% They skip 5.7-5.9
\addtocounter{enumi}{3}
- \item\fail{} Verify that all SQL queries, HQL, OSQL, NOSQL and stored
- procedures, calling of stored procedures are protected by the
- use of prepared statements or query parameterization, and
- thus not susceptible to SQL injection.
-
- This is not the case. For example in \srcref{users.php}{45}. However,
- in some cases prepared statements are used, such as is
- \srcref{users.php}{145}.
+ \item\fail{} Verify that all \SQL{} queries, \texttt{HQL}, \texttt{OSQL},
+ \texttt{NOSQL} and stored procedures, calling of stored procedures are
+ protected by the use of prepared statements or query parameterization,
+ and thus not susceptible to \SQL{} injection.
+
+ This is not the case. For example in \srcref{classes/users.php}{45}.
+ However, in some cases prepared statements are used, such as is
+ \srcref{classes/users.php}{145}.
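Review bot: "such as is \srcref{classes/users.php}{145}" should read "such as in"; the wording was carried over unchanged from the removed line while the path was rewritten. While these lines are being touched, confirm whether "classes/users.php" here and "classes/user.php" in the password-recovery item are really two different files, since both spellings appear after the path rewrite. The "\SQL{}" macro matches its use in the command-injection item, but setting "HQL", "OSQL" and "NOSQL" in "\texttt" makes them read as code identifiers rather than query-language names; plain text (or the same treatment as "\SQL{}") would be consistent.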
\item\pass{} Verify that the application is not susceptible to LDAP
Injection, or that security controls prevent LDAP Injection.
Injection, or that security controls prevent OS Command Injection.
This requirement heavily depends on the configuration of the \PHP{}
- interpreter and database. There are no system commands used but since
+ interpreter and database, there are no system commands used but since
it is trivial to do an \SQL{} injection it might be possible to run
commands via the database. However, which a sufficiently secure \SQL{}
config this can not take place.
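Review bot: replacing the full stop with a comma in "interpreter and database, there are no system commands used but since" joins two independent clauses into a comma splice; the removed version with the period was grammatically correct. Either keep the period or restructure as "... and database; no system commands are used, but since ...". The unchanged text of the same paragraph also has "which a sufficiently secure \SQL{} config" where "with" is meant, and "can not" should be "cannot".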
is a path to a file.
Some file inclusion might be possible in the themes. Also in password
- recovery (\srcref{system/classes/user.php}{115}) filepaths are
- calculated on the hash of the password. All non standard filepaths,
- such as admin or theme files, are generated using functions. CMS urls
- are parsed using a standard system wide \texttt{parse} function.
+ recovery\\
+ (\srcref{classes/user.php}{115}) filepaths are calculated on the
+ hash of the password. All non standard filepaths, such as admin or
+ theme files, are generated using functions. CMS urls are parsed using a
+ standard system wide \texttt{parse} function.
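Review bot: the added "recovery\\" forces a hard line break inside a paragraph, which leaves a short ragged line whose position depends on the current text width and will look wrong as soon as the paragraph reflows. The underlying problem is presumably that the long "\srcref{classes/user.php}{115}" argument cannot be hyphenated; prefer making the path breakable inside "\srcref" (for example with "\allowbreak" or the url package's "\path") and keeping the sentence on one line, rather than a manual "\\". In the same lines, "filepaths" and "non standard" would normally be "file paths" and "non-standard".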
\item\pass{} Verify that the application is not susceptible to common
\XML{} attacks, such as XPath query tampering, \XML{} External Entity
attacks, and \XML{} injection attacks.
output is not filtered.
\item\pass{} Verify that structured data is strongly typed and validated
against a defined schema including allowed characters, length and
- pattern (e.g. credit card numbers or telephone, or validating that two
+ pattern (e.g.\ credit card numbers or telephone, or validating that two
related fields are reasonable, such as validating suburbs and zip or
post codes match).
Email addresses are validated against \PHP's stander functionality.
Note that the \PHP{} email validation is not perfect and some valid
- email addresses are rejected(such as email addresses with non-ASCII
+ email addresses are rejected (such as email addresses with non-ASCII
characters). The other requirements are not used.
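Review bot: the space inserted before "(such as email addresses" is correct; in the same passage the unchanged line "\PHP's stander functionality" has a typo ("standard") that could be fixed in the same change, and "\PHP's" relies on the apostrophe terminating the macro name, which works but is clearer as "\PHP{}'s", matching how "\PHP{}" is written on the following line.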
\item\pass{} Verify that unstructured data is sanitized to enforce generic
safety measures such as allowed characters and length, and characters
\texttt{.val}.
The \JQuery{} framework is used for this.
- \item Verify when parsing \JSON{} in browsers, that \text{JSON.parse} is
- used to parse \JSON{} on the client. Do not use \texttt{eval()} to
- parse \JSON{} on the client.
+ \item\pass{} Verify when parsing \JSON{} in browsers, that
+ \texttt{JSON.parse} is used to parse \JSON{} on the client. Do not use
+ \texttt{eval()} to parse \JSON{} on the client.
- \item Verify that authenticated data is cleared from client storage, such
- as the browser DOM, after the session is terminated
+ There is no \JSON{} transfer outside the toolkits.
+ \item\pass{} Verify that authenticated data is cleared from client storage,
+ such as the browser DOM, after the session is terminated.
+
+ No DOM storage is used.
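Review bot: the added justification "There is no \JSON{} transfer outside the toolkits." directly follows the "\item\pass{}" requirement text without the blank line that separates the verdict text from its justification elsewhere (compare the blank line added before "No DOM storage is used." and the one in the \SQL{} injection item), so it will be typeset as part of the requirement's own paragraph; add the blank line for consistency. The change from "\text{JSON.parse}" to "\texttt{JSON.parse}" is the right fix, since "\text" is an amsmath command meant for use inside math mode.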
\end{enumerate}