AppSecSchool:
How to review a library?


In today's session, we venture deep into the realm of library code review, a vital process in securing applications and safeguarding user data. The focal point of this discussion is to furnish you with a practical guide to get started and progressively master the skill of code review.

First off, transitioning from patch reviews to library reviews necessitates a foundational understanding of the library or protocol at hand. It is recommended to choose a library or format you are well-acquainted with to facilitate a smoother review process. For instance, leveraging knowledge from the PentesterLab exercises on JWT is a valuable starting point if you have already worked through them.

In cases where you are unfamiliar with the format, take time to understand it thoroughly before delving into the review process. Over time, you will find that you can effortlessly decipher formats simply by examining the code.

A handy tool to have during this process is a sequence diagram, particularly when reviewing a library integral to a protocol, as it aids in quick comprehension of the protocol steps during the review.

An essential part of the review process involves debugging the library, a task where good old printf debugging comes into play. The emphasis here is on practical application, encouraging learners to actually run the library's code instead of relying solely on a "pure code review".

As we delve deeper, the need to understand and track the code flow becomes apparent. Identifying the entry points where methods or functions first touch user-controlled data is crucial at this juncture. For those working on a JWT library, this typically means tracing the full token, since the whole token is untrusted input, from the point where it is received through each step of parsing and verification.

The initial focus should be on understanding the ongoing processes rather than bug hunting. It is a stage of observation, a time to note potential weaknesses and appreciate the preventative measures instituted by the developer.

With a grasp of one library, the learning can extend to another library executing similar functions, preferably in the same language. The experience accrued from the first review will undeniably make subsequent reviews easier.

An engaging part of this learning process is playing "Spot the Difference" where you critically analyze what is done similarly or differently between two libraries. This involves keen observations on security checks and understanding how minor modifications can substantially affect security.
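The two ideas above, tracing the token from its entry point and exercising a library's security checks to compare them with another implementation, can be made concrete in code. The following is an added example written for this page, not code from the AppSecSchool session or from any JWT library: a minimal HS256 JWT verifier with the entry point and each check annotated, a `trace` flag for printf-style debugging, and a `probe_verifier` harness that feeds constructed tokens to any verifier with the same signature. The key and token contents are made up here; running the same harness against two real libraries and diffing the results is one way to play "Spot the Difference".

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_token(token: str) -> tuple:
    # ENTRY POINT: the whole token string is user-controlled input.
    # Everything derived from it (header, payload, signature) stays untrusted
    # until the signature check has passed.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    return parts[0], parts[1], parts[2]


def verify_hs256(token: str, key: bytes, trace: bool = False) -> dict:
    header_b64, payload_b64, sig_b64 = split_token(token)
    header = json.loads(b64url_decode(header_b64))
    if trace:
        # printf-style debugging: watch the untrusted values as they flow through
        print("header (untrusted):", header)
        print("payload (untrusted):", b64url_decode(payload_b64))
    # Check 1: the verifier pins the algorithm; the token does not get to choose it
    if header.get("alg") != "HS256" or header.get("typ", "JWT") != "JWT":
        raise ValueError("unexpected header")
    # Check 2: recompute the MAC over the exact signing input and compare in constant time
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Only now may the payload be treated as trusted
    return json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, key: bytes, header: dict = None) -> str:
    # Helper used only to build test tokens for the probe harness
    header = header or {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def probe_verifier(verify, key: bytes) -> dict:
    """Run constructed tokens through a verifier and record accept/reject per case.
    Diffing this dict across two libraries shows where their checks differ."""
    good = sign_hs256({"sub": "alice", "role": "user"}, key)
    h, p, s = good.split(".")
    forged_payload = b64url_encode(b'{"sub":"alice","role":"admin"}')
    cases = {
        "valid": good,
        "tampered_payload": f"{h}.{forged_payload}.{s}",   # signature no longer matches
        "wrong_key": sign_hs256({"sub": "alice"}, b"constructed-other-key"),
        "alg_changed": sign_hs256({"sub": "alice"}, key, header={"alg": "HS512", "typ": "JWT"}),
        "truncated": f"{h}.{p}",                            # missing signature segment
    }
    results = {}
    for name, token in cases.items():
        try:
            verify(token, key)
            results[name] = "accepted"
        except ValueError:  # covers json and base64 decode errors too
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    demo_key = b"constructed-review-demo-key"
    verify_hs256(sign_hs256({"sub": "alice"}, demo_key), demo_key, trace=True)
    for case, outcome in probe_verifier(verify_hs256, demo_key).items():
        print(f"{case:>16}: {outcome}")
```

Only the `valid` case should be accepted; every other row is a check a reviewer would expect to see enforced. When comparing two libraries, wrap each one's verify call in a small adapter with the `(token, key)` signature and pass it to `probe_verifier`; a case that one library rejects and the other accepts is exactly the "minor modification" worth reading closely.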

It is important to note that the goal here is not just to uncover vulnerabilities but to understand code organization, patterns, and security check structures deeply.

As you grow in this journey, grey box testing emerges as a natural next step for understanding exploitability further. It creates a feedback loop between code review and grey box testing, where findings from each side sharpen the other.

In conclusion, the process of library code review is a journey of learning and growth, an exploration into the depths of application security where numerous undiscovered vulnerabilities await your expertise.