From: Kelley van Evert Date: Wed, 19 Oct 2016 15:15:18 +0000 (+0200) Subject: Added V4: Access Control (work in progress) X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=20e903f2b0b34d248789d8b600116a064d1b53ea;p=ssproject1617.git Added V4: Access Control (work in progress) --- diff --git a/report/v4_access.tex b/report/v4_access.tex new file mode 100644 index 0000000..f5a80fb --- /dev/null +++ b/report/v4_access.tex 
@@ -0,0 +1,106 @@ +\begin{enumerate}[label={4.\arabic*}] + +\item +\TODO{} +Verify that the principle of least privilege exists - users +should only be able to access functions, data files, URLs, +controllers, services, and other resources, for which they +possess specific authorization. This implies protection +against spoofing and elevation of privilege. + +\addtocounter{enumi}{2} +\item +\TODO{} +Verify that access to sensitive records is protected, such +that only authorized objects or data is accessible to each +user (for example, protect against users tampering with a +parameter to see or alter another user's account). + +\item +\fail{} +Verify that directory browsing is disabled unless +deliberately desired. Additionally, applications should not +allow discovery or disclosure of file or directory metadata, +such as \code{Thumbs.db}, \code{.DS\_Store}, \code{.git} or \code{.svn} folders. + +\begin{result} +\begin{itemize}[leftmargin=*] + \item \code{.gitignore} accessible, as well as any other dot-preceded file (except \code{.htaccess} itself by default Apache rules), as well as files such as \code{Thumbs.db} and \code{.DS\_Store}. + \item Directory contents were listed in my simple setup. A global apache setting may disable by default, but the \code{.htaccess} file doesn't explicitly disable (with \code{Options -Indexes}), so that the CMS's codebase basically enables the listing by default. +\end{itemize} +\end{result} + +\addtocounter{enumi}{2} +\item +\TODO{} +Verify that access controls fail securely. + +\item +\TODO{} +Verify that the same access control rules implied by the +presentation layer are enforced on the server side. + +\item +\TODO{} +Verify that all user and data attributes and policy +information used by access controls cannot be +manipulated by end users unless specifically authorized. 
+ +\notapplicable{ +\item +Verify that there is a centralized mechanism (including +libraries that call external authorization services) for +protecting access to each type of protected resource. +} + +\item +\fail{} +Verify that all access control decisions can be logged and +all failed decisions are logged. + +\begin{result} +No such decision logging present. There is only a minor amount of logging, and this is related to not finding content (pages and articles). +\end{result} + +\item +\fail{} +Verify that the application or framework uses strong +random anti-CSRF tokens or has another transaction +protection mechanism. + +\begin{result} +There is no transation protection mechanism at all. +\end{result} + +\item +\fail{} +Verify the system can protect against aggregate or +continuous access of secured functions, resources, or +data. For example, consider the use of a resource +governor to limit the number of edits per hour or to +prevent the entire database from being scraped by an +individual user. + +\begin{result} +No such prevention present. +\end{result} + +\item +\TODO{} +Verify the application has additional authorization (such +as step up or adaptive authentication) for lower value +systems, and / or segregation of duties for high value +applications to enforce anti-fraud controls as per the risk +of application and past fraud. + +(nope) + +\item +\TODO{} +Verify that the application correctly enforces context- +sensitive authorisation so as to not allow unauthorised +manipulation by means of parameter tampering. + +(nope) + +\end{enumerate}
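Review bot: the `\notapplicable{ \item Verify that there is a centralized mechanism ... }` block wraps an `\item` inside a macro argument, which is fragile in LaTeX (an `\item` must be issued directly in the list body, and text in a macro argument can break with `%`, `#`, or verbatim-like content); prefer keeping `\item` at list level and marking the verdict inside it, e.g. `\item \notapplicable{} Verify that there is a centralized mechanism ...`, which also matches the `\item \fail{}` / `\item \TODO{}` pattern used elsewhere in this hunk. Two smaller points in the same hunk: "There is no transation protection mechanism at all." should read "transaction", and the two trailing "(nope)" lines under 4.15 and 4.16 are unstyled placeholders while the items are still tagged `\TODO{}`; either change the tag to `\fail{}` and move the finding into a `\begin{result} ... \end{result}` block like the other failed items, or drop the "(nope)" until the check is done. Finally, the 4.5 result says listing was observed "in my simple setup" and that a global Apache setting "may disable by default"; that is a useful caveat, but the verdict would be clearer if the result stated the recommended mitigation it already alludes to, namely adding `Options -Indexes` to the shipped `.htaccess` so the CMS does not rely on server-wide configuration.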