Common Security Issues Found in Code Review

Security is is our main concern as we review customer code. Every HackerOne reviewer is expected to thoroughly examine the code in every review for security issues. This includes both the code that's part of a proposed change as well as any existing code in the review's files.

Security issues can commonly be found using the help of automated tools, but also through manual code review. To take a look at some of the tools available for reviewers in our community, check out the following guide:

Common security-related issues caught by HackerOne reviewers include (but are not limited to) things like:

• Known security vulnerabilities associated with a project's dependencies (and packages bundled with those dependencies).

• Credentials hard-coded in source code.

• Missing authorization or able to access information across accounts if code is abused.

• Areas vulnerable to SQL injection attacks.

• Ineffective, or missing, encryption of sensitive information.

• Use of insecure cryptography.

• Cryptography methods not abiding by framework best practices.

• Improper credential/role management.

• CRLF injection and XSS vulnerabilities. Ensuring user-supplied data is sanitized/neutralized appropriately.

• File systems vulnerable to directory traversal.

• Opportunities for unwanted information leakage.

• Committing real user data in tests.

• Improper integration of 3rd party tools.

As with any feedback comment, links to external resources/documentation are highly encouraged.