\item\pass{} Verify that the runtime environment is not susceptible to buffer
overflows, or that security controls prevent buffer overflows.
As of \emph{OWASP}'s statement\footnote{\url{%
https://www.owasp.org/index.php/Buffer_Overflows\#Platforms_Affected}}
\PHP{} is not surceptible to buffer overflows as long no external
programs or extensions are used which is not the case.
Errors are accumulated in an array which, when non-empty, will fail the
function and report the error.
\notapplicable{\item Verify that a single input validation control is used
by the application for each type of data that is accepted.}
% They skip 5.7-5.9
\addtocounter{enumi}{3}
- \item\fail{} Verify that all \SQL{} queries, \texttt{HQL}, \texttt{OSQL},
- \texttt{NOSQL} and stored procedures, calling of stored procedures are
+ \item\fail{} Verify that all \SQL{} queries, \code{HQL}, \code{OSQL},
+ \code{NOSQL} and stored procedures, calling of stored procedures are
protected by the use of prepared statements or query parameterization,
and thus not susceptible to \SQL{} injection.
This is not the case. For example in \srcref{classes/users.php}{45}.
However, in some cases prepared statements are used, such as is
\srcref{classes/users.php}{145}.
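Review bot: switching `\texttt` to `\code` for `HQL`, `OSQL` and `NOSQL` leaves three query-language acronyms styled as code identifiers while `\SQL{}` on the same line is an acronym macro; since this same change introduces `\CMS{}`, `\REST{}`, `\HTTP{}` and `\RSS{}` macros for acronyms elsewhere in the file, use the same treatment here (`\HQL{}`, `\OSQL{}`, `\NOSQL{}`) and keep `\code{}` for real identifiers such as `JSON.parse` and `eval()`. The result paragraph below the item would also read more usefully as a fail if it said how many queries are unparameterised rather than citing `\srcref{classes/users.php}{45}` as a single example against line 145 as a prepared one.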
\item\pass{} Verify that the application is not susceptible to OS Command
Injection, or that security controls prevent OS Command Injection.
This requirement heavily depends on the configuration of the \PHP{}
interpreter and database, there are no system commands used but since
it is trivial to do an \SQL{} injection it might be possible to run
commands via the database. However, which a sufficiently secure \SQL{}
config this can not take place.
\item\pass{} Verify that the application is not susceptible to Remote File
Inclusion (RFI) or Local File Inclusion (LFI) when content is used that
is a path to a file.
Some file inclusion might be possible in the themes. Also in password
recovery\\
(\srcref{classes/user.php}{115}) filepaths are calculated on the
hash of the password. All non standard filepaths, such as admin or
- theme files, are generated using functions. CMS urls are parsed using a
- standard system wide \texttt{parse} function.
+ theme files, are generated using functions. \CMS{} urls are parsed using a
+ standard system wide \code{parse} function.
+ \end{result}
+
\item\pass{} Verify that the application is not susceptible to common
\XML{} attacks, such as XPath query tampering, \XML{} External Entity
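Review bot: the added `\end{result}` closes an environment whose `\begin{result}` is not in the visible context; confirm that the opening sits before the `Some file inclusion might be possible in the themes.` paragraph and that the other result paragraphs in this list (for example the one after the OS Command Injection item, which gets no `\end{result}` in this change) are wrapped the same way, otherwise LaTeX will stop on the unmatched `\end{result}`. On the same lines, `\CMS{} urls` mixes the new acronym macro with lower-case `urls`; `\CMS{} URLs` (or a `\URL{}` macro if the preamble defines one) is the consistent form.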
\item\fail{} Ensure that all string variables placed into \HTML{} or other
web client code is either properly contextually encoded manually, or
utilize templates that automatically encode contextually to ensure the
application is not susceptible to reflected, stored and DOM Cross-Site
\item\pass{} If the application framework allows automatic mass parameter
assignment (also called automatic variable binding) from the inbound
request to a model, verify that security sensitive fields such as
``accountBalance'', ``role'' or ``password'' are protected from
malicious automatic binding.
however, defaults are always given and there is no possibility of
accidentally binding extra variables. Also the variables are in an
array.
cookies, headers, environment, etc.)
The system explicitly makes a difference with the different input
types. As said in the previous item, the function that does this
parameter parsing is system wide and uses defaults and filters unwanted
parameters.
\item\fail{} Verify that client side validation is used as a second line of
defense, in addition to server side validation.
There is client side validation on comments in the email section. There
is no validation for the comments itself to check for malafide \HTML{}.
In the admin panel the email address is not validated.
- fields but all sources of input such as REST calls, query parameters,
- HTTP headers, cookies, batch files, RSS feeds, etc; using positive
+ fields but all sources of input such as \REST{} calls, query parameters,
+ \HTTP{} headers, cookies, batch files, \RSS{} feeds, etc; using positive
validation (whitelisting), then lesser forms of validation such as
greylisting (eliminating known bad strings), or rejecting bad inputs
(blacklisting).
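Review bot: `\REST{}`, `\HTTP{}` and `\RSS{}` are introduced on these two lines, but the other acronyms visible in this section (RFI and LFI, WYSIWYG, DOM, XPath) stay as plain text; either extend the macro set in the same commit or say in the commit message why only these three are converted, so the next pass does not have to guess the convention. In the unchanged context directly below, `etc;` should read `etc.;` before the list of validation strategies.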
\item\pass{} Verify that structured data is strongly typed and validated
against a defined schema including allowed characters, length and
pattern (e.g.\ credit card numbers or telephone, or validating that two
related fields are reasonable, such as validating suburbs and zip or
Email addresses are validated against \PHP's stander functionality.
Note that the \PHP{} email validation is not perfect and some valid
email addresses are rejected (such as email addresses with non-ASCII
characters). The other requirements are not used.
\item\pass{} Verify that unstructured data is sanitized to enforce generic
safety measures such as allowed characters and length, and characters
potentially harmful in given context should be escaped (e.g.\ natural
names with Unicode or apostrophes, such as
\begin{CJK}{UTF8}{min}ねこ\end{CJK} or O'Hara)
\item\fail{} Make sure untrusted \HTML{} from WYSIWYG editors or similar are
properly sanitized with an \HTML{} sanitizer and handle it
\item\fail{} For auto-escaping template technology, if UI escaping is disabled,
ensure that \HTML{} sanitization is enabled instead.
- \texttt{JSON.parse} is used to parse \JSON{} on the client. Do not use
- \texttt{eval()} to parse \JSON{} on the client.
+ \code{JSON.parse} is used to parse \JSON{} on the client. Do not use
+ \code{eval()} to parse \JSON{} on the client.
\item\pass{} Verify that authenticated data is cleared from client storage,
such as the browser DOM, after the session is terminated.