the-web-application-hackers-handbook

Chapter 19 n Finding Vulnerabilities in Source Code 743
Tools for Code Browsing
The methodology we have described for performing a code review essentially
involves reading the source code and searching for patterns indicating the
capture of user input and the use of potentially dangerous APIs. To carry out
a code review effectively, it is preferable to use an intelligent tool to browse the
codebase. You need a tool that understands the code constructs in a particular
language, provides contextual information about specific APIs and expressions,
and facilitates your navigation.
In many languages, you can use one of the available development studios,
such as Visual Studio, NetBeans, or Eclipse. In addition, various generic codebrowsing
tools support numerous languages and are optimized for viewing
of code rather than development. The authors’ preferred tool is Source Insight,
shown in Figure 19-1. It supports easy browsing of the source tree, a versatile
search function, a preview pane to display contextual information about any
selected expression, and speedy navigation through the codebase.
Figure 19-1: Source Insight being used to search and browse the source code for a
web application