Source Code Security Review
by @quochungto
Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized a...
clawhub install bookforge-source-code-security-reviewπ About This Skill
name: source-code-security-review description: | Perform a systematic white-box security review of web application source code to find exploitable vulnerabilities. Use this skill when: you have authorized access to an application's source code and need to identify security flaws faster or more thoroughly than black-box testing alone; auditing a codebase prior to launch or after a security incident; reviewing open-source or purchased software for embedded vulnerabilities; complementing an active penetration test with source-level analysis. Applies a three-phase methodology: (1) identify all user-input entry points via platform-specific source APIs β Java HttpServletRequest, ASP.NET Request.Params/Form/QueryString, PHP $_GET/$_POST/$_COOKIE/$_REQUEST, Perl CGI param(), JavaScript document.location/URL; (2) trace data flow forward to dangerous sink APIs β Runtime.exec()/Process.Start() for OS command injection, Statement.execute()/mysql_query() for SQL injection, FileInputStream/include() for path traversal, sendRedirect()/header() for open redirect, eval() for script injection; (3) line-by-line close review of authentication, session management, access control, and native code components. Covers 8 vulnerability signature categories: cross-site scripting, SQL injection, path traversal, arbitrary redirection, OS command injection, backdoor passwords, native software bugs (buffer overflow, integer flaw, format string), and incriminating source code comments. Also covers database code components (stored procedures with dynamic SQL) and environment configuration checks (web.xml, Web.config, php.ini). Produces a prioritized findings report with evidence and countermeasures. Maps to CWE-79 (XSS), CWE-89 (SQL Injection), CWE-22 (Path Traversal), CWE-601 (Open Redirect), CWE-78 (OS Command Injection), CWE-798 (Hardcoded Credentials), CWE-120/121/122 (Buffer Overflow), CWE-134 (Format String). For authorized security review engagements, appsec engineers, and security-minded developers. version: 1.0.0 homepage: https://github.com/bookforge-ai/bookforge-skills/tree/main/books/web-application-hackers-handbook/skills/source-code-security-review metadata: {"openclaw":{"emoji":"π","homepage":"https://github.com/bookforge-ai/bookforge-skills"}} status: draft depends-on: [] source-books: - id: web-application-hackers-handbook title: "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws" authors: ["Dafydd Stuttard", "Marcus Pinto"] edition: 2 chapters: [19] pages: "701-745" tags: [code-review, white-box-testing, source-code-analysis, xss, sql-injection, path-traversal, open-redirect, command-injection, backdoor, buffer-overflow, java, aspnet, php, perl, javascript, penetration-testing, appsec, cwe-79, cwe-89, cwe-22, cwe-601, cwe-78, cwe-798, cwe-120, cwe-134] execution: tier: 1 mode: full inputs: - type: codebase description: "Web application source code β server-side handlers, data access layer, database stored procedures, configuration files (web.xml, Web.config, php.ini), client-side JavaScript" - type: document description: "Build manifests, dependency lists, architecture diagrams β optional but useful for scoping" tools-required: [Read, Grep] tools-optional: [Bash, Write] mcps-required: [] environment: "Run directly against the source code repository. No live application required. Authorized review context required." discovery: goal: "Identify exploitable security vulnerabilities in web application source code using a structured three-phase approach β entry points, dangerous sinks, and line-by-line review of high-risk components β and produce a prioritized findings report" tasks: - "Establish platform and establish custom wrapper awareness before proceeding" - "Map all user-input entry points using platform-specific source APIs" - "Trace data flow from sources to dangerous sink APIs for each vulnerability category" - "Perform line-by-line review of high-risk components: authentication, session management, access control, native code" - "Audit database stored procedures for dynamic SQL construction" - "Review environment configuration files for security-relevant settings" - "Document findings with CWE mapping, severity, evidence, and countermeasures" audience: roles: ["penetration-tester", "application-security-engineer", "security-minded-developer"] experience: "intermediate-to-advanced β assumes familiarity with at least one server-side web platform (Java, .NET, PHP, Perl) and common web vulnerability classes" triggers: - "Penetration test engagement where source code access has been granted" - "Security audit of a web application prior to production deployment" - "Reviewing an open-source project or purchased component for embedded vulnerabilities" - "Root-cause analysis after a security incident β understanding how the vulnerability existed in code" - "Supplementing automated SAST tool output with manual verification" not_for: - "Black-box behavioral testing without source access β use the relevant black-box testing skills" - "Infrastructure or network security review β different scope" - "Mobile application source review β different platform APIs"
Source Code Security Review
When to Use
You have authorized access to a web application's source code and need to find security vulnerabilities systematically.
