backdoor password that only activates for a specific hardcoded value, a condition-guarded XSS that only triggers when a secondary parameter equals `"3"`, or a buffer overflow buried in a native helper library. Source code review finds a different population of vulnerabilities than black-box testing. The two approaches are strongest when combined β€” code review guides where to probe interactively; interactive testing confirms whether code-level findings are actually exploitable.</td></tr><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">**Before starting:** Establish the extent of any custom wrappers, library extensions, or application-specific abstractions around standard APIs. Applications may implement their own session storage, input sanitization utilities, or database access layers. Understanding these customizations is essential β€” a call to a custom `safeQuery()` wrapper may or may not prevent SQL injection depending on its implementation.</td></tr><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">**Authorized review only.** This skill is for security professionals with explicit written authorization.</td></tr><tr><td style="padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8" colspan="2">---</td></tr></tbody></table></div></section><section class="skill-card" style="margin-bottom:20px"><h2 style="color:#f8fafc;font-size:1.2em;font-weight:800;margin:0 0 16px;display:flex;align-items:center;gap:8px">πŸ’‘ Examples</h2><div style="font-size:.92em;color:#94a3b8;line-height:1.75"><p style="margin:8px 0"><strong style="color:#e5e7eb">Scenario: Penetration test with source access β€” Java banking application</strong>
    Trigger: "We're granting you source access for this pentest. The application handles fund transfers and user account management."
    Process:
    1. Phase 1: Grep for <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">getParameter</code> β€” finds 47 call sites. Note <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">request.getParameter("title")</code> stored in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">m_pageTitle</code> field in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">PageController.java:88</code>.
    2. Phase 2.1 (XSS): Grep for <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">InnerHtml</code> β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">objCell.InnerHtml = link</code> in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">ReportView.java:204</code>. Trace <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">link</code> backward β€” constructed by string concatenation from <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">HttpUtility.UrlDecode(Request.QueryString["refURL"])</code> without HTML-encoding. Confirmed reflected XSS (CWE-79, High). Also trace <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">m_pageTitle</code> forward β€” finds it written into <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em"><title></code> element in template renderer without encoding. Second XSS confirmed, conditionally triggerable (requires <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">type=3</code>).
    3. Phase 2.2 (SQL injection): Grep for <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">createStatement</code> β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">s.executeQuery("SELECT name, accno FROM TblCustomers WHERE " + SqlWhere)</code> in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">CustomerSearch.java:156</code>. <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">SqlWhere</code> is built from <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">Request.QueryString["CID"]</code>. Confirmed SQL injection (CWE-89, Critical).
    4. Phase 2.6 (Backdoor): Line-by-line review of <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">AuthService.java</code> β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">if (checkCredentials(up, password) || "oculiomnium".equals(password)) return up;</code>. Hardcoded backdoor password grants access to any account (CWE-798, Critical).
    Output: 3 findings β€” Critical SQL injection, Critical backdoor password, High XSS (x2). Countermeasures: replace <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">createStatement</code> with <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">prepareStatement</code>; remove hardcoded password; HTML-encode all output via <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">HtmlUtils.htmlEscape()</code>.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Scenario: Pre-launch PHP e-commerce application review</strong>
    Trigger: "We're launching next month. Please review our PHP codebase for security issues before we go live."
    Process:
    1. Phase 1: Grep for PHP input sources β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">$_GET</code>, <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">$_POST</code>, <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">$_COOKIE</code> in 23 files. Check <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">php.ini</code> β€” <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">register_globals = On</code> on their dev server; flag immediately.
    2. Phase 2.3 (Path traversal + RFI): Grep for <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">include(</code> β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">include($_GET['page'] . '.php')</code> in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">main.php:12</code>. No <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">allow_url_include</code> check in code. Check <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">php.ini</code> β€” <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">allow_url_include = 1</code>. Confirmed Remote File Inclusion (CWE-98, Critical). Also: <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">allow_url_fopen = 1</code> and <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">display_errors = On</code> in production config.
    3. Phase 2.2 (SQL injection): Grep for <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">mysql_query(</code> β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'")</code> in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">login.php:34</code>. Variables from <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">$_POST</code> without escaping. Confirmed SQL injection (CWE-89, Critical). <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">magic_quotes_gpc = Off</code> confirms no runtime escaping active.
    4. Phase 2.5 (OS command injection): Grep for <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">exec(</code> β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">exec("convert " . $_POST['filename'] . " -resize 100x100 output.jpg")</code> in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">image.php:67</code>. Confirmed OS command injection via shell metacharacters (CWE-78, Critical).
    5. Phase 4 (Config): <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">display_errors = On</code> in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">php.ini</code> β€” leaks stack traces and DB credentials to users (Low). <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">register_globals = On</code> β€” creates uninitialized variable injection vectors (High).
    Output: 3 Critical findings, 1 High, 1 Low. Countermeasures: disable <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">allow_url_include</code> and <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">allow_url_fopen</code>; replace <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">mysql_query</code> with <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">mysqli->prepare</code>; replace shell <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">exec</code> with ImageMagick PHP extension API; set <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">display_errors = Off</code> + <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">log_errors = On</code>; set <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">register_globals = Off</code>.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p><p style="margin:8px 0"><strong style="color:#e5e7eb">Scenario: Security audit of a PHP/JavaScript SPA β€” focus on client-side and database tier</strong>
    Trigger: "Our application is a single-page app with a PHP API backend. We've had a report of potential DOM-based XSS and we want to understand our stored procedure security posture."
    Process:
    1. Phase 2.1 (DOM XSS): Grep JavaScript for DOM sources and sinks β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">url = document.URL; index = url.indexOf('?redir='); target = unescape(url.substring(index + 7, url.length)); document.location = target;</code> in <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">redirect.js:22</code>. Script checks for <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">//</code> to block absolute URLs but calls <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">unescape()</code> afterward. Confirmed DOM-based open redirect and XSS via <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">?redir=%2500javascript:alert(1)</code> (CWE-601 + CWE-79, High). Post-validation canonicalization bypass.
    2. Phase 2.2 (Stored procedure SQL injection): Review <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">.sql</code> migration files β€” finds <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">CREATE PROCEDURE show_current_orders (@name varchar(400) = NULL) AS DECLARE @sql nvarchar(4000) SELECT @sql = 'SELECT id_num, searchstring FROM searchorders WHERE ' + 'searchstring = ''' + @name + ''''; EXEC (@sql) GO</code>. Even if the application calls this procedure with a parameterized API, the procedure itself constructs dynamic SQL from <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">@name</code> β€” confirmed stored procedure SQL injection (CWE-89, High).
    3. Phase 3 (Session management): Line-by-line review of <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">TokenGenerator.java</code> β€” uses <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">java.util.Random</code> (not cryptographically secure) to generate session tokens. Session tokens are predictable given sufficient samples (CWE-338, High).
    Output: 3 High findings β€” DOM-based XSS/redirect, stored procedure SQL injection, predictable session tokens. Countermeasures: remove <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">unescape()</code> call from redirect script; rewrite stored procedure using <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">sp_executesql</code> with parameterized query; replace <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">java.util.Random</code> with <code style="background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em">java.security.SecureRandom</code>.</p><p style="margin:8px 0"><hr style="border:none;border-top:1px solid #1e1e3f;margin:12px 0"></p></div></section></div><div class="two-col-side"></div></div></div><script>
            document.querySelectorAll('.copy-btn, .script-copy-btn').forEach(btn => {
              btn.addEventListener('click', () => {
                const cmd = btn.getAttribute('data-cmd');
                if (!cmd) return;
                navigator.clipboard.writeText(cmd).then(() => {
                  const orig = btn.textContent;
                  btn.textContent = 'Copied!';
                  setTimeout(() => btn.textContent = orig, 1500);
                }).catch(() => {});
              });
            });
          </script><!--$--><!--/$--></main><footer style="background:var(--bg-primary);border-top:1px solid var(--border-secondary);margin-top:60px"><div style="border-top:1px solid var(--border-light);max-width:1200px;margin:0 auto;padding:24px 20px"><div style="display:flex;justify-content:space-between;flex-wrap:wrap;gap:24px;margin-bottom:24px"><div><div style="font-weight:700;color:var(--text-muted);margin-bottom:8px">BytesAgain</div><div style="color:var(--text-muted3);font-size:.82em;max-width:200px">Discover the best AI agent skills for your workflow.</div></div><div><div style="color:var(--text-muted);font-size:.75em;text-transform:uppercase;letter-spacing:1px;margin-bottom:10px">Explore</div><div style="margin-bottom:6px"><a href="/skills" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Skills</a></div><div style="margin-bottom:6px"><a href="/articles" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Articles</a></div><div style="margin-bottom:6px"><a href="/use-case" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Cases</a></div></div><div><div style="color:var(--text-muted);font-size:.75em;text-transform:uppercase;letter-spacing:1px;margin-bottom:10px">Company</div><div style="margin-bottom:6px"><a href="/about" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">About</a></div><div style="margin-bottom:6px"><a href="/contact" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Contact</a></div><div style="margin-bottom:6px"><a href="/privacy-policy" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Privacy Policy</a></div><div style="margin-bottom:6px"><a href="/terms" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Terms</a></div><div style="margin-bottom:6px"><a href="/feedback" style="color:var(--text-muted2);text-decoration:none;font-size:.85em">Feedback</a></div></div></div><div style="border-top:1px solid var(--border-light);padding-top:16px"><div style="color:var(--text-muted4);font-size:.8em;margin-bottom:8px">Β© <!-- -->2026<!-- --> BytesAgain. All rights reserved.</div><div style="color:var(--text-muted5);font-size:.75em;line-height:1.6;max-width:720px">BytesAgain is an independent skill directory. We index and link to third-party content (ClawHub, GitHub, LobeHub, Dify, etc.) for informational purposes only. All trademarks, skill names, and content are the property of their respective owners. BytesAgain does not claim ownership of any indexed content.</div></div></div></footer><button style="position:fixed;bottom:28px;right:28px;z-index:1000;width:48px;height:48px;border-radius:50%;border:none;cursor:pointer;background:linear-gradient(135deg,#667eea,#00d4ff);color:#fff;font-size:1.3em;box-shadow:0 4px 20px #667eea66;display:flex;align-items:center;justify-content:center;transition:transform .2s">πŸ’¬</button><script src="/_next/static/chunks/0ze4gu236oq96.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ" id="_R_" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0])</script><script>self.