1 \begin{enumerate}[label={4.\arabic*}]
2
3 \item
4 \TODO{}
5 Verify that the principle of least privilege exists---users
6 should only be able to access functions, data files, URLs,
7 controllers, services, and other resources, for which they
8 possess specific authorization. This implies protection
9 against spoofing and elevation of privilege.
10
11 \addtocounter{enumi}{2}
12 \item
13 \TODO{}
14 Verify that access to sensitive records is protected, such
15 that only authorized objects or data is accessible to each
16 user (for example, protect against users tampering with a
17 parameter to see or alter another user's account).
18
19 \item
20 \fail{}
21 Verify that directory browsing is disabled unless
22 deliberately desired. Additionally, applications should not
23 allow discovery or disclosure of file or directory metadata,
24 such as \code{Thumbs.db}, \code{.DS\_Store}, \code{.git} or \code{.svn} folders.
25
26 \begin{result}
27 \begin{itemize}[leftmargin=*]
28 \item \code{.gitignore} is accessible, as is every other dot-prefixed file (except \code{.htaccess} itself, which Apache's default rules protect), as are files such as \code{Thumbs.db} and \code{.DS\_Store}.
29 \item Directory contents were listed in my simple setup. A global Apache setting may disable listing by default, but the \code{.htaccess} file does not explicitly disable it (with \code{Options -Indexes}), so the CMS's codebase effectively leaves directory listing enabled by default.
30 \end{itemize}
31 \end{result}
32
33 \addtocounter{enumi}{2}
34 \item
35 \TODO{}
36 Verify that access controls fail securely.
37
38 \item
39 \TODO{}
40 Verify that the same access control rules implied by the
41 presentation layer are enforced on the server side.
42
43 \item
44 \TODO{}
45 Verify that all user and data attributes and policy
46 information used by access controls cannot be
47 manipulated by end users unless specifically authorized.
48
49 \notapplicable{
50 \item
51 Verify that there is a centralized mechanism (including
52 libraries that call external authorization services) for
53 protecting access to each type of protected resource.
54 }
55
56 \item
57 \fail{}
58 Verify that all access control decisions can be logged and
59 all failed decisions are logged.
60
61 \begin{result}
62 No such decision logging is present. The only logging is a small amount related to content (pages and articles) not being found.
63 \end{result}
64
65 \item
66 \fail{}
67 Verify that the application or framework uses strong
68 random anti-CSRF tokens or has another transaction
69 protection mechanism.
70
71 \begin{result}
72 There is no transaction protection mechanism at all.
73 \end{result}
74
75 \item
76 \fail{}
77 Verify the system can protect against aggregate or
78 continuous access of secured functions, resources, or
79 data. For example, consider the use of a resource
80 governor to limit the number of edits per hour or to
81 prevent the entire database from being scraped by an
82 individual user.
83
84 \begin{result}
85 No such prevention is present.
86 \end{result}
87
88 \item
89 \TODO{}
90 Verify the application has additional authorization (such
91 as step up or adaptive authentication) for lower value
92 systems, and / or segregation of duties for high value
93 applications to enforce anti-fraud controls as per the risk
94 of application and past fraud.
95
96 (nope)
97
98 \item
99 \TODO{}
100 Verify that the application correctly enforces context-sensitive
101 authorisation so as to not allow unauthorised
102 manipulation by means of parameter tampering.
103
104 (nope)
105
106 \end{enumerate}