From 5c10132126ff30cdc8083783da9a4db10b0f5c0b Mon Sep 17 00:00:00 2001 From: Kelley van Evert Date: Fri, 25 Nov 2016 09:54:31 +0100 Subject: [PATCH] updated [3] table --- report/fortify.tex | 77 +++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 39 deletions(-) diff --git a/report/fortify.tex b/report/fortify.tex index 28cbb27..898597b 100644 --- a/report/fortify.tex +++ b/report/fortify.tex 
@@ -7,7 +7,7 @@ Fortify's results can be summarized to the following: \begin{enumerate}[label=(\Alph*)] \item 50 cases of \XSS{} vurnerabilities, all labeled \textbf{critical}, because none of the \CMS{}'s forms include nonces / protection against \XSS{} is indeed missing. \item \textbf{Password management}. In a user password reset form in \code{reset.php}, if the resetting fails, the password the user just entered reappears in the password field. This is not a database-retrieved password, and hence not actually as \textbf{critical} as Fortify labels it, but of course bad practice nonetheless. - \item In the \textbf{privact violation} category, Fortify found errors and warnings printed back to the browser, and labelled it \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier. + \item In the \textbf{privacy violation} category, Fortify found errors and warnings printed back to the browser, and labelled it \textbf{critical}. However, this happens in the installer script, which we have decided to treat separately, as explained earlier. \item \textbf{\SQL{} injection} attacks are possible on the installer script, labelled \textbf{critical}. Yet again: the installer script. \item \textbf{Cookie security}: the \code{HttpOnly} header is not set, labelled \textbf{high}. \item \textbf{Privacy violation}: \HTML{} forms don't disable autocompletion. Labelled \textbf{high}. However, autocompletion of \HTML{} forms by means of the \code{autocompletion="none"} attribute notoriously doesn't really work. The larger problem is that the post/redirect/get pattern is not followed, as stated above at our analysis of OWASP requirement (9.1). 
@@ -42,53 +42,52 @@ For this reason, Fortify was nowhere near able to identifying all the problems w \begin{table}[th!] \centering %\renewcommand{\arraystretch}{1} -\begin{tabular}{@{}lllllllllll@{}} +\begin{tabular}{@{}llllllllll@{}} \toprule \# & \textbf{V2} & \textbf{V3} & \textbf{V4} & -\textbf{V5} & +\textbf{V5 (6)} & \textbf{V7} & \textbf{V8} & \textbf{V9} & -\textbf{V12} & -\textbf{V17} \\ +\textbf{V11} \\ \midrule -% V2 V3 V4 V5 V7 V8 V9 V12 V17 - 1 & \X & \p & \p & \p & & \X & \F{B}\X & \X & \TODO \\ - 2 & \F{B}\p & \p & & & \p & \p & & \p & \TODO \\ - 3 & & \X & & \X & & \X & \p & & \TODO \\ - 4 & \p & & \p & & & \X & \X & \X & \TODO \\ - 5 & & \p & \p & \p & & \p & \p & \p & \TODO \\ - 6 & \X & \p & & & & \p & & \X & \TODO \\ - 7 & \p & \X & & & \TODO & \p & \p & \X & \TODO \\ - 8 & \p & & \p & & & & & \X & \\ - 9 & \X & \p & \X & & & & \p & & \TODO \\ -10 & & \X & \p & \X & & \X & \p & & \TODO \\ -11 & & \p & & \p & & & \p & & \TODO \\ -12 & \X & \X & \X & \p & & & & & \\ -13 & \X & \X & \F{A}\X & \p & & \X & & & \\ -14 & & & \X & \p & & & & & \\ -15 & & & \X & \X & & & & & \\ -16 & \X & & \X & \p & & & & & \\ -17 & \p & & & \p & & & & & \\ -18 & \X & & & \X & & & & & \\ -19 & \p & & & \X & & & & & \\ -20 & \X & & & \p & & & & & \\ -21 & \X & & & \p & & & & & \\ -22 & \p & & & \X & & & & & \\ -23 & & & & \X & & & & & \\ -24 & & & & \p & & & & & \\ -25 & \X & & & \p & & & & & \\ -26 & & & & \p & & & & & \\ -27 & \X & & & & & & & & \\ -28 & \X & & & & & & & & \\ -29 & \X & & & & & & & & \\ -30 & & & & & & & & & \\ -31 & & & & & & & & & \\ -32 & \X & & & & & & & & \\ -33 & \p & & & & & & & & \\ +% V2 V3 V4 V5 V7 V8 V9 V11 + 1 & \X & \p & \p & \p & & \X & \F{B}\X & \X \\ + 2 & \F{B}\p & \p & & & \p & \p & & \p \\ + 3 & & \X & & \X & & \X & \p & \\ + 4 & \p & & \p & & & \X & \X & \X \\ + 5 & & \p & \p & \p & & \p & \p & \p \\ + 6 & \X & \p & & & \X & \p & & \X \\ + 7 & \p & \X & & & \p & \p & \p & \X \\ + 8 & \p & & \p & & & & & \X \\ + 9 & \X & \p & \X & & 
\p & & \p & \\ +10 & & \X & \p & \X & & \X & \p & \\ +11 & & \p & & \p & & & \p & \\ +12 & \X & \X & \X & \p & \X & & & \\ +13 & \X & \X & \F{A}\X & \p & \X & \X & & \\ +14 & & & \X & \p & \p & & & \\ +15 & & & \X & \X & & & & \\ +16 & \X & & \X & \p & & & & \\ +17 & \p & & & \p & & & & \\ +18 & \X & & & \X & & & & \\ +19 & \p & & & \X & & & & \\ +20 & \X & & & \p & & & & \\ +21 & \X & & & \p & & & & \\ +22 & \p & & & \X & & & & \\ +23 & & & & \X & & & & \\ +24 & & & & \p & & & & \\ +25 & \X & & & \p & & & & \\ +26 & & & & \p & & & & \\ +27 & \X & & & & & & & \\ +28 & \X & & & & & & & \\ +29 & \X & & & & & & & \\ +30 & & & & & & & & \\ +31 & & & & & & & & \\ +32 & \X & & & & & & & \\ +33 & \p & & & & & & & \\ \bottomrule \end{tabular} \caption{Summary of our results. Fortify's findings are outlined and labelled, see our analysis above.} -- 2.20.1
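Review bot: two more typos in this item list should ride along with the `privact` fix in this hunk: `vurnerabilities` in the first item, and `autocompletion="none"` in the last item, which is not an HTML attribute at all; the attribute the sentence is talking about is `autocomplete="off"`, so the remark that it "notoriously doesn't really work" should name that one. The first item also conflates two things in `none of the \CMS{}'s forms include nonces / protection against \XSS{} is indeed missing`: a per-form nonce is a CSRF defence and does nothing against XSS, which is a missing-output-escaping problem, so either drop the nonce remark from the XSS finding or move it to a separate CSRF item.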
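Review bot: the column specification is still one column wider than the rows: `+\begin{tabular}{@{}llllllllll@{}}` declares ten `l` columns, but every row now has nine cells (`\#` plus V2, V3, V4, V5, V7, V8, V9, V11), the same off-by-one the old eleven-column spec had against its ten cells; drop one `l` so the trailing `@{}` actually sits against the last column. The renamed header `+\textbf{V5 (6)} &` is not explained anywhere in the hunk or the caption; if V6 has been folded into V5, say so in the caption, and likewise state why V12 and V17 were dropped, since `see our analysis above` will otherwise send the reader to sections the table no longer covers. Rows 30 and 31 are also blank in every column; if those requirements were not assessed, an explicit `\TODO` or dash is clearer than an empty row.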