From 2ef9a68b3bb4325db2bfea2eb729faa03a776366 Mon Sep 17 00:00:00 2001
From: W
Date: Thu, 20 Oct 2016 16:51:13 +0200
Subject: [PATCH] add sections 3 and 7
---
 report/report.tex | 4 +++
 report/v3_session.tex | 70 +++++++++++++++++++++++++++++++++++++
 report/v7_cryptography.tex | 71 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 145 insertions(+)
 create mode 100644 report/v3_session.tex
 create mode 100644 report/v7_cryptography.tex
diff --git a/report/report.tex b/report/report.tex
index c4f7fcf..3adc272 100644
--- a/report/report.tex
+++ b/report/report.tex
@@ -9,6 +9,7 @@
 \subsection{Authentication} \subsection{Session Management} +\input{v3_session.tex} \subsection{Access Control} \input{v4_access.tex}
@@ -16,7 +17,10 @@
 \subsection{Input Validation \& Output Encoding/Escaping} \input{v5_input.tex} +\addtocounter{subsection}{1} + \subsection{Cryptography at rest} +\input{v7_cryptography.tex} \subsection{Error Handling \& logging}
diff --git a/report/v3_session.tex b/report/v3_session.tex
new file mode 100644
index 0000000..9e066cc
--- /dev/null
+++ b/report/v3_session.tex
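Review bot: In the second hunk of report.tex, `\addtocounter{subsection}{1}` before `\subsection{Cryptography at rest}` skips a subsection number without saying which section is skipped or why, so the next reader will read it as a numbering bug rather than an intentional gap. A comment on the line would carry the intent, e.g. `\addtocounter{subsection}{1} % section 6 is not assessed in this report; keep subsection numbers aligned with the checklist` (adjust the stated reason if that is not it). The same coupling is hard-coded in the new files as `label={3.\arabic*}` and `label={7.\arabic*}`, so any future renumbering of the subsections would silently desynchronise them from their item labels; keeping the prefix and the counter bump in one place, or deriving the prefix from the subsection counter, would remove that failure mode.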
@@ -0,0 +1,70 @@
+\begin{enumerate}[label={3.\arabic*}]
+
+ \item
+ \TODO{}
+ Verify that there is no custom session manager, or that the custom session
+ manager is resistant against all common session management attacks.
+
+ \item
+ \TODO{}
+ Verify that sessions are invalidated when the user logs out.
+
+ \item
+ \TODO{}
+ Verify that sessions timeout after a specified period of inactivity.
+
+ \notapplicable{
+ \item
+ Verify that sessions timeout after an administratively-configurable
+ maximum time period regardless of activity (an absolute timeout).
+ }
+
+ \item
+ \TODO{}
+ Verify that all pages that require authentication have easy and visible
+ access to logout functionality.
+
+ \item
+ \TODO{}
+ Verify that the session id is never disclosed in URLs, error messages, or
+ logs. This includes verifying that the application does not support URL
+ rewriting of session cookies.
+
+ \item
+ \TODO{}
+ Verify that all successful authentication and re-authentication generates
+ a new session and session id.
+
+ \notapplicable{
+ \item
+ Verify that only session ids generated by the application framework are
+ recognized as active by the application.
+ }
+
+ \item
+ \TODO{}
+ Verify that session ids are sufficiently long, random and unique across the
+ correct active session base.
+
+ \item
+ \TODO{}
+ Verify that session ids stored in cookies have their path set to an
+ appropriately restrictive value for the application, and authentication
+ session tokens additionally set the “HttpOnly” and “secure” attributes.
+
+ \item
+ \TODO{}
+ Verify that the application limits the number of active concurrent sessions.
+
+ \item
+ \TODO{}
+ Verify that an active session list is displayed in the account profile or
+ similar of each user. The user should be able to terminate any active
+ session.
+
+ \item
+ \TODO{}
+ Verify the user is prompted with the option to terminate all other active
+ sessions after a successful change password process.
+
+\end{enumerate}
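Review bot: v3_session.tex numbers its 13 items consecutively as 3.1 to 3.13, while the sibling v7_cryptography.tex in the same commit uses `\addtocounter{enumi}{n}` to preserve the checklist's own numbering gaps, so the two sections will not read the same way. If the session checklist also has gaps (the wording appears to match the ASVS 3.0 session list verbatim, and as far as I recall that list jumps from 3.7 to 3.10 and from 3.12 to 3.16), every item from "only session ids generated by the application framework" onward is mislabeled; `\addtocounter{enumi}{2}` before that `\notapplicable{` and `\addtocounter{enumi}{3}` before the "limits the number of active concurrent sessions" item would align them. Whichever numbering is intended, a one-line comment after `\begin{enumerate}` naming the checklist and version the labels follow would let a reader verify them. The curly quotes around “HttpOnly” and “secure” are raw UTF-8 and depend on `inputenc` or a Unicode engine; `\enquote{HttpOnly}` or ``HttpOnly'' is the portable form.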
diff --git a/report/v7_cryptography.tex b/report/v7_cryptography.tex
new file mode 100644
index 0000000..b2a3876
--- /dev/null
+++ b/report/v7_cryptography.tex
@@ -0,0 +1,71 @@
+\begin{enumerate}[label={7.\arabic*}]
+
+ \addtocounter{enumi}{1}
+ \item
+ \TODO{}
+ Verify that all cryptographic modules fail securely, and errors are handled
+ in a way that does not enable oracle padding.
+
+ \addtocounter{enumi}{3}
+ \notapplicable{
+ \item
+ Verify that all random numbers, random file names, random GUIDs, and random
+ strings are generated using the cryptographic module’s approved random
+ number generator when these random values are intended to be not guessable
+ by an attacker.
+ }
+
+ \item
+ \TODO{}
+ Verify that cryptographic algorithms used by the application have been
+ validated against FIPS 140-2 or an equivalent standard.
+
+ \notapplicable{
+ \item
+ Verify that cryptographic modules operate in their approved mode according
+ to their published security policies.
+ }
+
+ \notapplicable{
+ \item
+ Verify that there is an explicit policy for how cryptographic keys are
+ managed (e.g., generated, distributed, revoked, and expired). Verify that
+ this key lifecycle is properly enforced.
+ }
+
+ \addtocounter{enumi}{1}
+ \notapplicable{
+ \item
+ Verify that all consumers of cryptographic services do not have direct
+ access to key material. Isolate cryptographic processes, including master
+ secrets and consider the use of a virtualized or physical hardware key vault
+ (HSM).
+ }
+
+ \notapplicable{
+ \item
+ \textit{Personally Identifiable Information} should be stored encrypted at
+ rest and ensure that communication goes via protected channels.
+ }
+
+ \notapplicable{
+ \item
+ Verify that sensitive passwords or key material maintained in memory is
+ overwritten with zeros as soon as it no longer required, to mitigate memory
+ dumping attacks.
+ }
+
+ \notapplicable{
+ \item
+ Verify that all keys and passwords are replaceable, and are generated or
+ replaced at installation time.
+ }
+
+ \notapplicable{
+ \item
+ Verify that random numbers are created with proper entropy even when the
+ application is under heavy load, or that the application degrades gracefully
+ in such circumstance.
+ }
+
+\end{enumerate}
-- 
2.20.1
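Review bot: The three `\addtocounter{enumi}{…}` bumps in v7_cryptography.tex (before the first `\item`, before the random-number item, and before the key-material item) skip requirement numbers without saying why, and unlike the `\notapplicable{}` entries they leave no record that the skipped requirements were considered at all. For a review deliverable a silently skipped number is indistinguishable from a forgotten one, so each bump should at least carry a comment, e.g. `\addtocounter{enumi}{1} % 7.1 not assessed: <reason>`, or better be replaced by an explicit `\notapplicable{\item …}` entry so every number in the checklist has a verdict. The `\TODO{}` under the FIPS 140-2 item will only be a checkable finding if it names which library and which algorithms were examined, since validation is established per module and primitive, not for the application as a whole. On style, `\textit{Personally Identifiable Information}` in the PII item is emphasis and should be `\emph{…}`.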