This skill applies when:
The foundational insight: Black-box testing is powerful but incomplete. Automated fuzzing can send hundreds of test cases per minute, but it cannot identify a backdoor password that only activates for a specific hardcoded value, a condition-guarded XSS that only triggers when a secondary parameter equals "3", or a buffer overflow buried in a native helper library. Source code review finds a different population of vulnerabilities than black-box testing. The two approaches are strongest when combined β code review guides where to probe interactively; interactive testing confirms whether code-level findings are actually exploitable.
Before starting: Establish the extent of any custom wrappers, library extensions, or application-specific abstractions around standard APIs. Applications may implement their own session storage, input sanitization utilities, or database access layers. Understanding these customizations is essential β a call to a custom safeQuery() wrapper may or may not prevent SQL injection depending on its implementation.
Authorized review only. This skill is for security professionals with explicit written authorization.
Context and Input Gathering
Required Context
pom.xml / build.gradle (Java), *.csproj / Web.config (ASP.NET), *.php files, *.pl files, package.json (Node.js/JS)Observable Context (gather from codebase)
web.xml, Web.config, php.ini, .htaccesssanitize, validate, encode, escape, filterRuntime.exec / Process.StartProcess
Phase 1 β Map User-Input Entry Points
ACTION: Grep the codebase for platform-specific source APIs. Every location where user-controlled data enters the application is a potential source of tainted data. Build a catalog of entry points before tracing data flows.
WHY: Vulnerabilities arise when user-controlled data reaches a dangerous operation without proper validation or encoding. You cannot trace data flow without first knowing all the places data enters. Applications frequently receive input through less-obvious channels β HTTP headers, cookies, session-derived data from user registration, even the URL path itself. Missing an entry point means missing all vulnerabilities that originate from it.
AGENT: EXECUTES β Grep for platform-specific source APIs:
Java (HttpServletRequest / ServletRequest):
getParameter|getParameterNames|getParameterValues|getParameterMap
getQueryString|getHeader|getHeaders|getHeaderNames
getRequestURI|getRequestURL|getCookies|getRequestedSessionId
getInputStream|getReader|getRemoteUser|getUserPrincipal
ASP.NET (System.Web.HttpRequest):
Request\.Params|Request\.Item|Request\.Form|Request\.QueryString
Request\.ServerVariables|Request\.Headers|Request\.Url|Request\.RawUrl
Request\.UrlReferrer|Request\.Cookies|Request\.BinaryRead
Request\.Browser|Request\.UserAgent|Request\.AcceptTypes
PHP:
\$_GET|\$_POST|\$_COOKIE|\$_REQUEST|\$_FILES|\$_SERVER
\$HTTP_GET_VARS|\$HTTP_POST_VARS|\$HTTP_COOKIE_VARS
\$GLOBALS
Note: if register_globals is enabled in php.ini, any variable name may receive request parameter values. Line-by-line review is then required to track all uses of uninitialized variables.Perl (CGI.pm):
->param\(|->param_fetch\(|->Vars\b|->cookie\(|->raw_cookie\(
->query_string\b|->referer\b|->self_url\b|->url\b
ReadParse
JavaScript (DOM sources):
document\.location|document\.URL|document\.URLUnencoded|document\.referrer
window\.location|location\.search|location\.hash|location\.href
NOTE: Also search for $GLOBALS (PHP), any class names ending in Request, HttpContext, HttpInput, or equivalent β applications commonly abstract input access behind wrapper classes.
