- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
22 Conducting Code Reviews
You’ll sometimes come across the source code of an application you’re attacking. For example, you might be able to extract JavaScript code from a web application, find scripts stored on servers during the recon process, or obtain Java source code from an Android application. If so, you are in luck! Reviewing code is one of the best ways to find vulnerabilities in applications.
Instead of testing an application by trying one payload or attack after another, you can locate insecure code directly by reading the application's source for the patterns that produce vulnerabilities. Source code review is not only a faster way of finding vulnerabilities but also teaches you how to program safely in the future, because you observe the mistakes of others.
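One concrete way to start a review, as an added example that is not from the book: a small Python scanner that greps extracted source for a checklist of dangerous sinks and reports where they appear. The sink list, the sample JavaScript and Python snippets, and the function names (`scan`, `report`) are all constructed for this illustration; the checklist is a starting point, not a complete or authoritative list.

```python
"""Grep-style sink scanner: the first pass of a manual source code review.

Added example, not code from the book. The sink checklist below is an
assumption made for the illustration, not a list taken from the text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Dangerous sinks a reviewer typically looks for first, per language.
# Each entry is (regex, why it matters). Assumed checklist for this example.
SINKS = {
    "javascript": [
        (r"\beval\s*\(", "string-to-code execution"),
        (r"\.innerHTML\s*=(?!=)", "DOM XSS sink if the value is attacker-controlled"),
        (r"\bdocument\.write\s*\(", "DOM XSS sink"),
        (r"\blocation(\.href)?\s*=(?!=)", "open redirect sink when assigned from user input"),
    ],
    "python": [
        (r"\beval\s*\(", "string-to-code execution"),
        (r"\bexec\s*\(", "string-to-code execution"),
        (r"\bsubprocess\.\w+\(.*shell\s*=\s*True", "command injection if the command string includes user input"),
        (r"\bpickle\.loads?\s*\(", "insecure deserialization of untrusted data"),
        (r"\byaml\.load\s*\(", "insecure deserialization unless a safe Loader is used"),
    ],
}

# Whole-line comment markers; such lines are skipped to reduce noise.
COMMENT_PREFIX = {"javascript": ("//",), "python": ("#",)}


@dataclass
class Finding:
    line_no: int
    pattern: str
    reason: str
    text: str


def scan(source: str, language: str) -> list[Finding]:
    """Return every line of `source` that matches a sink pattern for `language`."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # Skip blank lines and whole-line comments (note: this also hides
        # commented-out sinks, which a human reviewer may still want to see).
        if not stripped or stripped.startswith(COMMENT_PREFIX[language]):
            continue
        for pattern, reason in SINKS[language]:
            if re.search(pattern, line):
                findings.append(Finding(line_no, pattern, reason, stripped))
    return findings


def report(source: str, language: str) -> list[str]:
    """Human-readable one-liners, one per finding, for pasting into review notes."""
    return [f"L{f.line_no}: {f.text}  <- {f.reason}" for f in scan(source, language)]


# Constructed sample of client-side code, modelled on common patterns; not from any real app.
SAMPLE_JS = """\
// Constructed sample, not taken from a real application.
const params = new URLSearchParams(window.location.search);
const name = params.get("name");
document.getElementById("greeting").innerHTML = "Hello " + name;
// document.write(name);  commented out, so the scanner skips it
const next = params.get("next");
if (next) { window.location.href = next; }
const safe = document.createTextNode(name);
"""

# Constructed sample of server-side code; not from any real project.
SAMPLE_PY = """\
# Constructed sample handler, not taken from a real project.
import pickle, subprocess, yaml

def restore(blob):
    return pickle.loads(blob)

def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)

def load_config(text):
    return yaml.safe_load(text)
"""

if __name__ == "__main__":
    for lang, src in (("javascript", SAMPLE_JS), ("python", SAMPLE_PY)):
        print(f"== {lang} ==")
        for line in report(src, lang):
            print(line)
```

Each hit is a lead, not a verdict: the actual review work is tracing whether the argument reaching the sink (here `name`, `next`, `blob`, `host`) can be attacker-controlled, and the scanner deliberately does not try to answer that. Note that `yaml.safe_load` on the last sample line is not reported, while the `shell=True` call and the `pickle.loads` call are.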
By learning how vulnerabilities manifest themselves in source code, you can develop an intuition about how and why vulnerabilities happen. Learning to conduct source code reviews will eventually help you become a better hacker.
This chapter introduces strategies that will help you get started reviewing code. We’ll cover what you should look for and walk through example exercises to get your feet wet.
Remember that, most of the time, you don’t have to be a master programmer to conduct a code review in a particular language. As long as you understand one programming language, you can apply your intuition to review a wide variety of software written in different languages. But understanding the target’s particular language and architecture will allow you to spot more nuanced bugs.