\begin{enumerate}[label={4.\arabic*}]
\item Verify that the principle of least privilege exists - users
should only be able to access functions, data files, URLs,
controllers, services, and other resources, for which they
possess specific authorization. This implies protection
against spoofing and elevation of privilege.
\addtocounter{enumi}{2}
\item Verify that access to sensitive records is protected, such
that only authorized objects or data is accessible to each
user (for example, protect against users tampering with a
parameter to see or alter another user's account).
\item Verify that directory browsing is disabled unless
deliberately desired. Additionally, applications should not
allow discovery or disclosure of file or directory metadata,
such as \code{Thumbs.db}, \code{.DS\_Store}, \code{.git} or
\code{.svn} folders.
\begin{itemize}[leftmargin=*]
\item \code{.gitignore} accessible, as well as any other dot-preceded file (except
\code{.htaccess} itself by default Apache rules), as well as files such as
\code{Thumbs.db} and \code{.DS\_Store}.
\item Directory contents were listed in my simple setup. A global Apache setting may disable it by default, but the
\code{.htaccess} file doesn't explicitly disable it (with \code{Options -Indexes}), so that the CMS's codebase basically enables the listing by default.
\end{itemize}
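As an added illustration of what closes this finding (not the CMS's own \code{.htaccess} and not part of the original assessment), the following Python snippet holds a constructed weak configuration next to a constructed hardened one and statically checks both for the controls 4.5 asks for. The function names \code{audit\_htaccess} and \code{denied\_file\_patterns} and the front-controller rewrite rule are assumptions made for the example.

```python
"""Added example (not the CMS's own .htaccess, nor part of this report): a
static check that an .htaccess body actually disables directory listings and
denies the metadata files named in the finding. Both configs are constructed."""
import re

# Constructed: an .htaccess in the state the finding describes, which rewrites to
# the CMS front controller but never turns indexing off or hides dot-files.
WEAK_HTACCESS = r"""
RewriteEngine On
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
"""

# Constructed hardened version. FilesMatch checks only a file's basename, so the
# RewriteRule with [F] is what refuses any path segment starting with a dot
# (e.g. .git/config, .svn/entries) while leaving .well-known/ reachable.
HARDENED_HTACCESS = r"""
Options -Indexes
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
<FilesMatch "^(Thumbs\.db|desktop\.ini)$">
    Require all denied
</FilesMatch>
RewriteEngine On
RewriteRule "(^|/)\.(?!well-known/)" - [F]
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
"""

_FILESMATCH_OPEN = re.compile(r'^<FilesMatch\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)


def _clean_lines(text):
    """Strip comments and surrounding whitespace; drop empty lines."""
    return [ln.split("#", 1)[0].strip() for ln in text.splitlines() if ln.strip()]


def denied_file_patterns(text):
    """Regexes of FilesMatch blocks that deny all access (Apache 2.4 or 2.2 syntax)."""
    denied, current = [], None
    for ln in _clean_lines(text):
        m = _FILESMATCH_OPEN.match(ln)
        if m:
            current = m.group(1)
        elif ln.lower() == "</filesmatch>":
            current = None
        elif current and ln.lower() in ("require all denied", "deny from all"):
            denied.append(current)
    return denied


def _basename_denied(patterns, name):
    for p in patterns:
        try:
            if re.search(p, name):
                return True
        except re.error:
            continue  # PCRE syntax Python cannot compile: not proven, keep looking
    return False


def audit_htaccess(text):
    """Return the 4.5 gaps found in an .htaccess body; an empty list means none found."""
    lines = _clean_lines(text)
    gaps = []
    if not any(ln.startswith("Options") and "-Indexes" in ln.split() for ln in lines):
        gaps.append("directory listing not disabled (no 'Options -Indexes')")
    denied = denied_file_patterns(text)
    for name in (".DS_Store", ".gitignore", "Thumbs.db"):
        if not _basename_denied(denied, name):
            gaps.append(f"{name} is not denied by any FilesMatch block")
    # Basename rules do not cover files inside dot-directories; look for a
    # path-level rule that forbids ([F]) or 403/404s any segment starting with '.'.
    path_rule = any(
        re.match(r"(RewriteRule|RedirectMatch)\b", ln)
        and r"\." in ln
        and re.search(r"\[[^\]]*F[^\]]*\]|\b40[34]\b", ln)
        for ln in lines
    )
    if not path_rule:
        gaps.append("contents of dot-directories (.git/, .svn/) are not denied at path level")
    return gaps


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_HTACCESS), ("hardened", HARDENED_HTACCESS)):
        print(label, audit_htaccess(cfg) or "no gaps found")
```

The check is a static sanity test, not a substitute for requesting the paths against the running server. \code{Options -Indexes} in \code{.htaccess} only takes effect when the server's \code{AllowOverride} includes \code{Options} (otherwise Apache answers 500 for the whole directory), and \code{FilesMatch} sees only a file's basename, which is why the path-level \code{RewriteRule} is the part that hides \code{.git/} and \code{.svn/} contents.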
\addtocounter{enumi}{2}
\item Verify that access controls fail securely.
\item Verify that the same access control rules implied by the
presentation layer are enforced on the server side.
\item Verify that all user and data attributes and policy
information used by access controls cannot be
manipulated by end users unless specifically authorized.
\item Verify that there is a centralized mechanism (including
libraries that call external authorization services) for
protecting access to each type of protected resource.
\item Verify that all access control decisions can be logged and
all failed decisions are logged.

No such decision logging present. There is only a minor amount of logging, and this is related to not finding content (pages and articles).
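Requirements 4.4, 4.8, 4.11 and 4.12 describe one design: a single server-side decision point that denies by default, denies when its own policy fails, records every outcome, and sits behind the object lookups that clients reach by id. The Python below is an added example of that design, not the CMS's code and not part of the original assessment; the \code{User} and \code{Account} types, the \code{POLICY} table and the \code{ACCOUNTS} records are constructed.

```python
"""Added example (not the CMS's code, not part of this report): one central
authorization point that default-denies, treats policy errors as deny, logs
every decision, and performs the ownership check behind object lookups.
Users, accounts and the policy table are constructed for illustration."""
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")
DECISIONS = []  # in-memory audit trail of (outcome, user_id, action, resource_id)


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset


@dataclass(frozen=True)
class Account:
    id: int
    owner_id: int
    balance: int


# Constructed sample records standing in for the application database.
ACCOUNTS = {
    100: Account(id=100, owner_id=1, balance=50),
    200: Account(id=200, owner_id=2, balance=75),
}


class Forbidden(Exception):
    """Raised when a lookup fails the access check; the caller maps it to 403/404."""


# Policy table: action -> predicate(user, resource). Unlisted actions are denied.
POLICY = {
    "account.read": lambda u, acct: acct.owner_id == u.id or "admin" in u.roles,
    "account.update": lambda u, acct: acct.owner_id == u.id,
}


def authorize(user, action, resource):
    """Single decision point (4.11). Every outcome is recorded (4.12) and
    failures go to the log at WARNING. A missing rule, a missing resource or an
    exception inside a rule yields deny, so a broken policy never grants (4.8)."""
    try:
        rule = POLICY.get(action)
        allowed = False if rule is None or resource is None else bool(rule(user, resource))
    except Exception:
        log.exception("policy error user=%s action=%s", user.id, action)
        allowed = False
    rid = getattr(resource, "id", resource)
    DECISIONS.append(("ALLOW" if allowed else "DENY", user.id, action, rid))
    if allowed:
        log.info("ALLOW user=%s action=%s resource=%s", user.id, action, rid)
    else:
        log.warning("DENY user=%s action=%s resource=%s", user.id, action, rid)
    return allowed


def get_account(user, account_id):
    """Lookup by an id taken from the request (4.4). The stored owner, not the
    client-supplied id, decides access; a missing record and someone else's
    record raise the same exception so the response does not leak existence."""
    acct = ACCOUNTS.get(account_id)
    if not authorize(user, "account.read", acct):
        raise Forbidden(f"account {account_id}")
    return acct


if __name__ == "__main__":
    alice = User(id=1, roles=frozenset())
    print(get_account(alice, 100))
    try:
        get_account(alice, 200)  # tampered id: another user's account
    except Forbidden as exc:
        print("denied:", exc)
    print(DECISIONS)
```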
\item Verify that the application or framework uses strong
random anti-CSRF tokens or has another transaction

There is no transaction protection mechanism at all.
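Added as an example of the transaction protection this item asks for (not the CMS's code and not part of the original assessment): HMAC-bound anti-CSRF tokens in Python. The server key \code{CSRF\_KEY}, the session identifiers and the \code{handle\_edit} handler are constructed for illustration.

```python
"""Added example (not the CMS's code, not part of this report): anti-CSRF
tokens for the state-changing requests that the finding says are unprotected.
The server key, session ids and form contents are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed server-side key. In deployment it is loaded from configuration,
# kept out of source control, and is what makes tokens unforgeable.
CSRF_KEY = secrets.token_bytes(32)


def _mac(session_id, nonce):
    """HMAC over session id and nonce: a token verifies only for the session it was issued to."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(CSRF_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Called when rendering a form. The nonce comes from the OS CSPRNG (192 bits),
    so tokens are unpredictable; the MAC binds the nonce to the session."""
    nonce = secrets.token_urlsafe(24)  # urlsafe alphabet, never contains '.'
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id, token):
    """Accept only a well-formed token whose MAC matches for this session.
    compare_digest keeps the comparison constant-time."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_edit(session_id, form):
    """Server-side gate for a state-changing request (constructed handler).
    Returns an HTTP-style (status, message) pair."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"edit applied to {form.get('page', '?')}"


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print(handle_edit("session-A", {"page": "home", "csrf_token": token}))
    print(handle_edit("session-A", {"page": "home"}))                        # missing token
    print(handle_edit("session-B", {"page": "home", "csrf_token": token}))  # wrong session
```

The token above is stateless (nothing is stored per form) but does not expire or become single-use; adding an issue time into the MAC input, or keeping a per-session nonce list, turns it into the per-transaction token the item names. The gate must sit on every state-changing handler, not only the ones reached from the visible forms.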
\item Verify the system can protect against aggregate or
continuous access of secured functions, resources, or
data. For example, consider the use of a resource
governor to limit the number of edits per hour or to
prevent the entire database from being scraped by an

No such prevention present.
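An added example of the resource governor this item suggests (not the CMS's code and not part of the original assessment): a sliding-window limiter in Python keyed per user, with the edit and read limits chosen for illustration.

```python
"""Added example (not the CMS's code, not part of this report): a per-user
resource governor of the kind 4.14 describes, limiting how many times a
protected operation may run inside a sliding window. The limits are constructed."""
import time
from collections import defaultdict, deque


class ResourceGovernor:
    """Allow at most `limit` operations per `window_seconds` for each key
    (a user id, API key or client address). The clock is injectable for tests."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps inside the window

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key):
        """Record and permit the operation, or refuse it without recording, so a
        refused caller does not extend their own lockout by retrying."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the oldest counted event leaves the window (0 if allowed now)."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return self.window - (now - q[0])


# Constructed policy: 5 edits per hour per user, and 100 record reads per minute
# per user so the whole article table cannot be pulled in one sweep.
EDIT_GOVERNOR = ResourceGovernor(limit=5, window_seconds=3600)
READ_GOVERNOR = ResourceGovernor(limit=100, window_seconds=60)


def save_edit(user_id, page):
    """Constructed handler showing where the governor sits: before the real work."""
    key = f"user:{user_id}"
    if not EDIT_GOVERNOR.allow(key):
        return 429, f"edit limit reached, retry in {EDIT_GOVERNOR.retry_after(key):.0f}s"
    return 200, f"saved {page}"


if __name__ == "__main__":
    for i in range(7):
        print(i + 1, save_edit(7, "home"))
```

Keying by authenticated user id rather than client address is what makes the limit meaningful behind a proxy; for anonymous reads the address (or a session id) is the fallback key. A process-local deque is enough for a single server, while a shared store is needed once the application runs on several.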
\item Verify the application has additional authorization (such
as step up or adaptive authentication) for lower value
systems, and / or segregation of duties for high value
applications to enforce anti-fraud controls as per the risk
of application and past fraud.
\item Verify that the application correctly enforces context-sensitive
authorisation so as to not allow unauthorised
manipulation by means of parameter tampering.