Phase 2 β Trace Data Flow to Dangerous Sinks (Signature Scanning)
ACTION: For each vulnerability category below, grep for the dangerous sink APIs. For each hit, trace backward to determine whether user-controlled data from Phase 1 sources flows into that sink without adequate validation or encoding. Confirm or dismiss each candidate finding.
WHY: Signature scanning targets the highest-density locations of potential vulnerabilities first. A hard-coded SQL query fragment like "SELECT appearing in application code is almost always part of a SQL injectionβvulnerable pattern. An eval() call receiving user input is almost always dangerous. This approach finds low-hanging fruit quickly, leaving remaining time for the subtler line-by-line review in Phase 3.
#### 2.1 β Cross-Site Scripting (XSS)
Grep for output APIs that write user data to responses:
Java: response.getWriter().print|println|write, out.print|println, .InnerHtml, response.setHeader
ASP.NET: Response.Write|Response.Output.Write, \.InnerHtml\s*=, \.InnerText\s*=
PHP: echo\b|print\b|printf\b|vprintf\b, =
JavaScript (DOM sinks):
document\.write\(|document\.writeln\(|\.innerHTML\s*=
eval\(|window\.execScript\(|window\.setInterval\(|window\.setTimeout\(
Pattern to find: User input from a Phase 1 source is incorporated into HTML output without HTML-encoding. Example:
// Vulnerable: m_pageTitle set from request.getParameter("title") and
// later written into a element without encoding
m_pageTitle = request.getParameter("title");
Trace m_pageTitle forward β if it is written to a response element or used to construct a link/HTML fragment without HtmlEncode() / escapeHtml() / HtmlUtils.htmlEscape(), this is a confirmed XSS.Grep for SQL fragment strings to find XSS in query-string construction:
"SELECT |"INSERT |"DELETE |" WHERE |" AND |" OR |" ORDER BY
These patterns are case-insensitive; also search lowercase. The surrounding whitespace and quote distinguish SQL keyword strings from ordinary concatenated strings.NOTE on filter-based mitigations: If a filter exists that blocks certain XSS payloads in the query string, trace it carefully. Filters applied to the wrong parameter, or applied before the vulnerable parameter is read, provide no protection.
#### 2.2 β SQL Injection
Grep for raw SQL execution APIs:
Java: createStatement|Statement\.execute|Statement\.executeQuery|Statement\.executeUpdate
ASP.NET: SqlCommand|OleDbCommand|OdbcCommand|SqlDataAdapter|\.CommandText\s*=
PHP: mysql_query|mssql_query|pg_query|mysqli_query
Perl: ->selectall_arrayref|->do\b
For each hit, check whether the SQL string is constructed by concatenating user-controlled data. The presence of string fragments like " WHERE + variable or "SELECT * FROM + variable adjacent to a createStatement / execute call is a strong indicator.
Contrast with safe patterns: Presence of prepareStatement (Java), .Parameters.Add (ASP.NET), mysqli->prepare / stmt->bind_param (PHP), or ->prepare / ->execute (Perl) indicates parameterized queries β confirm that the prepared statement is actually used with bound parameters, not that the SQL string itself still incorporates concatenated user input before being prepared.
Database stored procedures: Extend this search to stored procedure definitions (.sql files, embedded SQL strings). A web application calling a parameterized stored procedure is safe only if the procedure itself does not construct dynamic SQL from its parameters. Search stored procedure code for dynamic SQL execution keywords: EXEC (MS-SQL, Sybase), EXECUTE IMMEDIATE (Oracle), EXEC SQL (DB2). If user-supplied procedure parameters are concatenated into these dynamic SQL strings, SQL injection exists in the database tier even when the application tier uses parameterized calls.