__next_f.push([1,"1:\"$Sreact.fragment\"\n2:I[62894,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"LangProvider\"]\n3:I[89220,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"ThemeProvider\"]\n4:I[16988,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\ne:I[68027,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\",1]\n:HL[\"/_next/static/chunks/051nc0vy_6.rl.css?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"style\"]\n:HL[\"/_next/static/media/caa3a2e1cccd8315-s.p.09~u27dqhyhd6.woff2?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"font\",{\"crossOrigin\":\"\",\"type\":\"font/woff2\"}]\n5:Td5e,"])</script><script>self.__next_f.push([1,"[{\"@context\":\"https://schema.org\",\"@type\":\"WebSite\",\"name\":\"BytesAgain\",\"url\":\"https://bytesagain.com\",\"description\":\"Search 60,000+ verified AI agent skills via MCP API or REST. Supports 7 languages. Free, no auth required.\",\"inLanguage\":[\"en\",\"zh\",\"es\",\"fr\",\"de\",\"ja\",\"ko\"],\"potentialAction\":{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https://bytesagain.com/skills?q={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}},{\"@context\":\"https://schema.org\",\"@type\":\"Organization\",\"name\":\"BytesAgain\",\"url\":\"https://bytesagain.com\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://bytesagain.com/og-image.png\"},\"description\":\"AI agent skill directory. Search 60,000+ skills, 1,000+ use cases, and community requests.\",\"foundingDate\":\"2026\",\"foundingLocation\":{\"@type\":\"Place\",\"name\":\"Global\"},\"sameAs\":[\"https://x.com/bytesagain\",\"https://github.com/bytesagain/ai-skills\",\"https://clawhub.ai/profile/bytesagain\"],\"contactPoint\":{\"@type\":\"ContactPoint\",\"email\":\"hello@bytesagain.com\",\"contactType\":\"customer support\"},\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"value\":1}},{\"@context\":\"https://schema.org\",\"@type\":\"WebApplication\",\"name\":\"BytesAgain AI Skills Search\",\"url\":\"https://bytesagain.com\",\"applicationCategory\":\"DeveloperApplication\",\"operatingSystem\":\"Web\",\"description\":\"Search engine and MCP API for 60,000+ AI agent skills. Semantic search, role recommendations, and use case packs.\",\"offers\":{\"@type\":\"Offer\",\"price\":\"0\",\"priceCurrency\":\"USD\"},\"featureList\":[\"Search 60,000+ AI agent skills\",\"Role-based recommendations for developers, creators, and traders\",\"1,000+ curated use case packs\",\"Free MCP API and REST API\",\"Multi-language search (EN, ZH, ES, FR, DE, JA, KO)\"],\"potentialAction\":{\"@type\":\"SearchAction\",\"target\":\"https://bytesagain.com/skills?q={search_term_string}\",\"query-input\":\"required name=search_term_string\"},\"dateModified\":\"2026-07-17\"},{\"@context\":\"https://schema.org\",\"@type\":\"FAQPage\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"What is BytesAgain?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"BytesAgain is a curated directory of 60,000+ AI agent skills from ClawHub, GitHub, LobeHub, and Dify. Search skills by keyword in 7 languages, browse by role (developer, creator, trader, marketer) or by use case.\"}},{\"@type\":\"Question\",\"name\":\"How do I find AI skills on BytesAgain?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Use the search bar on BytesAgain.com to search by keyword in 7 languages. You can also browse by role (developer, creator, trader, marketer) or by use case. Each skill shows install instructions for Claude, Cursor, OpenClaw, Continue, and more.\"}},{\"@type\":\"Question\",\"name\":\"Is BytesAgain free?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes, BytesAgain is completely free. No registration required for searching skills. The MCP API is also free with rate limits.\"}},{\"@type\":\"Question\",\"name\":\"Does BytesAgain have an API for AI agents?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes! BytesAgain provides a free MCP SSE endpoint at /api/mcp/sse for AI agents, plus a REST API at /api/mcp?action=search\u0026q=\u003cquery\u003e. No authentication needed.\"}},{\"@type\":\"Question\",\"name\":\"Can I request a new AI skill on BytesAgain?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes! Visit the Requests page on BytesAgain.com to submit a skill request. Your request will be visible to the community and notified to the site admin.\"}}]}]"])</script><script>self.__next_f.push([1,"0:{\"P\":null,\"c\":[\"\",\"skill\",\"bookforge-source-code-security-review\"],\"q\":\"\",\"i\":false,\"f\":[[[\"\",{\"children\":[\"skill\",{\"children\":[[\"slug\",\"bookforge-source-code-security-review\",\"d\",null],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",16],[[\"$\",\"$1\",\"c\",{\"children\":[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/051nc0vy_6.rl.css?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-1\",{\"src\":\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"async\":true,\"nonce\":\"$undefined\"}],[\"$\",\"script\",\"script-2\",{\"src\":\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[[\"$\",\"link\",null,{\"rel\":\"llms\",\"href\":\"/llms.txt\"}],[\"$\",\"link\",null,{\"rel\":\"llms-full\",\"href\":\"/llms-full.txt\"}],[\"$\",\"script\",null,{\"async\":true,\"src\":\"https://www.googletagmanager.com/gtag/js?id=G-3C1MM9FWYF\"}],[\"$\",\"script\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"\\n          window.dataLayer = window.dataLayer || [];\\n          function gtag(){dataLayer.push(arguments);}\\n          gtag('js', new Date());\\n          gtag('config', 'G-3C1MM9FWYF');\\n        \"}}]]}],[\"$\",\"body\",null,{\"className\":\"geist_9e050971-module__05dp7a__className\",\"style\":{\"margin\":0},\"children\":[\"$\",\"$L2\",null,{\"children\":[\"$\",\"$L3\",null,{\"children\":[[\"$\",\"div\",null,{\"style\":{\"width\":\"100%\",\"background\":\"var(--bg-subscribe)\",\"borderBottom\":\"1px solid var(--border-primary)\",\"padding\":\"8px 20px\",\"textAlign\":\"center\",\"fontSize\":\".82em\",\"color\":\"#818cf8\"},\"children\":[\"🎁 \",[\"$\",\"strong\",null,{\"style\":{\"color\":\"var(--text-primary)\"},\"children\":\"Get the FREE AI Skills Starter Guide\"}],\" β€” \",[\"$\",\"a\",null,{\"href\":\"/register\",\"style\":{\"color\":\"#00d4ff\",\"textDecoration\":\"underline\"},\"children\":\"Subscribe β†’\"}]]}],[\"$\",\"$L4\",null,{}],[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"$5\"}}],\"$L6\",\"$L7\",\"$L8\"]}]}]}]]}]]}],{\"children\":[\"$L9\",{\"children\":[\"$La\",{\"children\":[\"$Lb\",{},null,false,null]},null,false,\"$@c\"]},null,false,\"$@c\"]},null,false,null],\"$Ld\",false]],\"m\":\"$undefined\",\"G\":[\"$e\",[\"$Lf\"]],\"S\":true,\"h\":null,\"s\":\"$undefined\",\"l\":\"$undefined\",\"p\":\"$undefined\",\"d\":\"$undefined\"}\n"])</script><script>self.__next_f.push([1,"10:I[39756,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n11:I[37457,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n12:I[22016,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0ka051yepewro.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"\"]\n13:I[90940,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n14:I[16397,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n16:I[97367,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"OutletBoundary\"]\n17:\"$Sreact.suspense\"\n1a:I[97367,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"ViewportBoundary\"]\n1c:I[97367,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"MetadataBoundary\"]\n"])</script><script>self.__next_f.push([1,"6:[\"$\",\"main\",null,{\"children\":[\"$\",\"$L10\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L11\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[[\"$\",\"main\",null,{\"style\":{\"minHeight\":\"100vh\",\"display\":\"flex\",\"alignItems\":\"center\",\"justifyContent\":\"center\",\"background\":\"#050611\",\"color\":\"#e5e7eb\"},\"children\":[[\"$\",\"style\",null,{\"children\":\"\\n        .nf-box { text-align: center; padding: 60px 32px; }\\n        .nf-code { font-size: 6rem; font-weight: 900; color: #22d3ee; line-height: 1; margin: 0; }\\n        .nf-title { font-size: 1.8rem; font-weight: 800; margin: 12px 0 8px; }\\n        .nf-desc { color: var(--text-muted2); font-size: 1rem; margin-bottom: 32px; max-width: 440px; }\\n        .nf-link { display: inline-block; padding: 12px 28px; background: linear-gradient(135deg,#34d399,#22d3ee); color: #000; font-weight: 900; border-radius: 12px; text-decoration: none; }\\n      \"}],[\"$\",\"div\",null,{\"className\":\"nf-box\",\"children\":[[\"$\",\"p\",null,{\"className\":\"nf-code\",\"children\":\"404\"}],[\"$\",\"h1\",null,{\"className\":\"nf-title\",\"children\":\"Page Not Found\"}],[\"$\",\"p\",null,{\"className\":\"nf-desc\",\"children\":\"The skill or page you're looking for doesn't exist or has been moved.\"}],[\"$\",\"$L12\",null,{\"className\":\"nf-link\",\"href\":\"/\",\"children\":\"Back to BytesAgain\"}]]}]]}],[]],\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]}]\n"])</script><script>self.__next_f.push([1,"7:[\"$\",\"$L13\",null,{}]\n8:[\"$\",\"$L14\",null,{}]\n9:[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L10\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L11\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}]\na:[\"$\",\"$1\",\"c\",{\"children\":[null,[\"$\",\"$L10\",null,{\"parallelRouterKey\":\"children\",\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L11\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"forbidden\":\"$undefined\",\"unauthorized\":\"$undefined\"}]]}]\nb:[\"$\",\"$1\",\"c\",{\"children\":[\"$L15\",[[\"$\",\"script\",\"script-0\",{\"src\":\"/_next/static/chunks/12w5ognupk9fb.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"async\":true,\"nonce\":\"$undefined\"}]],[\"$\",\"$L16\",null,{\"children\":[\"$\",\"$17\",null,{\"name\":\"Next.MetadataOutlet\",\"children\":\"$@18\"}]}]]}]\n19:[]\nc:\"$W19\"\nd:[\"$\",\"$1\",\"h\",{\"children\":[null,[\"$\",\"$L1a\",null,{\"children\":\"$L1b\"}],[\"$\",\"div\",null,{\"hidden\":true,\"children\":[\"$\",\"$L1c\",null,{\"children\":[\"$\",\"$17\",null,{\"name\":\"Next.Metadata\",\"children\":\"$L1d\"}]}]}],[\"$\",\"meta\",null,{\"name\":\"next-size-adjust\",\"content\":\"\"}]]}]\nf:[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/chunks/051nc0vy_6.rl.css?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\",\"nonce\":\"$undefined\"}]\n"])</script><script>self.__next_f.push([1,"1b:[[\"$\",\"meta\",\"0\",{\"charSet\":\"utf-8\"}],[\"$\",\"meta\",\"1\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}]]\n"])</script><script>self.__next_f.push([1,"1e:I[27201,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"IconMark\"]\n18:null\n"])</script><script>self.__next_f.push([1,"1d:[[\"$\",\"title\",\"0\",{\"children\":\"Source Code Security Review β€” AI Agent Skill | BytesAgain | BytesAgain\"}],[\"$\",\"meta\",\"1\",{\"name\":\"description\",\"content\":\"Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized a...\"}],[\"$\",\"meta\",\"2\",{\"name\":\"robots\",\"content\":\"index, follow\"}],[\"$\",\"meta\",\"3\",{\"name\":\"googlebot\",\"content\":\"index, follow, max-image-preview:large, max-snippet:-1\"}],[\"$\",\"meta\",\"4\",{\"name\":\"llms-txt\",\"content\":\"https://bytesagain.com/llms.txt\"}],[\"$\",\"meta\",\"5\",{\"name\":\"llms-full-txt\",\"content\":\"https://bytesagain.com/llms-full.txt\"}],[\"$\",\"link\",\"6\",{\"rel\":\"canonical\",\"href\":\"https://bytesagain.com/skill/bookforge-source-code-security-review\"}],[\"$\",\"meta\",\"7\",{\"name\":\"baidu-site-verification\",\"content\":\"codeva-0evUqX1TFs\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:title\",\"content\":\"Source Code Security Review β€” AI Agent Skill | BytesAgain\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:description\",\"content\":\"Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized a...\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:url\",\"content\":\"https://bytesagain.com/skill/bookforge-source-code-security-review\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:site_name\",\"content\":\"BytesAgain\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://bytesagain.com/social-preview.png\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"14\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"15\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:title\",\"content\":\"Source Code Security Review β€” AI Agent Skill | BytesAgain\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:description\",\"content\":\"Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized a...\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image\",\"content\":\"https://bytesagain.com/social-preview.png\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"21\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"link\",\"22\",{\"rel\":\"icon\",\"href\":\"/favicon.ico?favicon.0x3dzn~oxb6tn.ico\",\"sizes\":\"256x256\",\"type\":\"image/x-icon\"}],[\"$\",\"$L1e\",\"23\",{}]]\n"])</script><script>self.__next_f.push([1,"1f:T1562,"])</script><script>self.