\usepackage{geometry}
\usepackage{hyperref}
\usepackage{enumitem}
+\usepackage{pifont}
\usepackage[dvipsnames]{xcolor}
\hypersetup{hidelinks, pdftitle={OWASP ASVS Souce Code Review Project}}
% Als een criterium niet applicable is (we doen alleen 1 en 2)
\newcommand{\notapplicable}[1]{{\color{Gray} #1}}
-% Php
+% Tools afkortingen
\newcommand{\PHP}{\textsc{PHP}}
+\newcommand{\SQL}{\textsc{SQL}}
+\newcommand{\LDAP}{\textsc{LDAP}}
+
% Reference naar de source
-\newcommand{\srcref}[2]{\footnote{As in \texttt{#1} line (s) \texttt{#2}}}
+\newcommand{\srcref}[2]{\texttt{#1} (line (s) #2)}
+
+% Pass en fail
+\newcommand{\pass}{\ding{51}}
+\newcommand{\fail}{\ding{55}}
\renewcommand\thesubsection{V\arabic{subsection}}
\begin{enumerate}[label={5.\arabic*}]
- \item Verify that the runtime environment is not susceptible to buffer
+ \item\pass{} Verify that the runtime environment is not susceptible to buffer
overflows, or that security controls prevent buffer overflows.
As of \emph{OWASP}'s statement\footnote{\url{%
programs or extensions are used which is not the case.
% They skip 5.2
\addtocounter{enumi}{1}
- \item Verify that server side input validation failures result in
+ \item\fail{} Verify that server side input validation failures result in
request rejection and are logged.
+ \texttt{filter\_var} is used for input validation and while errors are
+ returned to the user, no logging taking place.
% They skip 5.4
\addtocounter{enumi}{1}
- \item Verify that input validation routines are enforced on the server
+ \item\pass{} Verify that input validation routines are enforced on the server
side.
- \item\notapplicable{Verify that a single input validation control is used
+ Errors are accumulated in an array which, when non-empty, will fail the
+ function and report the error.
+ \notapplicable{\item Verify that a single input validation control is used
by the application for each type of data that is accepted.}
% They skip 5.7-5.9
\addtocounter{enumi}{3}
- \item Verify that all SQL queries, HQL, OSQL, NOSQL and stored
+ \item\fail{} Verify that all SQL queries, HQL, OSQL, NOSQL and stored
procedures, calling of stored procedures are protected by the
use of prepared statements or query parameterization, and
thus not susceptible to SQL injection.
- \item Verify that the application is not susceptible to LDAP
+ This is not the case. For example in \srcref{users.php}{45}. However,
+ in some cases prepared statements are used, such as is
+ \srcref{users.php}{145}.
+ \item\pass{} Verify that the application is not susceptible to LDAP
Injection, or that security controls prevent LDAP Injection.
- \item Verify that the application is not susceptible to OS Command
+ \LDAP{} is not used, thus the application is not susceptible.
+ \item\pass{} Verify that the application is not susceptible to OS Command
Injection, or that security controls prevent OS Command Injection.
+
+ This requirement heavily depends on the configuration of the \PHP{}
+ interpreter and database. There are no system commands used but since
+ it is trivial to do an \SQL{} injection it might be possible to run
+ commands via the database. However, which a sufficiently secure \SQL{}
+ config this can not take place.
\end{enumerate}
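Review bot: the 5.12 (OS command injection) item at the end of this hunk is marked \pass{} while its own justification says an \SQL{} injection is trivial and could let an attacker run commands through the database; 5.10 is marked \fail{} on that same evidence, so the pass here rests on an assumed database configuration that the code review did not verify. Either state that assumption in the item text (for example "assuming the database account cannot execute OS commands, which was not verified") or give 5.12 the same verdict as 5.10 so the two items are consistent. Wording in the same region: "However, which a sufficiently secure \SQL{} config this can not take place" should read "with" and "cannot"; in 5.10, "such as is \srcref{users.php}{145}" should be "such as in"; in 5.3, "no logging taking place" should be "no logging takes place". In the new \srcref definition, "(line (s) #2)" renders with a stray space, so write "(line(s) #2)"; and since 5.10 spells SQL in plain text while 5.12 uses the new \SQL{} macro, use the macro in both. The pdftitle in the unchanged preamble still reads "Souce Code Review" (should be "Source"), which could be fixed while this preamble is being touched.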