Findings
1. SQL Injection
Description
Recommendation
2. Insecure Direct Object Reference (IDOR)
Description
Recommendation
Notes for you/your team
Behavior
- What does it do? (business purpose)
- Who does it do this for? (internal / external customer base)
- What kind of information will it hold?
- What are the different types of roles?
- What aspects concern your client/customer/staff the most?
Tech Stack
- Framework & language - Rails/Ruby, Django/Python, mux/Golang
- Third-party components, for example:
  - Billing libraries (RubyGems, npm, jar, etc.)
  - JavaScript widgets (marketing tracking, sales chat widget)
- Dependencies on other applications - such as receiving webhook events
- Datastore - PostgreSQL, MySQL, Memcached, Redis, MongoDB, etc.
Brainstorming / Risks
- Here is what the feature or product is supposed to do... what might go wrong?
- Okay - based on the tech stack, I've realized that the:
  - ORM - does SQLi in this way
  - Template language - introduces XSS in this way
Checklist of things to review
Inspection Areas
Checklist