Code Review Snippets
Nov 27, 2022
I am currently working on getting better at code reviews, considering I am doing whitebox testing on a regular basis now. This will mostly be a dump of my notes as I research new things, and it will grow over time.
PHP's in_array() is prone to type juggling: unless told otherwise it compares the needle to each element with loose equality (==), so a needle can "match" an element of a different type.
$values = array("naruto", "sasuke", "rock lee", "gaara");
var_dump(in_array(0, $values)); // loose comparison: 0 == "naruto"
On PHP 7 and earlier this prints bool(true) even though 0 is not in the array: every element is a non-numeric string, and loose comparison of such a string with an integer converts the string to 0 before comparing. PHP 8 changed that rule (a non-numeric string is now compared with the integer as a string, so this exact call prints bool(false) there), but loose matches on numeric strings such as "0", "0.0" or "1e3" still succeed on every version, so the call is wrong either way. Pass true as the third argument so that in_array() uses strict comparison (===):
$values = array("naruto", "sasuke", "rock lee", "gaara");
var_dump(in_array(0, $values, true)); // strict comparison: bool(false) on every PHP version
MessageDigest hasher = MessageDigest.getInstance("SHA-256"); // unkeyed digest: fine for integrity over public data, not a MAC
When SHA-256 is used on its own as a keyed checksum, for example by hashing secret || data and treating the digest as an authentication tag, it is open to a length-extension attack. A SHA-256 digest is simply the hash's internal state after the last block, so anyone who knows one digest and the length of what was hashed (secret included) can resume the computation and produce a valid digest for the original data, followed by the hash's own padding, followed by data of their choosing, without ever learning the secret. Hashing data that contains no secret, purely for integrity checking, is not affected. The fix is a real MAC: Mac.getInstance("HmacSHA256") initialised with a SecretKeySpec, rather than MessageDigest. SHA-3 and the truncated variants such as SHA-512/256 are not extendable either, but HMAC is the standard answer.