__next_f.push([1,"\n        .skill-page { max-width: 1100px; margin: 0 auto; padding: 32px 20px 80px; }\n        .two-col { display: flex; gap: 32px; align-items: flex-start; }\n        .two-col-main { flex: 1; min-width: 0; }\n        .two-col-side { width: 300px; flex-shrink: 0; }\n        @media (max-width: 860px) {\n          .two-col { flex-direction: column; }\n          .two-col-side { width: 100%; }\n        }\n        .breadcrumb { font-size: .82em; color: var(--text-muted2); margin-bottom: 28px; }\n        .breadcrumb a { color: #818cf8; text-decoration: none; }\n        .breadcrumb a:hover { text-decoration: underline; }\n        .skill-card { background: var(--bg-card); border: 1px solid var(--border-card); border-radius: 20px; padding: 28px; margin-bottom: 24px; }\n        .skill-header { display: flex; align-items: flex-start; justify-content: space-between; gap: 16px; margin-bottom: 20px; flex-wrap: wrap; }\n        .skill-badges { display: flex; align-items: center; gap: 8px; flex-wrap: wrap; }\n        .skill-top-actions { display: flex; align-items: center; gap: 10px; margin-left: auto; }\n        .badge { display: inline-flex; align-items: center; gap: 5px; font-size: .75em; font-weight: 600; padding: 4px 12px; border-radius: 999px; border: 1px solid transparent; }\n        .skill-title { font-size: 1.6em; font-weight: 800; color: var(--text-primary); margin: 0 0 4px; line-height: 1.2; }\n        .skill-owner { font-size: .82em; color: var(--text-muted2); margin: 0 0 14px; }\n        .skill-owner span { color: #818cf8; }\n        .skill-desc { font-size: .92em; color: var(--text-secondary); line-height: 1.65; margin: 0 0 16px; }\n        .skill-meta { display: flex; gap: 16px; flex-wrap: wrap; margin-bottom: 18px; padding-bottom: 16px; border-bottom: 1px solid var(--border-card); }\n        .meta-item { display: flex; flex-direction: column; gap: 2px; }\n        .meta-label { font-size: .7em; color: var(--text-muted5); text-transform: uppercase; letter-spacing: 1px; font-weight: 600; }\n        .meta-value { font-size: .92em; color: var(--text-muted2); font-weight: 600; }\n        .tags-row { display: flex; gap: 6px; flex-wrap: wrap; }\n        .tag { font-size: .75em; color: #6366f1; background: #6366f115; border: 1px solid #6366f130; border-radius: 6px; padding: 3px 10px; text-decoration: none; }\n        .tag:hover { background: #6366f125; }\n        .install-box { background: var(--bg-deep); border: 1px solid var(--border-card); border-radius: 12px; overflow: hidden; margin-bottom: 24px; }\n        .install-header { display: flex; align-items: center; justify-content: space-between; padding: 10px 16px; border-bottom: 1px solid var(--border-card); }\n        .install-dots { display: flex; gap: 6px; }\n        .dot { width: 10px; height: 10px; border-radius: 50%; }\n        .install-label { font-size: .72em; color: var(--text-muted5); font-family: monospace; letter-spacing: 1px; }\n        .install-body { padding: 16px 20px; display: flex; align-items: center; justify-content: space-between; gap: 12px; }\n        .install-cmd { color: var(--text-code);\n font-family: 'Courier New', monospace; font-size: 1em; }\n        .copy-btn { font-size: .75em; color: #6366f1; background: #6366f115; border: 1px solid #6366f130; border-radius: 6px; padding: 5px 12px; cursor: pointer; white-space: nowrap; transition: all .15s; }\n        .copy-btn:hover { background: #6366f125; }\n        .btn-secondary { display: inline-flex; align-items: center; gap: 8px; padding: 13px 24px; background: transparent; border: 1px solid var(--border-card); border-radius: 10px; color: #6b7280; text-decoration: none; font-weight: 600; font-size: .95em; transition: all .15s; }\n        .btn-secondary:hover { border-color: #818cf8; color: #818cf8; }\n        .ours-badge { display: inline-flex; align-items: center; gap: 6px; font-size: .72em; font-weight: 700; color: #22d3ee; background: #22d3ee10; border: 1px solid #22d3ee30; border-radius: 999px; padding: 4px 14px; }\n        .section-card { background: var(--bg-card); border: 1px solid var(--border-card); border-radius: 16px; padding: 22px 24px; margin-bottom: 20px; }\n        .section-title { color: var(--text-primary); font-size: 1.08em; font-weight: 800; margin: 0 0 12px; display: flex; align-items: center; gap: 8px; }\n        /* Script box */\n        .script-header { display: flex; align-items: center; justify-content: space-between; padding: 8px 14px; background: var(--bg-input); border-bottom: 1px solid var(--border-card); }\n        .script-filename { font-size: .72em; color: var(--text-muted2); font-family: 'Courier New', monospace; }\n        .script-copy-btn { font-size: .72em; color: #6366f1; background: none; border: 1px solid #6366f130; border-radius: 4px; padding: 2px 10px; cursor: pointer; }\n        .script-copy-btn:hover { background: #6366f115; }\n        .script-body { padding: 14px 16px; font-family: 'Courier New', monospace; font-size: .82em; line-height: 1.6; color: var(--text-code); overflow-x: auto; max-height: 420px; overflow-y: auto; white-space: pre; }\n        /* Articles */\n        .article-card { display: block; background: var(--bg-secondary); border: 1px solid var(--border-primary); border-radius: 10px; padding: 14px 16px; text-decoration: none; transition: border-color .15s; }\n        .article-card:hover { border-color: #6366f1; }\n        @media (max-width: 600px) {\n          .skill-card { padding: 20px; }\n          .skill-title { font-size: 1.5em; }\n        }\n      "])</script><script>self.__next_f.push([1,"15:[[\"$\",\"style\",null,{\"children\":\"$1f\"}],\"$L20\",\"$L21\"]\n"])</script><script>self.__next_f.push([1,"22:I[78297,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/12w5ognupk9fb.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n23:T12bc8,"])</script><script>self.__next_f.push([1,"\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\nname: source-code-security-review\ndescription: |\n  Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized access to an application's source code and need to identify security flaws faster or more thoroughly than black-box testing alone; auditing a codebase prior to launch or after a security incident; reviewing open-source or purchased software for embedded vulnerabilities; complementing an active penetration test with source-level analysis. Applies a three-phase methodology: (1) identify all user-input entry points via platform-specific source APIs β€” Java HttpServletRequest, ASP.NET Request.Params/Form/QueryString, PHP $_GET/$_POST/$_COOKIE/$_REQUEST, Perl CGI param(), JavaScript document.location/URL; (2) trace data flow forward to dangerous sink APIs β€” Runtime.exec()/Process.Start() for OS command injection, Statement.execute()/mysql_query() for SQL injection, FileInputStream/include() for path traversal, sendRedirect()/header() for open redirect, eval() for script injection; (3) line-by-line close review of authentication, session management, access control, and native code components. Covers 8 vulnerability signature categories: cross-site scripting, SQL injection, path traversal, arbitrary redirection, OS command injection, backdoor passwords, native software bugs (buffer overflow, integer flaw, format string), and incriminating source code comments. Also covers database code components (stored procedures with dynamic SQL) and environment configuration checks (web.xml, Web.config, php.ini). Produces a prioritized findings report with evidence and countermeasures. Maps to CWE-79 (XSS), CWE-89 (SQL Injection), CWE-22 (Path Traversal), CWE-601 (Open Redirect), CWE-78 (OS Command Injection), CWE-798 (Hardcoded Credentials), CWE-120/121/122 (Buffer Overflow), CWE-134 (Format String). For authorized security review engagements, appsec engineers, and security-minded developers.\nversion: 1.0.0\nhomepage: https://github.com/bookforge-ai/bookforge-skills/tree/main/books/web-application-hackers-handbook/skills/source-code-security-review\nmetadata: {\"openclaw\":{\"emoji\":\"πŸ“š\",\"homepage\":\"https://github.com/bookforge-ai/bookforge-skills\"}}\nstatus: draft\ndepends-on: []\nsource-books:\n  - id: web-application-hackers-handbook\n    title: \"The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws\"\n    authors: [\"Dafydd Stuttard\", \"Marcus Pinto\"]\n    edition: 2\n    chapters: [19]\n    pages: \"701-745\"\ntags: [code-review, white-box-testing, source-code-analysis, xss, sql-injection, path-traversal, open-redirect, command-injection, backdoor, buffer-overflow, java, aspnet, php, perl, javascript, penetration-testing, appsec, cwe-79, cwe-89, cwe-22, cwe-601, cwe-78, cwe-798, cwe-120, cwe-134]\nexecution:\n  tier: 1\n  mode: full\n  inputs:\n    - type: codebase\n      description: \"Web application source code β€” server-side handlers, data access layer, database stored procedures, configuration files (web.xml, Web.config, php.ini), client-side JavaScript\"\n    - type: document\n      description: \"Build manifests, dependency lists, architecture diagrams β€” optional but useful for scoping\"\n  tools-required: [Read, Grep]\n  tools-optional: [Bash, Write]\n  mcps-required: []\n  environment: \"Run directly against the source code repository. No live application required. Authorized review context required.\"\ndiscovery:\n  goal: \"Identify exploitable security vulnerabilities in web application source code using a structured three-phase approach β€” entry points, dangerous sinks, and line-by-line review of high-risk components β€” and produce a prioritized findings report\"\n  tasks:\n    - \"Establish platform and establish custom wrapper awareness before proceeding\"\n    - \"Map all user-input entry points using platform-specific source APIs\"\n    - \"Trace data flow from sources to dangerous sink APIs for each vulnerability category\"\n    - \"Perform line-by-line review of high-risk components: authentication, session management, access control, native code\"\n    - \"Audit database stored procedures for dynamic SQL construction\"\n    - \"Review environment configuration files for security-relevant settings\"\n    - \"Document findings with CWE mapping, severity, evidence, and countermeasures\"\n  audience:\n    roles: [\"penetration-tester\", \"application-security-engineer\", \"security-minded-developer\"]\n    experience: \"intermediate-to-advanced β€” assumes familiarity with at least one server-side web platform (Java, .NET, PHP, Perl) and common web vulnerability classes\"\n  triggers:\n    - \"Penetration test engagement where source code access has been granted\"\n    - \"Security audit of a web application prior to production deployment\"\n    - \"Reviewing an open-source project or purchased component for embedded vulnerabilities\"\n    - \"Root-cause analysis after a security incident β€” understanding how the vulnerability existed in code\"\n    - \"Supplementing automated SAST tool output with manual verification\"\n  not_for:\n    - \"Black-box behavioral testing without source access β€” use the relevant black-box testing skills\"\n    - \"Infrastructure or network security review β€” different scope\"\n    - \"Mobile application source review β€” different platform APIs\"\n\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch2 style=\"color:#f3f4f6;margin:20px 0 10px;font-size:1.15em\"\u003eSource Code Security Review\u003c/h2\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eWhen to Use\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eYou have authorized access to a web application's source code and need to find security vulnerabilities systematically.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eThis skill applies when:\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA penetration test or security audit includes source code access, and you want to find more vulnerabilities faster than black-box alone\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eYou need to identify backdoor passwords, hardcoded credentials, or logic flaws that are invisible to behavioral testing\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eA black-box test revealed anomalous behavior and you want to trace its root cause in code\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eYou are reviewing an open-source component before integrating it into production\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eThe foundational insight:\u003c/strong\u003e Black-box testing is powerful but incomplete. Automated fuzzing can send hundreds of test cases per minute, but it cannot identify a backdoor password that only activates for a specific hardcoded value, a condition-guarded XSS that only triggers when a secondary parameter equals \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\"3\"\u003c/code\u003e, or a buffer overflow buried in a native helper library. Source code review finds a different population of vulnerabilities than black-box testing. The two approaches are strongest when combined β€” code review guides where to probe interactively; interactive testing confirms whether code-level findings are actually exploitable.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eBefore starting:\u003c/strong\u003e Establish the extent of any custom wrappers, library extensions, or application-specific abstractions around standard APIs. Applications may implement their own session storage, input sanitization utilities, or database access layers. Understanding these customizations is essential β€” a call to a custom \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003esafeQuery()\u003c/code\u003e wrapper may or may not prevent SQL injection depending on its implementation.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eAuthorized review only.\u003c/strong\u003e This skill is for security professionals with explicit written authorization.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eContext and Input Gathering\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003eRequired Context\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePlatform(s) in use (Java, ASP.NET, PHP, Perl, JavaScript, or mix):\u003c/strong\u003e\u003c/li\u003e\n  Why: each platform has distinct source APIs for reading user input and distinct dangerous sink APIs. The Grep patterns and review focus differ entirely between a Java servlet application and a PHP script.\n  - Check for: \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003epom.xml\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ebuild.gradle\u003c/code\u003e (Java), \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e*.csproj\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eWeb.config\u003c/code\u003e (ASP.NET), \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e*.php\u003c/code\u003e files, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e*.pl\u003c/code\u003e files, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003epackage.json\u003c/code\u003e (Node.js/JS)\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eScope of review (full codebase, specific modules, authentication only):\u003c/strong\u003e\u003c/li\u003e\n  Why: a large enterprise application may have hundreds of thousands of lines. Time-boxed reviews require prioritizing the highest-risk components. Without a defined scope, coverage is uneven.\n  - If unspecified, start with authentication, session management, access control, and any component that processes user file access or external command execution\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eAny existing SAST tool output:\u003c/strong\u003e\u003c/li\u003e\n  Why: avoids duplicating what automated analysis already found and focuses manual effort on classes of issues that tools reliably miss (logic flaws, race conditions, backdoors).