From 618969fc2cca36305745df72fdedd56fdde7b567 Mon Sep 17 00:00:00 2001 From: Daan Sprenkels Date: Tue, 8 Nov 2016 16:39:55 +0100 Subject: [PATCH] Finished authentication --- report/v2_authentication.tex | 121 ++++++++++++++++++++++++++--------- 1 file changed, 91 insertions(+), 30 deletions(-) diff --git a/report/v2_authentication.tex b/report/v2_authentication.tex index adfc0f8..d58f562 100644 --- a/report/v2_authentication.tex +++ b/report/v2_authentication.tex @@ -163,16 +163,27 @@ that the new password is not sent in clear text to the user. information. \end{result} -\TODO{\item - +\item +\fail{} Verify that information enumeration is not possible via -login, password reset, or forgot account functionality.} +login, password reset, or forgot account functionality. -\TODO{\item +\begin{result} + All these forms are vulnerable to SQL injection attacks. So any information + can leak any information from the database. +\end{result} +\item +\pass{} Verify there are no default passwords in use for the application framework or any components used by the -application (such as “admin/password”).} +application (such as “admin/password”). + +\begin{result} + No secrets are initialized by predefined values. The admin user will have + username \texttt{admin} by default. This is no secret and therefore not + considered unsafe. +\end{result} \item \fail{} @@ -192,81 +203,131 @@ attacks. \end{itemize} \end{result} -\TODO{\item - +\item +\fail{} Verify that all authentication credentials for accessing services external to the application are encrypted and -stored in a protected location.} +stored in a protected location. -\TODO{\item +\begin{result} + The database credentials are hardcoded in \texttt{config.php}. While it + would be better to pass secrets as environment variables, this is not + really bad practice. + + However, the installation instructions state the following: + \begin{verbatim} +Change the file permissions to allow all users write access to the folder +you extracted testcms to. + \end{verbatim} + This implies making the configuration file readable for all users on the + system. This information should not be accessible for any user other than + running the PHP script. +\end{result} +\item +\pass{} Verify that forgotten password and other recovery paths use a TOTP or other soft token, mobile push, or other offline recovery mechanism. Use of a random value in an -e-mail or SMS should be a last resort and is known weak.} +e-mail or SMS should be a last resort and is known weak. -\TODO{\item +\begin{result} + The password recovery path uses a random looking token. It is sent over + e-mail, which is considered weak (but not unsafe). +\end{result} +\notapplicable{\item Verify that account lockout is divided into soft and hard lock status, and these are not mutually exclusive. If an account is temporarily soft locked out due to a brute force -attack, this should not reset the hard lock status.} +attack, this should not reset the hard lock status. -\TODO{\item +% The application has not implemented any lockout mechanisms. +} +\notapplicable{\item Verify that if shared knowledge based questions (also known as "secret questions") are required, the questions do not violate privacy laws and are sufficiently strong to protect accounts from malicious recovery.} -\TODO{\item - +\item +\fail{} Verify that the system can be configured to disallow the -use of a configurable number of previous passwords.} +use of a configurable number of previous passwords. -\TODO{\item +\begin{result} + The system does not remember any previously used passwords and does not + require variation in the use of different passwords. +\end{result} +\notapplicable{\item Verify that risk based re-authentication, two factor or transaction signing is in place for high value transactions.} -\TODO{\item +% There are no (really) risk based action or which re-authentication would be +% fit +\item +\fail{} Verify that measures are in place to block the use of -commonly chosen passwords and weak passphrases.} +commonly chosen passwords and weak passphrases. -\TODO{\item +\begin{result} + No password strengthening measures are implemented. The app should + use some password strength estimator like \texttt{zxcvbn}. +\end{result} +\item +\fail{} Verify that all authentication challenges, whether successful or failed, should respond in the same average -response time.} +response time. -\TODO{\item +\begin{result} + String comparisation for checking password hases and password reset tokens + are not in constant time. +\end{result} +\item +\fail{} Verify that secrets, API keys, and passwords are not included in the source code, or online source code -repositories.} +repositories. -\setcounter{enumi}{30} +\begin{result} + The database credentials are hard coded in \texttt{config.php}. These + credentials should ideally be passed using environment variables. +\end{result} -\TODO{\item +\setcounter{enumi}{30} +\notapplicable{\item Verify that if an application allows users to authenticate, they can authenticate using two-factor authentication or other strong authentication, or any similar scheme that provides protection against username + password disclosure.} -\TODO{\item - +\item +\fail{} Verify that administrative interfaces are not accessible to -untrusted parties.} +untrusted parties. -\TODO{\item +\begin{result} + Any authenticated user is allowed to view and use the administrative + interface. A separation should be made between administrators and normal + users. +\end{result} +\item +\pass{} Browser autocomplete, and integration with password managers are permitted unless prohibited by risk based policy. -} +\begin{result} + Browser autocomplete functionality is not restricted in any way. +\end{result} \end{enumerate} -- 2.20.1