v5 done
[ssproject1617.git] / report / v5_input.tex
\begin{enumerate}[label={5.\arabic*}]
\item\pass{} Verify that the runtime environment is not susceptible to buffer
overflows, or that security controls prevent buffer overflows.

According to \emph{OWASP}'s statement\footnote{\url{%
https://www.owasp.org/index.php/Buffer_Overflows\#Platforms_Affected}}
\PHP{} is not susceptible to buffer overflows as long as no external
programs or extensions are used, and none are used here.
% They skip 5.2
\addtocounter{enumi}{1}
\item\fail{} Verify that server side input validation failures result in
request rejection and are logged.

\texttt{filter\_var} is used for input validation and, while errors are
returned to the user, no logging takes place.
% They skip 5.4
\addtocounter{enumi}{1}
\item\pass{} Verify that input validation routines are enforced on the server
side.

Errors are accumulated in an array which, when non-empty, will fail the
function and report the error.
\notapplicable{\item Verify that a single input validation control is used
by the application for each type of data that is accepted.}

% They skip 5.7-5.9
\addtocounter{enumi}{3}
\item\fail{} Verify that all SQL queries, HQL, OSQL, NOSQL and stored
procedures, calling of stored procedures are protected by the
use of prepared statements or query parameterization, and
thus not susceptible to SQL injection.

This is not the case; see for example \srcref{users.php}{45}. However,
in some cases prepared statements are used, such as in
\srcref{users.php}{145}.
\item\pass{} Verify that the application is not susceptible to LDAP
Injection, or that security controls prevent LDAP Injection.

\LDAP{} is not used, thus the application is not susceptible.
\item\pass{} Verify that the application is not susceptible to OS Command
Injection, or that security controls prevent OS Command Injection.

This requirement depends heavily on the configuration of the \PHP{}
interpreter and the database. No system commands are used, but since
\SQL{} injection is trivial (see 5.10) it might be possible to run
commands via the database. However, with a sufficiently secure \SQL{}
configuration this cannot take place.
\end{enumerate}
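The following is an added example, not code from the audited project, showing what would satisfy 5.3, 5.5 and 5.10 together: \texttt{filter\_var} checks whose errors are accumulated in an array, a rejection path that logs the failure server-side, and a parameterized insert in place of string concatenation. The function names, field names, table name and the \texttt{\$pdo} connection are assumptions.

```php
<?php
// Added example, not the audited project's code: filter_var validation that
// accumulates errors, rejects and logs on failure (5.3/5.5), and a prepared
// statement in place of string concatenation (5.10). Names are assumptions.
// Validate a user-creation request; returns [$clean, $errors].
function validateUserInput(array $input): array
{
    $errors = [];
    $clean  = [];

    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email: invalid address';
    } else {
        $clean['email'] = $email;
    }

    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $errors[] = 'age: not an integer in 0..150';
    } else {
        $clean['age'] = $age;
    }

    return [$clean, $errors];
}

// Reject the request and log the reason server-side (the missing half of 5.3).
function rejectAndLog(array $errors, string $clientIp): void
{
    error_log(sprintf('input validation failed for %s: %s',
        $clientIp, implode('; ', $errors)));
    http_response_code(400);
    echo 'Invalid input';          // generic message only; details stay in the log
}

// Insert using a parameterized query; $pdo is an assumed PDO connection.
function insertUser(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare('INSERT INTO users (email, age) VALUES (:email, :age)');
    $stmt->execute([':email' => $clean['email'], ':age' => $clean['age']]);
}

[$clean, $errors] = validateUserInput($_POST);
if ($errors !== []) {
    rejectAndLog($errors, $_SERVER['REMOTE_ADDR'] ?? 'unknown');
    exit;
}
```

Only the validated values in \texttt{\$clean} ever reach the query, and they reach it as bound parameters rather than as part of the SQL string.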