#### 2.3 β Path Traversal
Grep for filesystem APIs:
Java: new File\(|FileInputStream|FileOutputStream|FileReader|FileWriter
ASP.NET: System\.IO\.File\.|FileStream\(|StreamReader\(|StreamWriter\(
PHP: fopen\(|readfile\(|file\(|fpassthru\(|include\(|require\(|include_once\(|require_once\(
Perl: open\s*\(|sysopen\s*\(
For each hit, determine whether the filename parameter incorporates user-controlled data. The most common pattern is user data appended to a hard-coded base directory:
FileStream fs = new FileStream("C:\\temp\\" + userInput, FileMode.Open);
This is vulnerable if userInput is not canonicalized and verified to not contain .. sequences.For PHP include() / require(): Also check whether the included file path can resolve to a remote URL (if allow_url_include is enabled in php.ini). Remote File Inclusion (RFI) produces arbitrary code execution.
Grep for filename-related parameter names as a quick surface finder:
AttachName|filename|filepath|file=|path=|template=|page=|include=
#### 2.4 β Arbitrary Redirection
Grep for redirect APIs:
Java: sendRedirect\(|setStatus\(|addHeader\(
ASP.NET: HttpResponse\.Redirect\(|Response\.Status|Response\.StatusCode|Response\.AddHeader|Server\.Transfer
Note: Server.Transfer changes the page processed server-side without issuing an HTTP redirect, so it cannot be exploited for external redirects β but it can still be used for internal access control bypass.
PHP: http_redirect\(|header\s*\(.*Location|HttpMessage::setResponseCode|HttpMessage::setHeaders
Perl: ->redirect\(
For each hit, check whether the redirect URL string is constructed from user-controllable data (e.g., a refURL query string parameter, a ReturnUrl form field). Also check client-side JavaScript for redirect patterns:
document.location = target;
window.location.href = url;
Trace whether the URL value originates from a DOM source (document.URL, document.referrer, location.search). After-validation canonicalization is a common bypass path β if the code calls unescape() after checking for //, the check can be bypassed with double-encoded slashes (%25252f%25252f).#### 2.5 β OS Command Injection
Grep for OS command execution APIs:
Java: Runtime\.getRuntime\(\)\.exec|Runtime\.exec\(
ASP.NET: Process\.Start\(|ProcessStartInfo
PHP: \bexec\s*\(|passthru\(|popen\(|proc_open\(|shell_exec\(|system\(, and the backtick operator ` command
Perl: system\s*\(|\bexec\s*\(|qx/|qx\(, and the backtick operator
C/C++ (native components): system\(|popen\(|execve\(|execl\(
For each hit, determine whether user-controlled data forms part of the command string. In Java, Runtime.exec(string) interprets shell metacharacters if the argument is a single string β but Runtime.exec(String[]) with arguments passed as separate array elements does not. Partial control of the command string may still be exploitable via argument injection (injecting command-line flags rather than shell metacharacters).
#### 2.6 β Backdoor Passwords and Hidden Debug Functions
Grep for hardcoded credential patterns in authentication logic:
equals\(".*"\)|\.equals\('.*'\)|==\s*["']
password.*==|password.*equals|"admin"|"password"|"secret"
Grep for incriminating source code comments:
// bug|// problem|// bad|// hope|// todo|// fix|// overflow
// crash|// inject|// xss|// trust|# bug|# hack|# fixme
todo|# xxx
These comment searches often surface developer-acknowledged vulnerabilities that were never resolved, temporary workarounds that became permanent, or security test code that was never removed. Example from production code:
char buf[200]; // I hope this is big enough
strcpy(buf, userinput);
Also look for: Unreferenced functions accessible via hidden URL parameters, debug=1 style logic branches, IP address allowlists that bypass authentication.
