From: Mart Lubbers Date: Mon, 17 Oct 2016 13:41:34 +0000 (+0200) Subject: v5 X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=65a7906aba0e57f2e05bad73ce9ba5139b8eab5d;p=ssproject1617.git v5 --- diff --git a/report/.chktexrc b/report/.chktexrc new file mode 100644 index 0000000..69d8ed8 --- /dev/null +++ b/report/.chktexrc @@ -0,0 +1 @@ +WipeArg { \texttt:{} \url:{} } diff --git a/report/preamble.tex b/report/preamble.tex index cc50745..c7a017c 100644 --- a/report/preamble.tex +++ b/report/preamble.tex @@ -1,4 +1,4 @@ -\documentclass[a4paper,titlepage]{article} +\documentclass[draft,a4paper,titlepage]{article} \usepackage{CJKutf8} \usepackage{rutitlepage} @@ -20,9 +20,10 @@ \newcommand{\XML}{\textsc{XML}} \newcommand{\HTML}{\textsc{HTML}} \newcommand{\JSON}{\textsc{JSON}} +\newcommand{\JQuery}{\textsc{JQuery}} % Reference naar de source -\newcommand{\srcref}[2]{\texttt{#1} (line (s) #2)} +\newcommand{\srcref}[2]{{\small\texttt{#1}} (line (s) #2)} % Pass en fail \newcommand{\pass}{\ding{51}} diff --git a/report/v5_input.tex b/report/v5_input.tex index a255deb..51e31d5 100644 --- a/report/v5_input.tex +++ b/report/v5_input.tex 
@@ -25,14 +25,14 @@ % They skip 5.7-5.9 \addtocounter{enumi}{3} - \item\fail{} Verify that all SQL queries, HQL, OSQL, NOSQL and stored - procedures, calling of stored procedures are protected by the - use of prepared statements or query parameterization, and - thus not susceptible to SQL injection. - - This is not the case. For example in \srcref{users.php}{45}. However, - in some cases prepared statements are used, such as is - \srcref{users.php}{145}. + \item\fail{} Verify that all \SQL{} queries, \texttt{HQL}, \texttt{OSQL}, + \texttt{NOSQL} and stored procedures, calling of stored procedures are + protected by the use of prepared statements or query parameterization, + and thus not susceptible to \SQL{} injection. + + This is not the case. For example in \srcref{classes/users.php}{45}. + However, in some cases prepared statements are used, such as is + \srcref{classes/users.php}{145}. \item\pass{} Verify that the application is not susceptible to LDAP Injection, or that security controls prevent LDAP Injection. @@ -41,7 +41,7 @@ Injection, or that security controls prevent OS Command Injection. This requirement heavily depends on the configuration of the \PHP{} - interpreter and database. There are no system commands used but since + interpreter and database, there are no system commands used but since it is trivial to do an \SQL{} injection it might be possible to run commands via the database. However, which a sufficiently secure \SQL{} config this can not take place. 
@@ -52,10 +52,11 @@ is a path to a file. Some file inclusion might be possible in the themes. Also in password - recovery (\srcref{system/classes/user.php}{115}) filepaths are - calculated on the hash of the password. All non standard filepaths, - such as admin or theme files, are generated using functions. CMS urls - are parsed using a standard system wide \texttt{parse} function. + recovery\\ + (\srcref{classes/user.php}{115}) filepaths are calculated on the + hash of the password. All non standard filepaths, such as admin or + theme files, are generated using functions. CMS urls are parsed using a + standard system wide \texttt{parse} function. \item\pass{} Verify that the application is not susceptible to common \XML{} attacks, such as XPath query tampering, \XML{} External Entity attacks, and \XML{} injection attacks. @@ -108,13 +109,13 @@ output is not filtered. \item\pass{} Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and - pattern (e.g. credit card numbers or telephone, or validating that two + pattern (e.g.\ credit card numbers or telephone, or validating that two related fields are reasonable, such as validating suburbs and zip or post codes match). Email addresses are validated against \PHP's stander functionality. Note that the \PHP{} email validation is not perfect and some valid - email addresses are rejected(such as email addresses with non-ASCII + email addresses are rejected (such as email addresses with non-ASCII characters). The other requirements are not used. \item\pass{} Verify that unstructured data is sanitized to enforce generic safety measures such as allowed characters and length, and characters 
@@ -138,10 +139,13 @@ \texttt{.val}. The \JQuery{} framework is used for this. - \item Verify when parsing \JSON{} in browsers, that \text{JSON.parse} is - used to parse \JSON{} on the client. Do not use \texttt{eval()} to - parse \JSON{} on the client. + \item\pass{} Verify when parsing \JSON{} in browsers, that + \texttt{JSON.parse} is used to parse \JSON{} on the client. Do not use + \texttt{eval()} to parse \JSON{} on the client. - \item Verify that authenticated data is cleared from client storage, such - as the browser DOM, after the session is terminated + There is no \JSON{} transfer outside the toolkits. + \item\pass{} Verify that authenticated data is cleared from client storage, + such as the browser DOM, after the session is terminated. + + No DOM storage is used. \end{enumerate}
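Review bot: the `draft` option added in the first preamble.tex hunk (`\documentclass[draft,a4paper,titlepage]{article}`) changes the rendered output and must not reach the submitted PDF. A class option is offered to every package, so graphicx replaces included images with empty frames and hyperref (if loaded) disables links, while overfull boxes are flagged with black rules in the margin. That is handy while hunting the overfull lines this commit works around, but it is easy to forget; either pass it from the build rather than committing it, or add a comment beside it that it has to go before the final build.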
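Review bot: the `\srcref` redefinition in the second preamble.tex hunk keeps the stray space in `(line (s) #2)`, so references render as "(line (s) 45)"; `(line(s) #2)` is what is meant. Shrinking the path with `{\small\texttt{#1}}` helps a little, but `\texttt` still gives TeX no break point inside the path, which is why the v5_input.tex hunk at line 52 needs a manual `\\`; a `\url`/`\path`-style command from the url package (the new .chktexrc already lists `\url`) would let paths break at slashes. The new `\JQuery` macro resolves the previously undefined `\JQuery{}` in the unchanged context line "The \JQuery{} framework is used for this." in v5_input.tex, which is good; note that `\textsc{JQuery}` sets the product name as small-caps "JQUERY", consistent with the other acronym macros but not with the project's own spelling.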
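Review bot: in the v5_input.tex hunk at line 25 the fail justification still reads "such as is \srcref{classes/users.php}{145}"; "such as in" is meant. More importantly for a fail finding, the paragraph only points at line 45 without saying which request input reaches the query unparameterised there and in which query; naming both makes the finding reproducible for the developers and lets a re-test confirm the fix. Marking HQL, OSQL and NOSQL with `\texttt` while SQL uses the `\SQL{}` small-caps macro is inconsistent; these are acronyms in the requirement text, so either `\textsc` for all of them or plain text.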
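Review bot: the one-word edit in the v5_input.tex hunk at line 41 turns two sentences into a comma splice ("...configuration of the \PHP{} interpreter and database, there are no system commands used but since..."); the original full stop was correct, or use "; no system commands are used, but since". The surrounding context lines still carry "which a sufficiently secure \SQL{} config" (should be "with") and "can not" ("cannot"). On substance, the justification concedes that SQL injection is trivial and that running commands through the database "might be possible", then rests the verdict on a database configuration the assessment did not check; either make the verdict explicitly conditional on that configuration, or verify the database user's privileges and cite what was checked.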
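Review bot: the forced `\\` after "recovery" in the v5_input.tex hunk at line 52 is a fragile fix for an overfull line: it hard-codes a break that will sit wrong as soon as the text or layout changes and leaves the preceding line short. The root cause is that `\srcref` wraps the path in `\texttt`, which TeX will not break; allowing breaks in the path, or rephrasing so the reference starts a new sentence, fixes every such line at once. Also, this hunk changes `system/classes/user.php` to `classes/user.php` while the hunk at line 25 changes `users.php` to `classes/users.php`; confirm against the source tree that `user.php` and `users.php` really are two different files under `classes/`, otherwise one of the references is wrong.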
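Review bot: the `e.g.\ ` and "rejected (such as" fixes in the v5_input.tex hunk at line 108 are correct, but the context line two lines above still has "\PHP's stander functionality" ("standard"). Since this paragraph is the basis for a pass, it should also name the function that performs the e-mail validation rather than "standard functionality", and spell out what "The other requirements are not used" means, i.e. that the application has no credit-card, telephone or postcode fields; as written a reader cannot tell whether those inputs were checked or are simply absent.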
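Review bot: replacing `\text{JSON.parse}` with `\texttt{JSON.parse}` in the v5_input.tex hunk at line 138 is the right fix (`\text` is amsmath's math-mode text command and does not belong here). The two new pass verdicts are thin, though. "There is no \JSON{} transfer outside the toolkits" delegates the JSON.parse requirement to the toolkit (the context line names \JQuery{}) without saying that the toolkit's parsing was actually checked; state that, or cite where the application consumes JSON responses. "No DOM storage is used" answers a narrower question than the requirement, which covers any client-side storage including the DOM itself: the justification should also say whether pages leave authenticated data (user details, tokens) in the DOM or in cookies after logout.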