\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003eObservable Context (gather from codebase)\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ePlatform-specific configuration files: \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eweb.xml\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eWeb.config\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ephp.ini\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.htaccess\u003c/code\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eFramework identification: Spring, Struts, Django, Laravel, Rails annotations and imports\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eDatabase access layer: ORM vs raw SQL, presence of prepared statement APIs\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eCustom security utilities: classes or functions named \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003esanitize\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003evalidate\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eencode\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eescape\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003efilter\u003c/code\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eNative code integration: JNI calls, P/Invoke, C extension includes, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eRuntime.exec\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eProcess.Start\u003c/code\u003e\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eProcess\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003ePhase 1 β€” Map User-Input Entry Points\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eACTION:\u003c/strong\u003e Grep the codebase for platform-specific source APIs. Every location where user-controlled data enters the application is a potential source of tainted data. Build a catalog of entry points before tracing data flows.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eWHY:\u003c/strong\u003e Vulnerabilities arise when user-controlled data reaches a dangerous operation without proper validation or encoding. You cannot trace data flow without first knowing all the places data enters. Applications frequently receive input through less-obvious channels β€” HTTP headers, cookies, session-derived data from user registration, even the URL path itself. Missing an entry point means missing all vulnerabilities that originate from it.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eAGENT: EXECUTES\u003c/strong\u003e β€” Grep for platform-specific source APIs:\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJava (HttpServletRequest / ServletRequest):\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003egetParameter|getParameterNames|getParameterValues|getParameterMap\ngetQueryString|getHeader|getHeaders|getHeaderNames\ngetRequestURI|getRequestURL|getCookies|getRequestedSessionId\ngetInputStream|getReader|getRemoteUser|getUserPrincipal\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eASP.NET (System.Web.HttpRequest):\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003eRequest\\.Params|Request\\.Item|Request\\.Form|Request\\.QueryString\nRequest\\.ServerVariables|Request\\.Headers|Request\\.Url|Request\\.RawUrl\nRequest\\.UrlReferrer|Request\\.Cookies|Request\\.BinaryRead\nRequest\\.Browser|Request\\.UserAgent|Request\\.AcceptTypes\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePHP:\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e\\$_GET|\\$_POST|\\$_COOKIE|\\$_REQUEST|\\$_FILES|\\$_SERVER\n\\$HTTP_GET_VARS|\\$HTTP_POST_VARS|\\$HTTP_COOKIE_VARS\n\\$GLOBALS\n\u003c/code\u003e\u003c/pre\u003e\nNote: if \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eregister_globals\u003c/code\u003e is enabled in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ephp.ini\u003c/code\u003e, any variable name may receive request parameter values. Line-by-line review is then required to track all uses of uninitialized variables.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePerl (CGI.pm):\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e-\u003eparam\\(|-\u003eparam_fetch\\(|-\u003eVars\\b|-\u003ecookie\\(|-\u003eraw_cookie\\(\n-\u003equery_string\\b|-\u003ereferer\\b|-\u003eself_url\\b|-\u003eurl\\b\nReadParse\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJavaScript (DOM sources):\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003edocument\\.location|document\\.URL|document\\.URLUnencoded|document\\.referrer\nwindow\\.location|location\\.search|location\\.hash|location\\.href\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eNOTE:\u003c/strong\u003e Also search for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e$GLOBALS\u003c/code\u003e (PHP), any class names ending in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eRequest\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eHttpContext\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eHttpInput\u003c/code\u003e, or equivalent β€” applications commonly abstract input access behind wrapper classes.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003ePhase 2 β€” Trace Data Flow to Dangerous Sinks (Signature Scanning)\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eACTION:\u003c/strong\u003e For each vulnerability category below, grep for the dangerous sink APIs. For each hit, trace backward to determine whether user-controlled data from Phase 1 sources flows into that sink without adequate validation or encoding. Confirm or dismiss each candidate finding.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eWHY:\u003c/strong\u003e Signature scanning targets the highest-density locations of potential vulnerabilities first. A hard-coded SQL query fragment like \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\"SELECT\u003c/code\u003e appearing in application code is almost always part of a SQL injection–vulnerable pattern. An \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eeval()\u003c/code\u003e call receiving user input is almost always dangerous. This approach finds low-hanging fruit quickly, leaving remaining time for the subtler line-by-line review in Phase 3.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### 2.1 β€” Cross-Site Scripting (XSS)\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for output APIs that write user data to responses:\u003c/strong\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJava:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eresponse.getWriter().print|println|write\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eout.print|println\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.InnerHtml\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eresponse.setHeader\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eASP.NET:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eResponse.Write|Response.Output.Write\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\\.InnerHtml\\s*=\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\\.InnerText\\s*=\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePHP:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eecho\\b|print\\b|printf\\b|vprintf\\b\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\u003c?=\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJavaScript (DOM sinks):\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003edocument\\.write\\(|document\\.writeln\\(|\\.innerHTML\\s*=\neval\\(|window\\.execScript\\(|window\\.setInterval\\(|window\\.setTimeout\\(\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePattern to find:\u003c/strong\u003e User input from a Phase 1 source is incorporated into HTML output without HTML-encoding. Example:\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e// Vulnerable: m_pageTitle set from request.getParameter(\"title\") and\n// later written into a \u003ctitle\u003e element without encoding\nm_pageTitle = request.getParameter(\"title\");\n\u003c/code\u003e\u003c/pre\u003e\nTrace \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003em_pageTitle\u003c/code\u003e forward β€” if it is written to a response element or used to construct a link/HTML fragment without \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eHtmlEncode()\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eescapeHtml()\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eHtmlUtils.htmlEscape()\u003c/code\u003e, this is a confirmed XSS.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for SQL fragment strings to find XSS in query-string construction:\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e\"SELECT |\"INSERT |\"DELETE |\" WHERE |\" AND |\" OR |\" ORDER BY\n\u003c/code\u003e\u003c/pre\u003e\nThese patterns are case-insensitive; also search lowercase. The surrounding whitespace and quote distinguish SQL keyword strings from ordinary concatenated strings.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eNOTE on filter-based mitigations:\u003c/strong\u003e If a filter exists that blocks certain XSS payloads in the query string, trace it carefully. Filters applied to the wrong parameter, or applied before the vulnerable parameter is read, provide no protection.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### 2.2 β€” SQL Injection\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for raw SQL execution APIs:\u003c/strong\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJava:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ecreateStatement|Statement\\.execute|Statement\\.executeQuery|Statement\\.executeUpdate\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eASP.NET:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eSqlCommand|OleDbCommand|OdbcCommand|SqlDataAdapter|\\.CommandText\\s*=\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePHP:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003emysql_query|mssql_query|pg_query|mysqli_query\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePerl:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e-\u003eselectall_arrayref|-\u003edo\\b\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eFor each hit, check whether the SQL string is constructed by concatenating user-controlled data. The presence of string fragments like \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\" WHERE \u003c/code\u003e + variable or \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\"SELECT * FROM \u003c/code\u003e + variable adjacent to a \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ecreateStatement\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eexecute\u003c/code\u003e call is a strong indicator.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eContrast with safe patterns:\u003c/strong\u003e Presence of \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eprepareStatement\u003c/code\u003e (Java), \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.Parameters.Add\u003c/code\u003e (ASP.NET), \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003emysqli-\u003eprepare\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003estmt-\u003ebind_param\u003c/code\u003e (PHP), or \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e-\u003eprepare\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e-\u003eexecute\u003c/code\u003e (Perl) indicates parameterized queries β€” confirm that the prepared statement is actually used with bound parameters, not that the SQL string itself still incorporates concatenated user input before being prepared.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eDatabase stored procedures:\u003c/strong\u003e Extend this search to stored procedure definitions (\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.sql\u003c/code\u003e files, embedded SQL strings). A web application calling a parameterized stored procedure is safe only if the procedure itself does not construct dynamic SQL from its parameters. Search stored procedure code for dynamic SQL execution keywords: \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eEXEC\u003c/code\u003e (MS-SQL, Sybase), \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eEXECUTE IMMEDIATE\u003c/code\u003e (Oracle), \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eEXEC SQL\u003c/code\u003e (DB2). If user-supplied procedure parameters are concatenated into these dynamic SQL strings, SQL injection exists in the database tier even when the application tier uses parameterized calls.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### 2.3 β€” Path Traversal\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for filesystem APIs:\u003c/strong\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJava:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003enew File\\(|FileInputStream|FileOutputStream|FileReader|FileWriter\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eASP.NET:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eSystem\\.IO\\.File\\.|FileStream\\(|StreamReader\\(|StreamWriter\\(\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePHP:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003efopen\\(|readfile\\(|file\\(|fpassthru\\(|include\\(|require\\(|include_once\\(|require_once\\(\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePerl:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eopen\\s*\\(|sysopen\\s*\\(\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eFor each hit, determine whether the filename parameter incorporates user-controlled data. The most common pattern is user data appended to a hard-coded base directory:\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003eFileStream fs = new FileStream(\"C:\\\\temp\\\\\" + userInput, FileMode.Open);\n\u003c/code\u003e\u003c/pre\u003e\nThis is vulnerable if \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003euserInput\u003c/code\u003e is not canonicalized and verified to not contain \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e..\u003c/code\u003e sequences.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eFor PHP \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003einclude()\u003c/code\u003e / \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003erequire()\u003c/code\u003e:\u003c/strong\u003e Also check whether the included file path can resolve to a remote URL (if \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eallow_url_include\u003c/code\u003e is enabled in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ephp.ini\u003c/code\u003e). Remote File Inclusion (RFI) produces arbitrary code execution.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for filename-related parameter names\u003c/strong\u003e as a quick surface finder:\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003eAttachName|filename|filepath|file=|path=|template=|page=|include=\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### 2.4 β€” Arbitrary Redirection\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for redirect APIs:\u003c/strong\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJava:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003esendRedirect\\(|setStatus\\(|addHeader\\(\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eASP.NET:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eHttpResponse\\.Redirect\\(|Response\\.Status|Response\\.StatusCode|Response\\.AddHeader|Server\\.Transfer\u003c/code\u003e\nNote: \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eServer.Transfer\u003c/code\u003e changes the page processed server-side without issuing an HTTP redirect, so it cannot be exploited for external redirects β€” but it can still be used for internal access control bypass.