repositories
/
ssproject1617.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
076d55f
)
Fix V2.2, add annotation that it was found using Fortify
author
Daan Sprenkels
<dsprenkels@gmail.com>
Wed, 16 Nov 2016 11:21:12 +0000
(12:21 +0100)
committer
Daan Sprenkels
<dsprenkels@gmail.com>
Wed, 16 Nov 2016 11:21:12 +0000
(12:21 +0100)
report/v2_authentication.tex
patch
|
blob
|
history
diff --git
a/report/v2_authentication.tex
b/report/v2_authentication.tex
index
57a210e
..
ea7cbe5
100644
(file)
--- a/
report/v2_authentication.tex
+++ b/
report/v2_authentication.tex
@@
-15,15
+15,19
@@
public (Principle of complete mediation).
\end{result}
\item
\end{result}
\item
-\
pass
{}
+\
fail
{}
Verify that forms containing credentials are not filled in by
the application. Pre-filling by the application implies that
credentials are stored in plaintext or a reversible format,
which is explicitly prohibited.
\begin{result}
Verify that forms containing credentials are not filled in by
the application. Pre-filling by the application implies that
credentials are stored in plaintext or a reversible format,
which is explicitly prohibited.
\begin{result}
-No credentials (that should not be stored in plain text) are ever filled in by
-the application.
+No credentials that come from the database are pre-filled by the application.
+However, in some forms, the application pre-fills password fields from the
+request's POST data. This is not necesarry.\footnote{This issue was actually
+overlooked when auditing manually, and was found when running the Fortify tool.
+In the initial audit, we only ensured that no internal information (from the
+database) was leaked in this way.}
\end{result}
\setcounter{enumi}{3}
\end{result}
\setcounter{enumi}{3}