From: Daan Sprenkels Date: Wed, 16 Nov 2016 11:21:12 +0000 (+0100) Subject: Fix V2.2, add annotation that it was found using Fortify X-Git-Url: https://git.martlubbers.net/?a=commitdiff_plain;h=ab07a45a03cd0b93541d8238e6006441158f5230;p=ssproject1617.git Fix V2.2, add annotation that it was found using Fortify --- diff --git a/report/v2_authentication.tex b/report/v2_authentication.tex index 57a210e..ea7cbe5 100644 --- a/report/v2_authentication.tex +++ b/report/v2_authentication.tex @@ -15,15 +15,19 @@ public (Principle of complete mediation). \end{result} \item -\pass{} +\fail{} Verify that forms containing credentials are not filled in by the application. Pre-filling by the application implies that credentials are stored in plaintext or a reversible format, which is explicitly prohibited. \begin{result} -No credentials (that should not be stored in plain text) are ever filled in by -the application. +No credentials that come from the database are pre-filled by the application. +However, in some forms, the application pre-fills password fields from the +request's POST data. This is not necesarry.\footnote{This issue was actually +overlooked when auditing manually, and was found when running the Fortify tool. +In the initial audit, we only ensured that no internal information (from the +database) was leaked in this way.} \end{result} \setcounter{enumi}{3}