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePHP:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ehttp_redirect\\(|header\\s*\\(.*Location|HttpMessage::setResponseCode|HttpMessage::setHeaders\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePerl:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e-\u003eredirect\\(\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eFor each hit, check whether the redirect URL string is constructed from user-controllable data (e.g., a \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003erefURL\u003c/code\u003e query string parameter, a \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eReturnUrl\u003c/code\u003e form field). Also check client-side JavaScript for redirect patterns:\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003edocument.location = target;\nwindow.location.href = url;\n\u003c/code\u003e\u003c/pre\u003e\nTrace whether the URL value originates from a DOM source (\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003edocument.URL\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003edocument.referrer\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003elocation.search\u003c/code\u003e). After-validation canonicalization is a common bypass path β€” if the code calls \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eunescape()\u003c/code\u003e after checking for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e//\u003c/code\u003e, the check can be bypassed with double-encoded slashes (\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e%25252f%25252f\u003c/code\u003e).\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### 2.5 β€” OS Command Injection\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for OS command execution APIs:\u003c/strong\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJava:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eRuntime\\.getRuntime\\(\\)\\.exec|Runtime\\.exec\\(\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eASP.NET:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eProcess\\.Start\\(|ProcessStartInfo\u003c/code\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePHP:\u003c/strong\u003e \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\\bexec\\s*\\(|passthru\\(|popen\\(|proc_open\\(|shell_exec\\(|system\\(\u003c/code\u003e, and the backtick operator `\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e \u003c/code\u003ecommand\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e \u003c/code\u003e\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePerl:\u003c/strong\u003e \u003c/code\u003esystem\\s*\\(|\\bexec\\s*\\(|qx/|qx\\(\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, and the backtick operator\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eC/C++ (native components):\u003c/strong\u003e \u003c/code\u003esystem\\(|popen\\(|execve\\(|execl\\(\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eFor each hit, determine whether user-controlled data forms part of the command string. In Java, \u003c/code\u003eRuntime.exec(string)\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e interprets shell metacharacters if the argument is a single string β€” but \u003c/code\u003eRuntime.exec(String[])\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e with arguments passed as separate array elements does not. Partial control of the command string may still be exploitable via argument injection (injecting command-line flags rather than shell metacharacters).\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### 2.6 β€” Backdoor Passwords and Hidden Debug Functions\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for hardcoded credential patterns in authentication logic:\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003eequals\\(\".*\"\\)|\\.equals\\('.*'\\)|==\\s*[\"']\npassword.*==|password.*equals|\"admin\"|\"password\"|\"secret\"\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eGrep for incriminating source code comments:\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e// bug|// problem|// bad|// hope|// todo|// fix|// overflow\n// crash|// inject|// xss|// trust|# bug|# hack|# fixme\n\u003ch2 style=\"color:#f3f4f6;margin:20px 0 10px;font-size:1.15em\"\u003etodo|# xxx\u003c/h2\u003e\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eThese comment searches often surface developer-acknowledged vulnerabilities that were never resolved, temporary workarounds that became permanent, or security test code that was never removed. Example from production code:\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003echar buf[200]; // I hope this is big enough\nstrcpy(buf, userinput);\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eAlso look for:\u003c/strong\u003e Unreferenced functions accessible via hidden URL parameters, \u003c/code\u003edebug=1\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e style logic branches, IP address allowlists that bypass authentication.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e#### 2.7 β€” Native Software Bugs (C/C++ components)\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eBuffer overflow β€” grep for unchecked buffer manipulation APIs:\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e\\bstrcpy\\b|\\bstrcat\\b|\\bmemcpy\\b|\\bsprintf\\b|\\bgets\\b|\\bscanf\\b\n\u003c/code\u003e\u003c/pre\u003e\nAlso: their wide-character variants (\u003c/code\u003ewcscpy\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003ewcscat\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003eswprintf\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e). For each hit, verify whether the destination buffer is large enough to accommodate the source data, and whether the source length is bounded. Even \u003c/code\u003estrncpy\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e can be misused β€” check whether the size argument is \u003c/code\u003estrlen(src)\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e rather than \u003c/code\u003esizeof(dst)\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e (the former still overflows if \u003c/code\u003esrc\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e exceeds \u003c/code\u003edst\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e's size).\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eInteger vulnerabilities β€” grep for signed/unsigned comparisons:\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003elen\\s*\u003c\\s*sizeof|size\\s*\u003c\\s*sizeof|length\\s*\u003c\\s*sizeof\n\u003c/code\u003e\u003c/pre\u003e\nIf \u003c/code\u003elen\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e is a signed integer compared to \u003c/code\u003esizeof()\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e (which returns an unsigned \u003c/code\u003esize_t\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e), a user-supplied negative value for \u003c/code\u003elen\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e passes the check and causes the subsequent unchecked copy to overwrite memory.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eFormat string vulnerabilities β€” grep for uncontrolled format strings:\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e\\bprintf\\s*(\\s*[^\"]\\|fprintf\\s*(\\s*[^\"][^,]\\|syslog\\s*(\\s*[^,]*,\\s*[^\"]\n\u003c/code\u003e\u003c/pre\u003e\nThe dangerous pattern is \u003c/code\u003eprintf(userInput)\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e instead of \u003c/code\u003eprintf(\"%s\", userInput)\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. If the format string parameter is user-controllable, the attacker controls format specifiers β€” \u003c/code\u003e%n\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e writes to arbitrary memory addresses, enabling code execution.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003ePhase 3 β€” Line-by-Line Review of High-Risk Components\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eACTION:\u003c/strong\u003e Select the components listed below for close sequential reading. The goal is not to find every vulnerability via signatures, but to understand the security logic and find flaws in its design or implementation β€” race conditions, time-of-check/time-of-use issues, bypasses enabled by edge cases, incorrect trust assumptions.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eWHY:\u003c/strong\u003e Many serious vulnerabilities are not detectable by grep β€” they require understanding the surrounding logic. An authentication bypass may exist because a conditional check that should be \u003c/code\u003e\u0026\u0026\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e is \u003c/code\u003e||\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. A session fixation vulnerability requires reading the session initialization flow end-to-end. These subtler issues are common in precisely the most security-critical code.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eComponents to read line-by-line:\u003c/strong\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e1. \u003cstrong style=\"color:#e5e7eb\"\u003eAuthentication mechanisms\u003c/strong\u003e β€” login logic, password comparison, account lockout, password reset flow, multi-factor verification. Look for: timing-based username enumeration, bypass conditions (OR instead of AND in credential checks), hardcoded fallback credentials, insecure token generation for password reset.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e2. \u003cstrong style=\"color:#e5e7eb\"\u003eSession management\u003c/strong\u003e β€” session token generation, storage, validation, and invalidation. Look for: use of \u003c/code\u003ejava.util.Random\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e (predictable) instead of \u003c/code\u003eSecureRandom\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, session tokens derived from user-controllable data, session fixation (token not rotated after login), logout that does not invalidate the server-side session.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e3. \u003cstrong style=\"color:#e5e7eb\"\u003eAccess control\u003c/strong\u003e β€” per-resource authorization checks, role validation. Look for: missing checks on sensitive endpoints, checks that rely on client-supplied role data, checks placed after the sensitive operation rather than before.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e4. \u003cstrong style=\"color:#e5e7eb\"\u003eApplication-wide input validation utilities\u003c/strong\u003e β€” any class or function named \u003c/code\u003esanitize\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003evalidate\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003eencode\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003eescape\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Look for: allowlist vs denylist (denylists are almost always bypassable), post-validation canonicalization (decoding after checking), validation applied to the wrong parameter.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e5. \u003cstrong style=\"color:#e5e7eb\"\u003eInterfaces to external components\u003c/strong\u003e β€” database connections, OS command helpers, file access wrappers, LDAP queries. Confirm that parameterization is consistently applied and that no code path bypasses the wrapper.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e6. \u003cstrong style=\"color:#e5e7eb\"\u003eNative code (C/C++) integration points\u003c/strong\u003e β€” any JNI, P/Invoke, or C extension boundary where Java/.NET managed data crosses into unmanaged memory. Data length and character set assumptions made in managed code may not hold in native code.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003ePhase 4 β€” Environment Configuration Review\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eACTION:\u003c/strong\u003e Read the platform configuration files and check the security-relevant settings below.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eWHY:\u003c/strong\u003e A perfectly written application can be made insecure by a misconfigured environment. Debug mode enabled in production exposes stack traces that reveal internal paths, class names, and database credentials. Permissive PHP \u003c/code\u003eregister_globals\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e creates uninitialized variable injection vectors that do not appear in the application source. Insecure cookie flags allow session token theft.