Fix V2.2, add annotation that it was found using Fortify

author Daan Sprenkels <dsprenkels@gmail.com>

Wed, 16 Nov 2016 11:21:12 +0000 (12:21 +0100)

committer Daan Sprenkels <dsprenkels@gmail.com>

Wed, 16 Nov 2016 11:21:12 +0000 (12:21 +0100)
author Daan Sprenkels <dsprenkels@gmail.com>
Wed, 16 Nov 2016 11:21:12 +0000 (12:21 +0100)
committer Daan Sprenkels <dsprenkels@gmail.com>
Wed, 16 Nov 2016 11:21:12 +0000 (12:21 +0100)
diff --git a/report/v2_authentication.tex b/report/v2_authentication.tex

index 57a210e..ea7cbe5 100644 (file)
--- a/report/v2_authentication.tex
+++ b/report/v2_authentication.tex
@@ -15,15 +15,19 @@ public (Principle of complete mediation).
  \end{result}
  
  \item
-\pass{}
+\fail{}
  Verify that forms containing credentials are not filled in by
  the application. Pre-filling by the application implies that
  credentials are stored in plaintext or a reversible format,
  which is explicitly prohibited.
  
  \begin{result}
-No credentials (that should not be stored in plain text) are ever filled in by
-the application.
+No credentials that come from the database are pre-filled by the application.
+However, in some forms, the application pre-fills password fields from the
+request's POST data. This is not necesarry.\footnote{This issue was actually
+overlooked when auditing manually, and was found when running the Fortify tool.
+In the initial audit, we only ensured that no internal information (from the
+database) was leaked in this way.}
  \end{result}
  
  \setcounter{enumi}{3}
author	Daan Sprenkels <dsprenkels@gmail.com>
	Wed, 16 Nov 2016 11:21:12 +0000 (12:21 +0100)
committer	Daan Sprenkels <dsprenkels@gmail.com>
	Wed, 16 Nov 2016 11:21:12 +0000 (12:21 +0100)