X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv5_input.tex;h=31a94be5f7683c276a3f33df5b4b0886a8864e73;hb=af25f63fbee0be2789af6b0915b06ed7377f8469;hp=5e8142962602e89cc5498ffcd5b2dd5fa199ccdd;hpb=076d55f5ef92dca4c39a88ea191c15620bb8cd9e;p=ssproject1617.git diff --git a/report/v5_input.tex b/report/v5_input.tex index 5e81429..31a94be 100644 --- a/report/v5_input.tex +++ b/report/v5_input.tex @@ -3,9 +3,9 @@ overflows, or that security controls prevent buffer overflows. \begin{result} - As of \emph{OWASP}'s statement\footnote{\url{% + As of OWASP's statement\footnote{\url{% https://www.owasp.org/index.php/Buffer_Overflows\#Platforms_Affected}} - \PHP{} is not surceptible to buffer overflows as long no external + \PHP{} is not susceptible to buffer overflows as long no external programs or extensions are used which is not the case. \end{result} @@ -36,7 +36,7 @@ \addtocounter{enumi}{3} \item\fail{} Verify that all \SQL{} queries, \code{HQL}, \code{OSQL}, \code{NOSQL} and stored procedures, calling of stored procedures are - protected by the use of prepared statements or query parameterization, + protected by the use of prepared statements or query parametrization, and thus not susceptible to \SQL{} injection. \begin{result} @@ -59,8 +59,8 @@ This requirement heavily depends on the configuration of the \PHP{} interpreter and database, there are no system commands used but since it is trivial to do an \SQL{} injection it might be possible to run - commands via the database. However, which a sufficiently secure \SQL{} - config this can not take place. + commands via the database. However, with a sufficiently secure \SQL{} + configuration this can not take place. \end{result} \item\pass{} Verify that the application is not susceptible to Remote File 
@@ -134,7 +134,7 @@ \item\fail{} Verify that all input data is validated, not only \HTML{} form fields but all sources of input such as \REST{} calls, query parameters, \HTTP{} headers, cookies, batch files, \RSS{} feeds, etc; using positive - validation (whitelisting), then lesser forms of validation such as + validation (white-listing), then lesser forms of validation such as greylisting (eliminating known bad strings), or rejecting bad inputs (blacklisting). @@ -151,7 +151,7 @@ post codes match). \begin{result} - Email addresses are validated against \PHP's stander functionality. + Email addresses are validated against \PHP's standard functionality. Note that the \PHP{} email validation is not perfect and some valid email addresses are rejected (such as email addresses with non-ASCII characters). The other requirements are not used.
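Review bot: the grammar fix in the first hunk (@@ -3,9) is incomplete: the line now reads "is not susceptible to buffer overflows as long no external programs or extensions are used", which still needs "as long as". Suggest `\PHP{} is not susceptible to buffer overflows as long as no external`. The trailing "which is not the case" is also ambiguous (it can be read as "PHP is not the case"); "and the application uses none" would make the result unambiguous.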
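Review bot: the second hunk (@@ -36,7) edits the quoted ASVS requirement text, and "parameterization" is the spelling the standard itself uses; changing it to "parametrization" moves the quoted requirement away from the source wording for no gain. Leave `protected by the use of prepared statements or query parameterization,` as it was and confine spelling changes to the report's own result paragraphs.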
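Review bot: in the third hunk (@@ -59,8) "this can not take place" should be "cannot", and the result still contradicts itself: it says SQL injection is trivial, then that running commands via the database cannot happen given "a sufficiently secure SQL configuration", without saying which configuration was actually checked. Either state what the database configuration restricts (for instance the privileges of the account the application connects with) or weaken the claim to "is mitigated by"; as written the pass depends on an assumption the report does not verify.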
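Review bot: the fourth hunk (@@ -134,7) hyphenates "white-listing" but leaves "greylisting" and "blacklisting" two lines below unhyphenated, and this is again quoted requirement text where the standard writes "whitelisting". Either revert this change or hyphenate all three consistently; reverting is the simpler option.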
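Review bot: the last hunk (@@ -151,7) fixes "stander", but "validated against \PHP's standard functionality" still does not name the function used, so the caveat that follows about rejected non-ASCII addresses cannot be checked against the code; name it (filter_var() with FILTER_VALIDATE_EMAIL is the standard PHP validator, if that is what the application calls). "The other requirements are not used." should read "The other requirements do not apply."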