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eJava β€” \u003c/code\u003eweb.xml\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e:\u003c/strong\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003elogin-config\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: verify authentication method; if forms-based, check action is \u003c/code\u003ej_security_check\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e with correct parameter names (\u003c/code\u003ej_username\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003ej_password\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003esecurity-constraint\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e with \u003c/code\u003eurl-pattern\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: verify all sensitive paths are covered; gaps mean unauthenticated access\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003esession-config session-timeout\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: overly long or zero timeout increases session hijacking window\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003eerror-page\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: verify error codes map to custom pages (not stack traces)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003einit-param\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: check \u003c/code\u003elistings\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e is \u003c/code\u003efalse\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e and \u003c/code\u003edebug\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e is \u003c/code\u003e0\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eASP.NET β€” \u003c/code\u003eWeb.config\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e:\u003c/strong\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003ehttpCookies httpOnlyCookies=\"true\"\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: prevents JavaScript cookie theft; \u003c/code\u003erequireSSL=\"true\"\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e prevents cookie transmission over HTTP\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003esessionState timeout\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: session lifetime\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003ecompilation debug=\"false\"\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: debug symbols expose internals\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003ecustomErrors mode=\"On\"\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e or \u003c/code\u003e\"RemoteOnly\"\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: prevents detailed error disclosure to users\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003ehttpRuntime enableHeaderChecking=\"true\"\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e (default): request header injection defense; \u003c/code\u003eenableVersionHeader=\"false\"\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: prevents version disclosure\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePHP β€” \u003c/code\u003ephp.ini\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e:\u003c/strong\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003eregister_globals = Off\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: if On, all request parameters become global variables β€” mandatory Off for any application not specifically designed for it\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003edisplay_errors = Off\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: prevents PHP errors from leaking to users; use \u003c/code\u003elog_errors\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e + \u003c/code\u003eerror_log\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e instead\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003eallow_url_fopen\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e and \u003c/code\u003eallow_url_include\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: if On, \u003c/code\u003einclude()\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e can load remote URLs β€” Remote File Inclusion vector\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003emagic_quotes_gpc\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: if On, single quotes in request parameters are auto-escaped β€” affects SQL injection testability; however magic quotes do not prevent numeric injection or second-order injection (data read from DB is unescaped); \u003cstrong style=\"color:#e5e7eb\"\u003eremoved in PHP 6\u003c/strong\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003esafe_mode\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: if On, restricts \u003c/code\u003eshell_exec\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003eexec\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e execution paths β€” but bypassable; not a security panacea; \u003cstrong style=\"color:#e5e7eb\"\u003eremoved in PHP 6\u003c/strong\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003c/code\u003efile_uploads\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e and \u003c/code\u003eupload_tmp_dir\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e: confirm uploaded files are stored in a non-web-accessible temporary path\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePerl:\u003c/strong\u003e Check for taint mode (\u003c/code\u003e-T\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e flag in shebang \u003c/code\u003e#!/usr/bin/perl -T\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e). Taint mode marks all user input as tainted and prevents tainted data from reaching dangerous functions (\u003c/code\u003eeval\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003esystem\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003eexec\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003eopen\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e) without explicit pattern-match untainting. If taint mode is not enabled, no framework-level protection exists against injection. If it is enabled, verify the untainting regexes are sufficiently restrictive β€” overly broad patterns (e.g., \u003c/code\u003e(.*)\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e) that extract arbitrary content defeat the protection.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003ePhase 5 β€” Document Findings\u003c/h4\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eACTION:\u003c/strong\u003e For each confirmed vulnerability, record: vulnerability class, CWE identifier, severity, file path and line number(s), evidence (code snippet showing source β†’ sink flow), and countermeasure.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eSeverity guidance:\u003c/strong\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eCritical:\u003c/strong\u003e OS command injection with code execution, SQL injection with data access or authentication bypass, Remote File Inclusion, backdoor credentials\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eHigh:\u003c/strong\u003e Arbitrary file read via path traversal, XSS in authenticated context or on sensitive page, SQL injection limited to read-only data, stored XSS\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eMedium:\u003c/strong\u003e Reflected XSS in unauthenticated context, open redirect, Local File Inclusion, insecure direct object reference\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eLow:\u003c/strong\u003e Incriminating comments, configuration weaknesses without direct exploitability, verbose error disclosure\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eOutput format:\u003c/strong\u003e\n\u003cpre style=\"background:#0a0a1c;border:1px solid #1e1e3f;border-radius:6px;padding:10px 12px;overflow-x:auto;font-size:.9em;margin:8px 0\"\u003e\u003ccode style=\"color:#a5f3fc;background:none;padding:0;font-size:1em\"\u003e## Source Code Security Review β€” [Application Name]\nDate: [date]  |  Reviewer: [name]  |  Platform: [Java/PHP/etc]\nScope: [files or modules reviewed]\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch4 style=\"color:#d1d5db;margin:14px 0 6px;font-size:.95em\"\u003eFINDING-001 β€” [Vulnerability Class] β€” [File:Line]\u003c/h4\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eCWE: CWE-XX\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eSeverity: [Critical | High | Medium | Low]\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eLocation: [path/to/file.java:42]\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eEvidence: [2-5 line code snippet showing the vulnerable pattern]\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eRoot cause: [1-2 sentences]\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eCountermeasure: [specific fix]\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eCoverage Summary\u003c/h3\u003e\n[Table: Phase | Files Reviewed | Findings]\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eInputs\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eWeb application source code (all server-side files, client-side JavaScript, database scripts)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ePlatform configuration files (\u003c/code\u003eweb.xml\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003eWeb.config\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003ephp.ini\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eAny existing SAST tool output (to focus manual effort on what tools miss)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eScope definition: modules in scope, time budget\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eOutputs\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eA \u003cstrong style=\"color:#e5e7eb\"\u003eSource Code Security Review Report\u003c/strong\u003e with:\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ePer-finding entries (class, CWE, severity, location, evidence, countermeasure)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eCoverage summary (phases completed, files reviewed, findings count by severity)\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ePrioritized remediation list\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eKey Principles\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eWhite-box finds a different population of bugs than black-box.\u003c/strong\u003e Backdoor passwords, condition-guarded logic flaws, and vulnerabilities that only activate for specific secondary parameter values are nearly impossible to find by fuzzing. Code review is not a replacement for behavioral testing β€” it is a complement that finds what fuzzing cannot.\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eTrace the full data flow β€” source to sink.\u003c/strong\u003e A dangerous API call is only a vulnerability if user-controlled data reaches it without adequate sanitization. Conversely, a piece of code that stores user data in a class field and later passes that field to a dangerous API is vulnerable even if the dangerous API call looks harmless in isolation. Never confirm or dismiss a finding without tracing the full path.\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eDenylists fail; allowlists don't.\u003c/strong\u003e Filters that block known-bad patterns (\u003c/code\u003e../\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003e\u003cscript\u003e\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, single quote) are routinely bypassed via URL encoding, Unicode encoding, case variation, or application-specific decoding. An application that validates input by allowlisting known-safe characters and rejecting everything else is structurally more robust. When you see a denylist filter protecting a dangerous API, treat it as a weak mitigant β€” look for bypasses.\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003ePost-validation canonicalization is always a bug.\u003c/strong\u003e Any decoding, unescaping, or canonicalization performed after validation defeats the validation. If an application validates a redirect URL by checking for \u003c/code\u003e//\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, then calls \u003c/code\u003eunescape()\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e on the value before using it, an attacker can encode the slashes as \u003c/code\u003e%252f%252f\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e (percent-encoding the percent sign), pass validation, then have \u003c/code\u003eunescape()\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e decode to \u003c/code\u003e//\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eConfiguration is part of the attack surface.\u003c/strong\u003e PHP \u003c/code\u003eregister_globals\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, ASP.NET debug mode, and Java \u003c/code\u003elistings=true\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e each create vulnerabilities that are not visible anywhere in the application source files. Always read the configuration files as part of the review scope.\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eDatabase stored procedures are not automatically safe.\u003c/strong\u003e Using parameterized calls from application code to invoke a stored procedure prevents SQL injection in the application tier β€” but if the stored procedure itself constructs dynamic SQL by concatenating its parameters, the vulnerability simply moves one layer deeper. Include stored procedure and trigger code in the review scope.\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eExamples\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eScenario: Penetration test with source access β€” Java banking application\u003c/strong\u003e\nTrigger: \"We're granting you source access for this pentest. The application handles fund transfers and user account management.\"\nProcess:\n1. Phase 1: Grep for \u003c/code\u003egetParameter\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” finds 47 call sites. Note \u003c/code\u003erequest.getParameter(\"title\")\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e stored in \u003c/code\u003em_pageTitle\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e field in \u003c/code\u003ePageController.java:88\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.\n2. Phase 2.1 (XSS): Grep for \u003c/code\u003eInnerHtml\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” finds \u003c/code\u003eobjCell.InnerHtml = link\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in \u003c/code\u003eReportView.java:204\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Trace \u003c/code\u003elink\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e backward β€” constructed by string concatenation from \u003c/code\u003eHttpUtility.UrlDecode(Request.QueryString[\"refURL\"])\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e without HTML-encoding. Confirmed reflected XSS (CWE-79, High). Also trace \u003c/code\u003em_pageTitle\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e forward β€” finds it written into \u003c/code\u003e\u003ctitle\u003e\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e element in template renderer without encoding. Second XSS confirmed, conditionally triggerable (requires \u003c/code\u003etype=3\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e).\n3. Phase 2.2 (SQL injection): Grep for \u003c/code\u003ecreateStatement\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” finds \u003c/code\u003es.executeQuery(\"SELECT name, accno FROM TblCustomers WHERE \" + SqlWhere)\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in \u003c/code\u003eCustomerSearch.java:156\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. \u003c/code\u003eSqlWhere\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e is built from \u003c/code\u003eRequest.QueryString[\"CID\"]\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Confirmed SQL injection (CWE-89, Critical).\n4. Phase 2.6 (Backdoor): Line-by-line review of \u003c/code\u003eAuthService.java\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” finds \u003c/code\u003eif (checkCredentials(up, password) || \"oculiomnium\".equals(password)) return up;\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Hardcoded backdoor password grants access to any account (CWE-798, Critical).