Here, we notice different input fields, so we might think about injection issues such as SQL injection, XSS, and so on. Furthermore, we might consider that since there are multiple parameters passed to the application in the form, there might be hidden parameters that developers forget to remove that we can manipulate or change; this is called Mass assignment.
Additionally, we notice that this form adds values to the database. Therefore, we should consider protection against database flooding attacks.
So, now we have an overview of some possible risks in this function within the application:
a.Does the application validate users' inputs in the form before processing them?
b.Does the application use the users' inputs in other parts of the code as output with proper encoding?
c. Does the application apply protection against flooding requests, for example, CAPTCHA?
d.Etc.
Each of these questions, during the code review, will bring up new questions. For instance, let's consider if the application is implementing input validation—is it correct? Can it be bypassed? And so on.
Conduct Automated Scan
As the second step, we run automated scans on the source code. During this phase, we can perform the following actions:
Conduct an Automated scan of the source code.
Utilize commercial tools such as SonarQube, Fortify SCA, Bandit, GitHub, Checkmarx, etc. This process is known as Static Application Security Testing (SAST). Certain tools require the capability to build applications from the source code as they convert it into an intermediate format. For example, in Fortify SCA, the source code is transformed into Fortify Project Results (FPR) format before analysis.