From 11f60376ef15f5e3288c81c05bb597a6faac6062 Mon Sep 17 00:00:00 2001
From: Mart Lubbers
Date: Mon, 17 Oct 2016 11:15:12 +0200
Subject: [PATCH] v5 done
---
 report/preamble.tex | 12 ++++++++++--
 report/v5_input.tex | 28 +++++++++++++++++++++-------
 2 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/report/preamble.tex b/report/preamble.tex
index 6059be3..0030c2b 100644
--- a/report/preamble.tex
+++ b/report/preamble.tex
@@ -4,6 +4,7 @@
 \usepackage{geometry}
 \usepackage{hyperref}
 \usepackage{enumitem}
+\usepackage{pifont}
 \usepackage[dvipsnames]{xcolor}
 \hypersetup{hidelinks, pdftitle={OWASP ASVS Souce Code Review Project}}
@@ -11,10 +12,17 @@
 % Als een criterium niet applicable is (we doen alleen 1 en 2)
 \newcommand{\notapplicable}[1]{{\color{Gray} #1}}
-% Php
+% Tools afkortingen
 \newcommand{\PHP}{\textsc{PHP}}
+\newcommand{\SQL}{\textsc{SQL}}
+\newcommand{\LDAP}{\textsc{LDAP}}
+
 % Reference naar de source
-\newcommand{\srcref}[2]{\footnote{As in \texttt{#1} line (s) \texttt{#2}}}
+\newcommand{\srcref}[2]{\texttt{#1} (line (s) #2)}
+ % Pass en fail
+\newcommand{\pass}{\ding{51}}
+\newcommand{\fail}{\ding{55}}
 \renewcommand\thesubsection{V\arabic{subsection}}
diff --git a/report/v5_input.tex b/report/v5_input.tex
index f585720..3660b54 100644
--- a/report/v5_input.tex
+++ b/report/v5_input.tex
@@ -1,5 +1,5 @@
 \begin{enumerate}[label={5.\arabic*}]
- \item Verify that the runtime environment is not susceptible to buffer
+ \item\pass{} Verify that the runtime environment is not susceptible to buffer
 overflows, or that security controls prevent buffer overflows.
 As of \emph{OWASP}'s statement\footnote{\url{%
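Review bot: The new `\srcref` body in the second preamble hunk renders as `line (s) 45` because of the space before `(s)`; the old footnote wording had the same gap, but now that the reference sits inline in a sentence it is visible. Drop the space and, since every macro added here is a short one, use the starred form: `\newcommand*{\srcref}[2]{\texttt{#1} (line(s) #2)}`, with `\newcommand*` likewise for `\SQL`, `\LDAP`, `\pass` and `\fail`. `\pass` and `\fail` depend on `\ding`, which only exists because the first hunk of this file loads `pifont`; a one-line comment such as `% \ding comes from pifont (loaded above)` would make that dependency visible to whoever next trims the package list.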
@@ -8,27 +8,41 @@
 programs or extensions are used which is not the case.
 % They skip 5.2
 \addtocounter{enumi}{1}
- \item Verify that server side input validation failures result in
+ \item\fail{} Verify that server side input validation failures result in
 request rejection and are logged.
+ \texttt{filter\_var} is used for input validation and while errors are
+ returned to the user, no logging taking place.
 % They skip 5.4
 \addtocounter{enumi}{1}
- \item Verify that input validation routines are enforced on the server
+ \item\pass{} Verify that input validation routines are enforced on the server
 side.
- \item\notapplicable{Verify that a single input validation control is used
+ Errors are accumulated in an array which, when non-empty, will fail the
+ function and report the error.
+ \notapplicable{\item Verify that a single input validation control is used
 by the application for each type of data that is accepted.}
 % They skip 5.7-5.9
 \addtocounter{enumi}{3}
- \item Verify that all SQL queries, HQL, OSQL, NOSQL and stored
+ \item\fail{} Verify that all SQL queries, HQL, OSQL, NOSQL and stored
 procedures, calling of stored procedures are protected by the use of prepared statements or query parameterization, and thus not susceptible to SQL injection.
+ This is not the case. For example in \srcref{users.php}{45}. However,
+ in some cases prepared statements are used, such as is
+ \srcref{users.php}{145}.
- \item Verify that the application is not susceptible to LDAP
+ \item\pass{} Verify that the application is not susceptible to LDAP
 Injection, or that security controls prevent LDAP Injection.
- \item Verify that the application is not susceptible to OS Command
+ \LDAP{} is not used, thus the application is not susceptible.
+ \item\pass{} Verify that the application is not susceptible to OS Command
 Injection, or that security controls prevent OS Command Injection.
+
+ This requirement heavily depends on the configuration of the \PHP{} interpreter and database.
There are no system commands used but since
+ it is trivial to do an \SQL{} injection it might be possible to run
+ commands via the database. However, which a sufficiently secure \SQL{} config this can not take place.
 \end{enumerate}
--
2.20.1
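Review bot: The `\pass{}` verdict on the OS command injection item at the end of this hunk is contradicted by its own justification, which states that an SQL injection is trivial (the preceding item is marked `\fail{}`) and that commands might be run via the database, and then rests the pass on a "sufficiently secure" database configuration that this source review does not claim to have examined. Either record what was actually verified about that configuration, or change the line to `\item\fail{}` (or leave it unscored) with a sentence saying the relied-upon control lies outside the reviewed code, since the requirement asks for evidence that a control prevents the injection, not that one could exist. Three wording slips in the added text: `no logging taking place` should read `no logging takes place`, `such as is \srcref{users.php}{145}` should read `such as in \srcref{users.php}{145}`, and `However, which a sufficiently secure` should read `However, with a sufficiently secure`. Moving `\item` inside `\notapplicable{...}` places the whole item inside the macro's `\color{Gray}` group; presumably this compiles and is meant to grey the label as well, but that is worth confirming in the build, and note that the enclosing enumerate environment opens in the previous hunk.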