To move up the skill ladder in web application testing, I believe that learning how to read and understand code makes a huge difference: you understand vulnerabilities better and, ultimately, discover more of them.
In today's post, I will highlight the steps I took to learn code review, with the resources I used at each step. I hope you find it useful on your own learning journey.
Step 1
Learn the different types of front-end and back-end technologies used in web application development. Many different frameworks exist and are in use by developers, and I think it is important to be aware of them. The video below is very long, but it gives you insight into and explanations of many different frameworks.
Resource:
Step 2
Learn the basics of coding; you don't need to be a wizard from the get-go. Start by learning JavaScript and PHP. I recommend these two because they align with the applications used in the next step. I chose Codecademy because it gives the learner challenges and small projects to complete, but obviously there are lots of videos on YouTube as well.
Resources:
Step 3
It's time to dive deep and practice. My recommendation is to use the Damn Vulnerable Web Application (DVWA) and Goof, Snyk's vulnerable application. There are others out there you can use, but I found these two to have what I was looking for. The first application is written in PHP and uses a relational database, while the second is written in Node.js and uses a NoSQL database, so you can practice SQL injection techniques and gain exposure to different programming languages.
Resources:
DVWA: digininja/DVWA: Damn Vulnerable Web Application (DVWA) (github.com)
Goof: snyk-labs/nodejs-goof: Super vulnerable todo list application (github.com)
DVWA has a "View Source" option that shows the source code for each challenge level, but I took a different path to learning why the code is vulnerable and what the possible fixes are.
The next step is to install VS Code, import the applications' source code, and install Snyk from the extension library. Once you have installed the extension, follow its steps to finish the setup.
Once installed, Snyk scans the source code and highlights vulnerabilities, along with best practices, the data flow of each issue and example code showing how to fix it.
As a beginner, you won't understand all of the issues, so you'll need explanations of what the code does and why it's vulnerable. The easiest way to get them is to copy and paste the code snippet into ChatGPT and ask for an explanation.
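To show the kind of finding this workflow surfaces in a Node.js/NoSQL application like Goof, here is an added example (not code from this post or from the Goof project): a login lookup that copies request fields straight into a database filter, next to a hardened version. The user record, the request body and the minimal filter matcher are constructed for the example so it runs without a database.

```javascript
// Vulnerable: request fields go straight into the filter. If a JSON body
// sends an object instead of a string for a field, that object is passed to
// the database driver as a query operator rather than as a literal value.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened: accept only primitive strings, rejecting anything else before it
// can reach the driver.
function requireString(value, name) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string`);
  }
  return value;
}

function buildLoginFilterSafe(body) {
  return {
    username: requireString(body.username, 'username'),
    password: requireString(body.password, 'password'),
  };
}

// Constructed stand-in for MongoDB-style filter matching, supporting just
// enough ($gt, $ne) to make the effect of an operator in the filter visible.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, v]) => {
        if (op === '$gt') return doc[field] > v;
        if (op === '$ne') return doc[field] !== v;
        return false; // unsupported operator in this stand-in
      });
    }
    return doc[field] === cond;
  });
}

// Constructed sample data (plain-text password kept only so the filter's
// behaviour is visible; real code would compare a hash).
const user = { username: 'alice', password: 'correct horse' };
const body = { username: 'alice', password: { $gt: '' } }; // object, not string

console.log(matches(user, buildLoginFilterVulnerable(body))); // true: matched without knowing the password
try {
  buildLoginFilterSafe(body);
} catch (e) {
  console.log(e.message); // password must be a string
}
```

In review, the thing to look for is the missing type check on request input; the same data-flow view Snyk shows (request body to query) is what points you at it.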
I am at the beginning of my code review journey, but I have found this to be a good way of learning for me personally, and I hope it will be beneficial to you as well.
Thanks for reading, stay curious and see you next time.