#### 2.7 β Native Software Bugs (C/C++ components)
Buffer overflow β grep for unchecked buffer manipulation APIs:
\bstrcpy\b|\bstrcat\b|\bmemcpy\b|\bsprintf\b|\bgets\b|\bscanf\b
Also: their wide-character variants (wcscpy, wcscat, swprintf). For each hit, verify whether the destination buffer is large enough to accommodate the source data, and whether the source length is bounded. Even strncpy can be misused β check whether the size argument is strlen(src) rather than sizeof(dst) (the former still overflows if src exceeds dst's size).Integer vulnerabilities β grep for signed/unsigned comparisons:
len\s*<\s*sizeof|size\s*<\s*sizeof|length\s*<\s*sizeof
If len is a signed integer compared to sizeof() (which returns an unsigned size_t), a user-supplied negative value for len passes the check and causes the subsequent unchecked copy to overwrite memory.Format string vulnerabilities β grep for uncontrolled format strings:
\bprintf\s*(\s*[^"]\|fprintf\s*(\s*[^"][^,]\|syslog\s*(\s*[^,]*,\s*[^"]
The dangerous pattern is printf(userInput) instead of printf("%s", userInput). If the format string parameter is user-controllable, the attacker controls format specifiers β %n writes to arbitrary memory addresses, enabling code execution.
Phase 3 β Line-by-Line Review of High-Risk Components
ACTION: Select the components listed below for close sequential reading. The goal is not to find every vulnerability via signatures, but to understand the security logic and find flaws in its design or implementation β race conditions, time-of-check/time-of-use issues, bypasses enabled by edge cases, incorrect trust assumptions.
WHY: Many serious vulnerabilities are not detectable by grep β they require understanding the surrounding logic. An authentication bypass may exist because a conditional check that should be
&& is ||. A session fixation vulnerability requires reading the session initialization flow end-to-end. These subtler issues are common in precisely the most security-critical code.Components to read line-by-line:
1. Authentication mechanisms β login logic, password comparison, account lockout, password reset flow, multi-factor verification. Look for: timing-based username enumeration, bypass conditions (OR instead of AND in credential checks), hardcoded fallback credentials, insecure token generation for password reset.
2. Session management β session token generation, storage, validation, and invalidation. Look for: use of
java.util.Random (predictable) instead of SecureRandom, session tokens derived from user-controllable data, session fixation (token not rotated after login), logout that does not invalidate the server-side session.3. Access control β per-resource authorization checks, role validation. Look for: missing checks on sensitive endpoints, checks that rely on client-supplied role data, checks placed after the sensitive operation rather than before.
4. Application-wide input validation utilities β any class or function named
sanitize, validate, encode, escape. Look for: allowlist vs denylist (denylists are almost always bypassable), post-validation canonicalization (decoding after checking), validation applied to the wrong parameter.5. Interfaces to external components β database connections, OS command helpers, file access wrappers, LDAP queries. Confirm that parameterization is consistently applied and that no code path bypasses the wrapper.
6. Native code (C/C++) integration points β any JNI, P/Invoke, or C extension boundary where Java/.NET managed data crosses into unmanaged memory. Data length and character set assumptions made in managed code may not hold in native code.
Phase 4 β Environment Configuration Review
ACTION: Read the platform configuration files and check the security-relevant settings below.
