Findings

1. SQL Injection

Description

Recommendation

2. Insecure Direct Object Reference (IDOR)

Description

Recommendation

Notes for you/your team

Behavior

• What does it do? (business purpose)
• Who does it do this for? (internal / external customer base)
• What kind of information will it hold?
• What are the different types of roles?
• What aspects concern your client/customer/staff the most?

• Framework & Language - Rails/Ruby, Django/Python, mux/Golang
• 3rd party components, Examples:
  • Billing libraries (rubygem, npm, jar, etc.)
  • JavaScript widgets - (marketing tracking, sales chat widget)
  • Reliant upon other applications - such as receiving webhook events
• Datastore - Postgresql, MySQL, Memcache, Redis, Mongodb, etc.

Tech Stack

Brainstorming / Risks

• Here is what the feature or product is supposed to do... what might go wrong?
• Okay - based on the tech stack, I've realized that the:
  • ORM - Does SQLi in this way
  • Template language introduces XSS in this way

Checklist of things to review

Inspection Areas

Checklist