\nOutput: 3 findings β€” Critical SQL injection, Critical backdoor password, High XSS (x2). Countermeasures: replace \u003c/code\u003ecreateStatement\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e with \u003c/code\u003eprepareStatement\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e; remove hardcoded password; HTML-encode all output via \u003c/code\u003eHtmlUtils.htmlEscape()\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eScenario: Pre-launch PHP e-commerce application review\u003c/strong\u003e\nTrigger: \"We're launching next month. Please review our PHP codebase for security issues before we go live.\"\nProcess:\n1. Phase 1: Grep for PHP input sources β€” finds \u003c/code\u003e$_GET\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003e$_POST\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e, \u003c/code\u003e$_COOKIE\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in 23 files. Check \u003c/code\u003ephp.ini\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” \u003c/code\u003eregister_globals = On\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e on their dev server; flag immediately.\n2. Phase 2.3 (Path traversal + RFI): Grep for \u003c/code\u003einclude(\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” finds \u003c/code\u003einclude($_GET['page'] . '.php')\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in \u003c/code\u003emain.php:12\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. No \u003c/code\u003eallow_url_include\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e check in code. Check \u003c/code\u003ephp.ini\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” \u003c/code\u003eallow_url_include = 1\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Confirmed Remote File Inclusion (CWE-98, Critical). Also: \u003c/code\u003eallow_url_fopen = 1\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e and \u003c/code\u003edisplay_errors = On\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in production config.\n3. Phase 2.2 (SQL injection): Grep for \u003c/code\u003emysql_query(\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” finds \u003c/code\u003emysql_query(\"SELECT * FROM users WHERE username = '$username' AND password = '$password'\")\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in \u003c/code\u003elogin.php:34\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Variables from \u003c/code\u003e$_POST\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e without escaping. Confirmed SQL injection (CWE-89, Critical). \u003c/code\u003emagic_quotes_gpc = Off\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e confirms no runtime escaping active.\n4. Phase 2.5 (OS command injection): Grep for \u003c/code\u003eexec(\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” finds \u003c/code\u003eexec(\"convert \" . $_POST['filename'] . \" -resize 100x100 output.jpg\")\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in \u003c/code\u003eimage.php:67\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Confirmed OS command injection via shell metacharacters (CWE-78, Critical).\n5. Phase 4 (Config): \u003c/code\u003edisplay_errors = On\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in \u003c/code\u003ephp.ini\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” leaks stack traces and DB credentials to users (Low). \u003c/code\u003eregister_globals = On\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” creates uninitialized variable injection vectors (High).\nOutput: 3 Critical findings, 1 High, 1 Low. Countermeasures: disable \u003c/code\u003eallow_url_include\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e and \u003c/code\u003eallow_url_fopen\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e; replace \u003c/code\u003emysql_query\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e with \u003c/code\u003emysqli-\u003eprepare\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e; replace shell \u003c/code\u003eexec\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e with ImageMagick PHP extension API; set \u003c/code\u003edisplay_errors = Off\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e + \u003c/code\u003elog_errors = On\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e; set \u003c/code\u003eregister_globals = Off\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eScenario: Security audit of a PHP/JavaScript SPA β€” focus on client-side and database tier\u003c/strong\u003e\nTrigger: \"Our application is a single-page app with a PHP API backend. We've had a report of potential DOM-based XSS and we want to understand our stored procedure security posture.\"\nProcess:\n1. Phase 2.1 (DOM XSS): Grep JavaScript for DOM sources and sinks β€” finds \u003c/code\u003eurl = document.URL; index = url.indexOf('?redir='); target = unescape(url.substring(index + 7, url.length)); document.location = target;\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e in \u003c/code\u003eredirect.js:22\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Script checks for \u003c/code\u003e//\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e to block absolute URLs but calls \u003c/code\u003eunescape()\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e afterward. Confirmed DOM-based open redirect and XSS via \u003c/code\u003e?redir=%2500javascript:alert(1)\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e (CWE-601 + CWE-79, High). Post-validation canonicalization bypass.\n2. Phase 2.2 (Stored procedure SQL injection): Review \u003c/code\u003e.sql\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e migration files β€” finds \u003c/code\u003eCREATE PROCEDURE show_current_orders (@name varchar(400) = NULL) AS DECLARE @sql nvarchar(4000) SELECT @sql = 'SELECT id_num, searchstring FROM searchorders WHERE ' + 'searchstring = ''' + @name + ''''; EXEC (@sql) GO\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e. Even if the application calls this procedure with a parameterized API, the procedure itself constructs dynamic SQL from \u003c/code\u003e@name\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” confirmed stored procedure SQL injection (CWE-89, High).\n3. Phase 3 (Session management): Line-by-line review of \u003c/code\u003eTokenGenerator.java\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e β€” uses \u003c/code\u003ejava.util.Random\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e (not cryptographically secure) to generate session tokens. Session tokens are predictable given sufficient samples (CWE-338, High).\nOutput: 3 High findings β€” DOM-based XSS/redirect, stored procedure SQL injection, predictable session tokens. Countermeasures: remove \u003c/code\u003eunescape()\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e call from redirect script; rewrite stored procedure using \u003c/code\u003esp_executesql\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e with parameterized query; replace \u003c/code\u003ejava.util.Random\u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e with \u003c/code\u003ejava.security.SecureRandom`.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eReferences\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003ePer-platform source and sink API tables: \u003ca href=\"references/platform-api-reference.md\" target=\"_blank\" rel=\"noopener\" style=\"color:#6366f1\"\u003eplatform-api-reference.md\u003c/a\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eEnvironment configuration security settings: \u003ca href=\"references/environment-config-reference.md\" target=\"_blank\" rel=\"noopener\" style=\"color:#6366f1\"\u003eenvironment-config-reference.md\u003c/a\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eCWE and OWASP mapping for findings: \u003ca href=\"references/vuln-cwe-owasp-mapping.md\" target=\"_blank\" rel=\"noopener\" style=\"color:#6366f1\"\u003evuln-cwe-owasp-mapping.md\u003c/a\u003e\u003c/li\u003e\n\u003cli style=\"color:#94a3b8;margin:3px 0\"\u003eSource: Stuttard, D. \u0026 Pinto, M. (2011). *The Web Application Hacker's Handbook* (2nd ed.), Chapter 19: \"Finding Vulnerabilities in Source Code,\" pp. 701-745. Wiley.\u003c/li\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eLicense\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eThis skill is licensed under \u003ca href=\"https://creativecommons.org/licenses/by-sa/4.0/\" target=\"_blank\" rel=\"noopener\" style=\"color:#6366f1\"\u003eCC-BY-SA-4.0\u003c/a\u003e.\nSource: \u003ca href=\"https://github.com/bookforge-ai/bookforge-skills\" target=\"_blank\" rel=\"noopener\" style=\"color:#6366f1\"\u003eBookForge\u003c/a\u003e β€” The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003ch3 style=\"color:#e5e7eb;margin:18px 0 8px;font-size:1.05em\"\u003eRelated BookForge Skills\u003c/h3\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003eThis skill is standalone. Browse more BookForge skills: \u003ca href=\"https://github.com/bookforge-ai/bookforge-skills\" target=\"_blank\" rel=\"noopener\" style=\"color:#6366f1\"\u003ebookforge-skills\u003c/a\u003e\n\u003c/p\u003e"])</script><script>self.__next_f.push([1,"20:[\"$\",\"div\",null,{\"className\":\"skill-page\",\"children\":[[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"SoftwareApplication\\\",\\\"name\\\":\\\"Source Code Security Review\\\",\\\"description\\\":\\\"Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized a...\\\",\\\"url\\\":\\\"https://bytesagain.com/skill/bookforge-source-code-security-review\\\",\\\"applicationCategory\\\":\\\"clawhub\\\",\\\"operatingSystem\\\":\\\"Any\\\",\\\"offers\\\":{\\\"@type\\\":\\\"Offer\\\",\\\"price\\\":\\\"0\\\",\\\"priceCurrency\\\":\\\"USD\\\"},\\\"publisher\\\":{\\\"@type\\\":\\\"Organization\\\",\\\"name\\\":\\\"BytesAgain\\\",\\\"url\\\":\\\"https://bytesagain.com\\\"}}\"}}],[\"$\",\"div\",null,{\"className\":\"breadcrumb\",\"children\":[[\"$\",\"a\",null,{\"href\":\"/\",\"children\":\"BytesAgain\"}],\" β€Ί \",[\"$\",\"a\",null,{\"href\":\"/skills\",\"children\":\"Skills\"}],\" β€Ί \",\"Source Code Security Review\"]}],[\"$\",\"div\",null,{\"className\":\"two-col\",\"children\":[[\"$\",\"div\",null,{\"className\":\"two-col-main\",\"children\":[[\"$\",\"div\",null,{\"className\":\"skill-card\",\"children\":[[\"$\",\"div\",null,{\"className\":\"skill-header\",\"children\":[[\"$\",\"div\",null,{\"className\":\"skill-badges\",\"children\":[[\"$\",\"span\",null,{\"className\":\"badge\",\"style\":{\"color\":\"#818cf8\",\"background\":\"#818cf822\",\"borderColor\":\"#818cf844\"},\"children\":[\"πŸ¦€\",\" \",\"ClawHub\"]}],false]}],[\"$\",\"div\",null,{\"className\":\"skill-top-actions\",\"children\":[\"$\",\"$L22\",null,{\"slug\":\"bookforge-source-code-security-review\"}]}]]}],[\"$\",\"h1\",null,{\"className\":\"skill-title\",\"children\":\"Source Code Security Review\"}],[\"$\",\"p\",null,{\"className\":\"skill-owner\",\"children\":[\"by \",[\"$\",\"span\",null,{\"children\":[\"@\",\"quochungto\"]}]]}],[\"$\",\"p\",null,{\"className\":\"skill-desc\",\"children\":\"Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized a...\"}],[\"$\",\"div\",null,{\"className\":\"skill-meta\",\"children\":[[\"$\",\"div\",null,{\"className\":\"meta-item\",\"children\":[[\"$\",\"span\",null,{\"className\":\"meta-label\",\"children\":\"Version\"}],[\"$\",\"span\",null,{\"className\":\"meta-value\",\"children\":[\"v\",\"1.0.0\"]}]]}],[\"$\",\"div\",null,{\"className\":\"meta-item\",\"children\":[[\"$\",\"span\",null,{\"className\":\"meta-label\",\"children\":\"Downloads\"}],[\"$\",\"span\",null,{\"className\":\"meta-value\",\"children\":\"296\"}]]}],false,false,false,[\"$\",\"div\",null,{\"className\":\"meta-item\",\"style\":{\"flexDirection\":\"row\",\"gap\":6,\"alignItems\":\"center\"},\"children\":[[\"$\",\"a\",\"security\",{\"href\":\"/?q=security\",\"className\":\"tag\",\"children\":[\"#\",\"security\"]}],[\"$\",\"a\",\"legal\",{\"href\":\"/?q=legal\",\"className\":\"tag\",\"children\":[\"#\",\"legal\"]}]]}]]}],[\"$\",\"div\",null,{\"style\":{\"marginTop\":6},\"children\":[\"$\",\"a\",null,{\"href\":\"https://clawhub.ai/quochungto/bookforge-source-code-security-review\",\"target\":\"_blank\",\"rel\":\"noopener\",\"className\":\"btn-secondary\",\"style\":{\"padding\":\"6px 12px\",\"fontSize\":\".82em\",\"borderRadius\":8,\"background\":\"transparent\",\"border\":\"1px solid var(--border-card)\",\"color\":\"var(--text-muted2)\",\"textDecoration\":\"none\",\"whiteSpace\":\"nowrap\"},\"children\":[\"View on \",\"ClawHub\",\" β†’\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"install-box\",\"children\":[[\"$\",\"div\",null,{\"className\":\"install-header\",\"children\":[[\"$\",\"div\",null,{\"className\":\"install-dots\",\"children\":[[\"$\",\"div\",null,{\"className\":\"dot\",\"style\":{\"background\":\"#ef4444\"}}],[\"$\",\"div\",null,{\"className\":\"dot\",\"style\":{\"background\":\"#eab308\"}}],[\"$\",\"div\",null,{\"className\":\"dot\",\"style\":{\"background\":\"#22c55e\"}}]]}],[\"$\",\"span\",null,{\"className\":\"install-label\",\"children\":\"TERMINAL\"}]]}],[\"$\",\"div\",null,{\"className\":\"install-body\",\"style\":{\"flexWrap\":\"wrap\"},\"children\":[[\"$\",\"code\",null,{\"className\":\"install-cmd\",\"children\":\"clawhub install bookforge-source-code-security-review\"}],[\"$\",\"button\",null,{\"className\":\"copy-btn\",\"data-cmd\":\"clawhub install bookforge-source-code-security-review\",\"style\":{\"fontWeight\":700},\"children\":\"Copy\"}]]}]]}],[\"$\",\"section\",null,{\"className\":\"skill-card\",\"style\":{\"marginBottom\":20},\"children\":[[\"$\",\"h2\",null,{\"style\":{\"color\":\"#f8fafc\",\"fontSize\":\"1.2em\",\"fontWeight\":800,\"margin\":\"0 0 16px\",\"display\":\"flex\",\"alignItems\":\"center\",\"gap\":8},\"children\":\"πŸ“– About This Skill\"}],[\"$\",\"div\",null,{\"style\":{\"fontSize\":\".92em\",\"color\":\"#94a3b8\",\"lineHeight\":1.75},\"dangerouslySetInnerHTML\":{\"__html\":\"$23\"}}]]}],\"$L24\",\"$L25\",null,null,null,null,null,false,false]}],\"$L26\"]}]]}]\n"])</script><script>self.__next_f.push([1,"21:[\"$\",\"script\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"\\n        document.querySelectorAll('.copy-btn, .script-copy-btn').forEach(btn =\u003e {\\n          btn.addEventListener('click', () =\u003e {\\n            const cmd = btn.getAttribute('data-cmd');\\n            if (!cmd) return;\\n            navigator.clipboard.writeText(cmd).then(() =\u003e {\\n              const orig = btn.textContent;\\n              btn.textContent = 'Copied!';\\n              setTimeout(() =\u003e btn.textContent = orig, 1500);\\n            }).catch(() =\u003e {});\\n          });\\n        });\\n      \"}}]\n"])</script><script>self.__next_f.push([1,"29:I[71521,[\"/_next/static/chunks/0ph_0rx9ah5dc.