WHY: A perfectly written application can be made insecure by a misconfigured environment. Debug mode enabled in production exposes stack traces that reveal internal paths, class names, and database credentials. Permissive PHP
register_globals creates uninitialized variable injection vectors that do not appear in the application source. Insecure cookie flags allow session token theft.Java β
web.xml:
login-config: verify authentication method; if forms-based, check action is j_security_check with correct parameter names (j_username, j_password)
security-constraint with url-pattern: verify all sensitive paths are covered; gaps mean unauthenticated access
session-config session-timeout: overly long or zero timeout increases session hijacking window
error-page: verify error codes map to custom pages (not stack traces)
init-param: check listings is false and debug is 0ASP.NET β
Web.config:
httpCookies httpOnlyCookies="true": prevents JavaScript cookie theft; requireSSL="true" prevents cookie transmission over HTTP
sessionState timeout: session lifetime
compilation debug="false": debug symbols expose internals
customErrors mode="On" or "RemoteOnly": prevents detailed error disclosure to users
httpRuntime enableHeaderChecking="true" (default): request header injection defense; enableVersionHeader="false": prevents version disclosurePHP β
php.ini:
register_globals = Off: if On, all request parameters become global variables β mandatory Off for any application not specifically designed for it
display_errors = Off: prevents PHP errors from leaking to users; use log_errors + error_log instead
allow_url_fopen and allow_url_include: if On, include() can load remote URLs β Remote File Inclusion vector
magic_quotes_gpc: if On, single quotes in request parameters are auto-escaped β affects SQL injection testability; however magic quotes do not prevent numeric injection or second-order injection (data read from DB is unescaped); removed in PHP 6
safe_mode: if On, restricts shell_exec, exec execution paths β but bypassable; not a security panacea; removed in PHP 6
file_uploads and upload_tmp_dir: confirm uploaded files are stored in a non-web-accessible temporary pathPerl: Check for taint mode (
-T flag in shebang #!/usr/bin/perl -T). Taint mode marks all user input as tainted and prevents tainted data from reaching dangerous functions (eval, system, exec, open) without explicit pattern-match untainting. If taint mode is not enabled, no framework-level protection exists against injection. If it is enabled, verify the untainting regexes are sufficiently restrictive β overly broad patterns (e.g., (.*)) that extract arbitrary content defeat the protection.
Phase 5 β Document Findings
ACTION: For each confirmed vulnerability, record: vulnerability class, CWE identifier, severity, file path and line number(s), evidence (code snippet showing source β sink flow), and countermeasure.
Severity guidance:
Critical: OS command injection with code execution, SQL injection with data access or authentication bypass, Remote File Inclusion, backdoor credentials
High: Arbitrary file read via path traversal, XSS in authenticated context or on sensitive page, SQL injection limited to read-only data, stored XSS
Medium: Reflected XSS in unauthenticated context, open redirect, Local File Inclusion, insecure direct object reference
Low: Incriminating comments, configuration weaknesses without direct exploitability, verbose error disclosure Output format:
## Source Code Security Review β [Application Name]
Date: [date] | Reviewer: [name] | Platform: [Java/PHP/etc]
Scope: [files or modules reviewed]FINDING-001 β [Vulnerability Class] β [File:Line]
CWE: CWE-XX
Severity: [Critical | High | Medium | Low]
Location: [path/to/file.java:42]
Evidence: [2-5 line code snippet showing the vulnerable pattern]
Root cause: [1-2 sentences]
Countermeasure: [specific fix] Coverage Summary
[Table: Phase | Files Reviewed | Findings]
Inputs
Web application source code (all server-side files, client-side JavaScript, database scripts)
Platform configuration files ( web.xml, Web.config, php.ini)
Any existing SAST tool output (to focus manual effort on what tools miss)
Scope definition: modules in scope, time budget Outputs
A Source Code Security Review Report with:
Per-finding entries (class, CWE, severity, location, evidence, countermeasure)
Coverage summary (phases completed, files reviewed, findings count by severity)
Prioritized remediation list
Key Principles
White-box finds a different population of bugs than black-box. Backdoor passwords, condition-guarded logic flaws, and vulnerabilities that only activate for specific secondary parameter values are nearly impossible to find by fuzzing. Code review is not a replacement for behavioral testing β it is a complement that finds what fuzzing cannot. Trace the full data flow β source to sink. A dangerous API call is only a vulnerability if user-controlled data reaches it without adequate sanitization. Conversely, a piece of code that stores user data in a class field and later passes that field to a dangerous API is vulnerable even if the dangerous API call looks harmless in isolation. Never confirm or dismiss a finding without tracing the full path. Denylists fail; allowlists don't. Filters that block known-bad patterns ( ../,