report/v9_data.tex

   1 \begin{enumerate}[label={9.\arabic*}]
   2         \item\fail{} Verify that all forms containing sensitive information
   3                 have disabled client side caching, including autocomplete
   4                 features.
   5
   6                 \begin{result}
   7                         The login and page/post editing/creation forms post back to the same page, thereby incentivising the browser to cache the form inputs as well. This is as opposed to the common post/redirect/get model (see \url{http://en.wikipedia.org/wiki/Post/Redirect/Get}). Also, the \texttt{Cache-Control} isn't explicitly used anywhere in the CMS to aid the situation. In my test setup, the response does send \texttt{Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0}, but that'll be a default global Apache setting, I think.
   8                 \end{result}
   9
  10         \notapplicable{\item Verify that the list of sensitive data processed by the
  11                 application is identified, and that there is an explicit
  12                 policy for how access to this data must be controlled,
  13                 encrypted and enforced under relevant data protection
  14                 directives.}
  15
  16         \item\pass{} Verify that all sensitive data is sent to the server in the
  17                 HTTP message body or headers (i.e., URL parameters are
  18                 never used to send sensitive data).
  19
  20                 \begin{result}
  21                         With the exception of the install script, which we treat separately as explained above, this is indeed the case.
  22                 \end{result}
  23
  24         \item\fail{} Verify that the application sets appropriate anti-caching
  25                 headers as per the risk of the application, such as the
  26                 following:
  27                 \begin{verbatim}
  28                         Expires: Tue, 03 Jul 2001 06:00:00 GMT
  29                         Last-Modified: {now} GMT
  30                         Cache-Control: no-store, no-cache, must-
  31                         revalidate, max-age=0
  32                         Cache-Control: post-check=0, pre-check=0
  33                         Pragma: no-cache
  34                 \end{verbatim}
  35
  36                 \begin{result}
  37                         Cache control header are never set by the CMS. The fact that headers as these are indeed sent to the broswer in my test setup is probably due to default global Apache settings.
  38                 \end{result}
  39
  40         \item\pass{} Verify that on the server, all cached or temporary copies
  41                 of sensitive data stored are protected from unauthorized
  42                 access or purged/invalidated after the authorized user
  43                 accesses the sensitive data.
  44
  45                 \begin{result}
  46                         Vacuously.
  47                 \end{result}
  48
  49         \notapplicable{\item Verify that there is a method to remove each type of
  50                 sensitive data from the application at the end of the
  51                 required retention policy.}
  52
  53         \item\pass{} Verify the application minimizes the number of
  54                 parameters in a request, such as hidden fields, Ajax
  55                 variables, cookies and header values.
  56
  57                 \begin{result}
  58                         The CMS by no means sends any larger amount of parameters than would be expected, seen as it is but a simple app and mostly lacks extra functionality often leading to this kind of excessive parameter transferring, so I count this as a pass.
  59                 \end{result}
  60
  61         \notapplicable{\item Verify the application has the ability to detect and alert
  62                 on abnormal numbers of requests for data harvesting for
  63                 an example screen scraping.}
  64
  65         \item\pass{} Verify that data stored in client side storage (such as
  66                 HTML5 local storage, session storage, IndexedDB, regular
  67                 cookies or Flash cookies) does not contain sensitive data
  68                 or PII.
  69
  70                 \begin{result}
  71                         Vacuously: data is not stored on the client side.
  72                 \end{result}
  73
  74         \item\pass{} Verify accessing sensitive data is logged, if the data is
  75                 collected under relevant data protection directives or
  76                 where logging of accesses is required.
  77
  78                 \begin{result}
  79                         No logging occurs at all.
  80                 \end{result}
  81
  82         \item\pass{} Verify that sensitive information maintained in memory
  83                 is overwritten with zeros as soon as it no longer required,
  84                 to mitigate memory dumping attacks.
  85
  86                 \begin{result}
  87                         I consider this outside of the scope of the CMS's security requirements, as it is written in, and thus relies on the (memory) security of, PHP.
  88                 \end{result}
  89
  90 \end{enumerate}