White-Box Testing
Intermediate

Source Code Review & SAST

Source code review (white-box testing) involves analyzing application source code to identify security vulnerabilities before they reach production. Static Application Security Testing (SAST) automates this process, but manual review by security experts remains essential for complex logic flaws.

White-Box vs Black-Box

Unlike black-box penetration testing (no source code), white-box testing provides full visibility into the codebase, enabling detection of subtle logic flaws, race conditions, and insecure defaults that may not be exploitable externally.

Code Review Methodology

1. Reconnaissance

Understand the application architecture, frameworks used, and data flow. Identify entry points and trust boundaries.

2. Automated Scanning

Run SAST tools (SonarQube, Semgrep, CodeQL) to identify low-hanging fruit and focus areas for manual review.

3. Manual Review

Focus on authentication, authorization, input validation, cryptography, and business logic. Trace data flow from untrusted sources.

4. Validation

Attempt to exploit identified vulnerabilities in a test environment to confirm exploitability and impact.

5. Remediation Guidance

Provide developers with secure code examples and specific fixes, not just "vulnerable to XSS".

Common Vulnerability Patterns

Injection Flaws

  • SQL injection (concatenated queries)
  • Command injection (os.system, subprocess)
  • LDAP/NoSQL injection
  • Template injection (Jinja2, Twig)

Authentication/Authorization

  • Hardcoded credentials
  • Weak password policies
  • Missing authorization checks
  • Insecure session management

Cryptography Issues

  • Weak algorithms (MD5, SHA1)
  • Hardcoded encryption keys
  • Insecure random number generation
  • Missing certificate validation

Business Logic Flaws

  • Race conditions
  • Price manipulation
  • Workflow bypasses
  • Insecure deserialization

SAST Tool Comparison

| Tool      | Cost          | Languages     | Best For                                |
|-----------|---------------|---------------|-----------------------------------------|
| SonarQube | Free/Paid     | 30+ languages | CI/CD integration, code quality         |
| Semgrep   | Free (OSS)    | 20+ languages | Fast, custom rules, low false positives |
| CodeQL    | Free (GitHub) | 10+ languages | Deep analysis, GitHub integration       |
| Checkmarx | Commercial    | 25+ languages | Enterprise, comprehensive reporting     |

Reduce False Positives

SAST tools generate many false positives. Focus on high-severity findings first, and tune rules based on your application's architecture. Manual validation is essential.
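To show what a SAST rule does under the hood, and where its false positives come from, here is an added example (not from this guide or any of the tools above) of a minimal AST-based scanner for the injection patterns listed earlier: concatenated SQL queries, os.system, and subprocess with shell=True. It only looks at the call expression itself, so a query assembled in a variable elsewhere is missed (that needs data-flow tracking), while literal-only concatenation is deliberately not reported. The sample source it scans is constructed for this example; it needs Python 3.9+ for ast.unparse.

```python
import ast
SQL_SINKS = {"execute", "executemany"}  # DB-API cursor methods treated as SQL sinks

def _is_dynamic(node: ast.AST) -> bool:
    """True if any operand of a '+' chain is not a string literal."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_dynamic(node.left) or _is_dynamic(node.right)
    return not isinstance(node, ast.Constant)

def _query_built_dynamically(arg: ast.AST) -> bool:
    """Report only expressions that visibly build the query from non-literal parts.
    Literal-only '+' is skipped (classic false positive); a bare variable is out of scope."""
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Add):
        return _is_dynamic(arg)
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):  # "..." % user
        return True
    if isinstance(arg, ast.JoinedStr):  # f-string containing at least one {expr}
        return any(isinstance(v, ast.FormattedValue) for v in arg.values)
    if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute):
        return arg.func.attr == "format"  # "...".format(user)
    return False

def scan_source(src: str) -> list[tuple[int, str, str]]:
    """Parse Python source and return (line, rule_id, message) findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        callee = ast.unparse(node.func)  # e.g. "cursor.execute", "os.system"
        if callee.split(".")[-1] in SQL_SINKS and node.args and _query_built_dynamically(node.args[0]):
            findings.append((node.lineno, "sql-concat", f"{callee}(): query assembled from non-literal parts"))
        elif callee == "os.system":
            findings.append((node.lineno, "os-system", "os.system() hands its argument to a shell"))
        elif callee.startswith("subprocess.") and any(
                k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
                for k in node.keywords):
            findings.append((node.lineno, "subprocess-shell", f"{callee}(shell=True) runs the command via a shell"))
    return sorted(findings)

# Constructed sample under review: lines 2, 3, 6 and 8 should be reported; lines 4 and 7 are safe.
SAMPLE = '''\
def lookup(cursor, user):
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cursor.execute(f"SELECT * FROM users WHERE id = {user}")
    cursor.execute("SELECT * FROM users " + "WHERE name = ?", (user,))
def ping(host):
    os.system("ping -c 1 " + host)
    subprocess.run(["ping", "-c", "1", host])
    subprocess.run("ping -c 1 " + host, shell=True)
'''
```

Run scan_source(SAMPLE) and each finding maps to the line a reviewer should open first; the parameterised query on line 4 and the argument-list subprocess call on line 7 stay quiet, which is the tuning the paragraph above asks for.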