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/0i_x3w546rsb3.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/06ig5gym-0n-u.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\",\"/_next/static/chunks/12w5ognupk9fb.js?dpl=dpl_9zPFH6pojPkqyspdDNz28GzCc6KQ\"],\"default\"]\n27:Tbab,"])</script><script>self.__next_f.push([1,"\u003ctable style=\"width:100%;border-collapse:collapse;border:1px solid #1e1e3f;border-radius:8px;overflow:hidden;font-size:.9em\"\u003e\u003cthead\u003e\u003ctr style=\"background:#0a0a1c\"\u003e\u003cth style=\"padding:12px 16px;text-align:left;color:#818cf8;font-weight:700;border-bottom:2px solid #6366f130\"\u003eTrigger\u003c/th\u003e\u003cth style=\"padding:12px 16px;text-align:left;color:#818cf8;font-weight:700;border-bottom:2px solid #6366f130\"\u003eAction\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003eThis skill applies when:\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003e- A penetration test or security audit includes source code access, and you want to find more vulnerabilities faster than black-box alone\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003e- You need to identify backdoor passwords, hardcoded credentials, or logic flaws that are invisible to behavioral testing\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003e- A black-box test revealed anomalous behavior and you want to trace its root cause in code\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003e- You are reviewing an open-source component before integrating it into production\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003e**The foundational insight:** Black-box testing is powerful but incomplete. Automated fuzzing can send hundreds of test cases per minute, but it cannot identify a backdoor password that only activates for a specific hardcoded value, a condition-guarded XSS that only triggers when a secondary parameter equals `\"3\"`, or a buffer overflow buried in a native helper library. Source code review finds a different population of vulnerabilities than black-box testing. The two approaches are strongest when combined β€” code review guides where to probe interactively; interactive testing confirms whether code-level findings are actually exploitable.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003e**Before starting:** Establish the extent of any custom wrappers, library extensions, or application-specific abstractions around standard APIs. Applications may implement their own session storage, input sanitization utilities, or database access layers. Understanding these customizations is essential β€” a call to a custom `safeQuery()` wrapper may or may not prevent SQL injection depending on its implementation.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003e**Authorized review only.** This skill is for security professionals with explicit written authorization.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd style=\"padding:12px 16px;border-bottom:1px solid #1e1e3f;color:#94a3b8\" colspan=\"2\"\u003e---\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"])</script><script>self.__next_f.push([1,"24:[\"$\",\"section\",null,{\"className\":\"skill-card\",\"style\":{\"marginBottom\":20},\"children\":[[\"$\",\"h2\",null,{\"style\":{\"color\":\"#f8fafc\",\"fontSize\":\"1.2em\",\"fontWeight\":800,\"margin\":\"0 0 16px\",\"display\":\"flex\",\"alignItems\":\"center\",\"gap\":8},\"children\":\"⚑ When to Use\"}],[\"$\",\"div\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"$27\"}}]]}]\n28:T30f2,"])</script><script>self.__next_f.push([1,"\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eScenario: Penetration test with source access β€” Java banking application\u003c/strong\u003e\nTrigger: \"We're granting you source access for this pentest. The application handles fund transfers and user account management.\"\nProcess:\n1. Phase 1: Grep for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003egetParameter\u003c/code\u003e β€” finds 47 call sites. Note \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003erequest.getParameter(\"title\")\u003c/code\u003e stored in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003em_pageTitle\u003c/code\u003e field in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ePageController.java:88\u003c/code\u003e.\n2. Phase 2.1 (XSS): Grep for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eInnerHtml\u003c/code\u003e β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eobjCell.InnerHtml = link\u003c/code\u003e in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eReportView.java:204\u003c/code\u003e. Trace \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003elink\u003c/code\u003e backward β€” constructed by string concatenation from \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eHttpUtility.UrlDecode(Request.QueryString[\"refURL\"])\u003c/code\u003e without HTML-encoding. Confirmed reflected XSS (CWE-79, High). Also trace \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003em_pageTitle\u003c/code\u003e forward β€” finds it written into \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e\u003ctitle\u003e\u003c/code\u003e element in template renderer without encoding. Second XSS confirmed, conditionally triggerable (requires \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003etype=3\u003c/code\u003e).\n3. Phase 2.2 (SQL injection): Grep for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ecreateStatement\u003c/code\u003e β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003es.executeQuery(\"SELECT name, accno FROM TblCustomers WHERE \" + SqlWhere)\u003c/code\u003e in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eCustomerSearch.java:156\u003c/code\u003e. \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eSqlWhere\u003c/code\u003e is built from \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eRequest.QueryString[\"CID\"]\u003c/code\u003e. Confirmed SQL injection (CWE-89, Critical).\n4. Phase 2.6 (Backdoor): Line-by-line review of \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eAuthService.java\u003c/code\u003e β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eif (checkCredentials(up, password) || \"oculiomnium\".equals(password)) return up;\u003c/code\u003e. Hardcoded backdoor password grants access to any account (CWE-798, Critical).\nOutput: 3 findings β€” Critical SQL injection, Critical backdoor password, High XSS (x2). Countermeasures: replace \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ecreateStatement\u003c/code\u003e with \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eprepareStatement\u003c/code\u003e; remove hardcoded password; HTML-encode all output via \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eHtmlUtils.htmlEscape()\u003c/code\u003e.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eScenario: Pre-launch PHP e-commerce application review\u003c/strong\u003e\nTrigger: \"We're launching next month. Please review our PHP codebase for security issues before we go live.\"\nProcess:\n1. Phase 1: Grep for PHP input sources β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e$_GET\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e$_POST\u003c/code\u003e, \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e$_COOKIE\u003c/code\u003e in 23 files. Check \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ephp.ini\u003c/code\u003e β€” \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eregister_globals = On\u003c/code\u003e on their dev server; flag immediately.\n2. Phase 2.3 (Path traversal + RFI): Grep for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003einclude(\u003c/code\u003e β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003einclude($_GET['page'] . '.php')\u003c/code\u003e in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003emain.php:12\u003c/code\u003e. No \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eallow_url_include\u003c/code\u003e check in code. Check \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ephp.ini\u003c/code\u003e β€” \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eallow_url_include = 1\u003c/code\u003e. Confirmed Remote File Inclusion (CWE-98, Critical). Also: \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eallow_url_fopen = 1\u003c/code\u003e and \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003edisplay_errors = On\u003c/code\u003e in production config.\n3. Phase 2.2 (SQL injection): Grep for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003emysql_query(\u003c/code\u003e β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003emysql_query(\"SELECT * FROM users WHERE username = '$username' AND password = '$password'\")\u003c/code\u003e in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003elogin.php:34\u003c/code\u003e. Variables from \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e$_POST\u003c/code\u003e without escaping. Confirmed SQL injection (CWE-89, Critical). \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003emagic_quotes_gpc = Off\u003c/code\u003e confirms no runtime escaping active.\n4. Phase 2.5 (OS command injection): Grep for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eexec(\u003c/code\u003e β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eexec(\"convert \" . $_POST['filename'] . \" -resize 100x100 output.jpg\")\u003c/code\u003e in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eimage.php:67\u003c/code\u003e. Confirmed OS command injection via shell metacharacters (CWE-78, Critical).\n5. Phase 4 (Config): \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003edisplay_errors = On\u003c/code\u003e in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ephp.ini\u003c/code\u003e β€” leaks stack traces and DB credentials to users (Low). \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eregister_globals = On\u003c/code\u003e β€” creates uninitialized variable injection vectors (High).\nOutput: 3 Critical findings, 1 High, 1 Low. Countermeasures: disable \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eallow_url_include\u003c/code\u003e and \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eallow_url_fopen\u003c/code\u003e; replace \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003emysql_query\u003c/code\u003e with \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003emysqli-\u003eprepare\u003c/code\u003e; replace shell \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eexec\u003c/code\u003e with ImageMagick PHP extension API; set \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003edisplay_errors = Off\u003c/code\u003e + \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003elog_errors = On\u003c/code\u003e; set \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eregister_globals = Off\u003c/code\u003e.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003cstrong style=\"color:#e5e7eb\"\u003eScenario: Security audit of a PHP/JavaScript SPA β€” focus on client-side and database tier\u003c/strong\u003e\nTrigger: \"Our application is a single-page app with a PHP API backend. We've had a report of potential DOM-based XSS and we want to understand our stored procedure security posture.\"\nProcess:\n1. Phase 2.1 (DOM XSS): Grep JavaScript for DOM sources and sinks β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eurl = document.URL; index = url.indexOf('?redir='); target = unescape(url.substring(index + 7, url.length)); document.location = target;\u003c/code\u003e in \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eredirect.js:22\u003c/code\u003e. Script checks for \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e//\u003c/code\u003e to block absolute URLs but calls \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eunescape()\u003c/code\u003e afterward. Confirmed DOM-based open redirect and XSS via \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e?redir=%2500javascript:alert(1)\u003c/code\u003e (CWE-601 + CWE-79, High). Post-validation canonicalization bypass.\n2. Phase 2.2 (Stored procedure SQL injection): Review \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e.sql\u003c/code\u003e migration files β€” finds \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eCREATE PROCEDURE show_current_orders (@name varchar(400) = NULL) AS DECLARE @sql nvarchar(4000) SELECT @sql = 'SELECT id_num, searchstring FROM searchorders WHERE ' + 'searchstring = ''' + @name + ''''; EXEC (@sql) GO\u003c/code\u003e. Even if the application calls this procedure with a parameterized API, the procedure itself constructs dynamic SQL from \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003e@name\u003c/code\u003e β€” confirmed stored procedure SQL injection (CWE-89, High).\n3. Phase 3 (Session management): Line-by-line review of \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eTokenGenerator.java\u003c/code\u003e β€” uses \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ejava.util.Random\u003c/code\u003e (not cryptographically secure) to generate session tokens. Session tokens are predictable given sufficient samples (CWE-338, High).\nOutput: 3 High findings β€” DOM-based XSS/redirect, stored procedure SQL injection, predictable session tokens. Countermeasures: remove \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003eunescape()\u003c/code\u003e call from redirect script; rewrite stored procedure using \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003esp_executesql\u003c/code\u003e with parameterized query; replace \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ejava.util.Random\u003c/code\u003e with \u003ccode style=\"background:#0d0d1e;color:#a5f3fc;padding:1px 5px;border-radius:3px;font-size:.88em\"\u003ejava.security.SecureRandom\u003c/code\u003e.\u003c/p\u003e\u003cp style=\"margin:8px 0\"\u003e\u003chr style=\"border:none;border-top:1px solid #1e1e3f;margin:12px 0\"\u003e\u003c/p\u003e"])</script><script>self.__next_f.push([1,"25:[\"$\",\"section\",null,{\"className\":\"skill-card\",\"style\":{\"marginBottom\":20},\"children\":[[\"$\",\"h2\",null,{\"style\":{\"color\":\"#f8fafc\",\"fontSize\":\"1.2em\",\"fontWeight\":800,\"margin\":\"0 0 16px\",\"display\":\"flex\",\"alignItems\":\"center\",\"gap\":8},\"children\":\"πŸ’‘ Examples\"}],[\"$\",\"div\",null,{\"style\":{\"fontSize\":\".92em\",\"color\":\"#94a3b8\",\"lineHeight\":1.75},\"dangerouslySetInnerHTML\":{\"__html\":\"$28\"}}]]}]\n26:[\"$\",\"div\",null,{\"className\":\"two-col-side\",\"children\":[\"$\",\"$L29\",null,{\"category\":\"clawhub\",\"currentSlug\":\"bookforge-source-code-security-review\",\"name\":\"Source Code Security Review\",\"tags\":[\"security\",\"legal\"]}]}]\n"])</script></body></html>