--- /dev/null
+\begin{enumerate}[label={4.\arabic*}]
+
+\item
+\TODO{}
+Verify that the principle of least privilege exists - users
+should only be able to access functions, data files, URLs,
+controllers, services, and other resources, for which they
+possess specific authorization. This implies protection
+against spoofing and elevation of privilege.
+
+\addtocounter{enumi}{2}
+\item
+\TODO{}
+Verify that access to sensitive records is protected, such
+that only authorized objects or data is accessible to each
+user (for example, protect against users tampering with a
+parameter to see or alter another user's account).
+
+\item
+\fail{}
+Verify that directory browsing is disabled unless
+deliberately desired. Additionally, applications should not
+allow discovery or disclosure of file or directory metadata,
+such as \code{Thumbs.db}, \code{.DS\_Store}, \code{.git} or \code{.svn} folders.
+
+\begin{result}
+\begin{itemize}[leftmargin=*]
+ \item \code{.gitignore} accessible, as well as any other dot-preceded file (except \code{.htaccess} itself by default Apache rules), as well as files such as \code{Thumbs.db} and \code{.DS\_Store}.
+ \item Directory contents were listed in my simple setup. A global apache setting may disable by default, but the \code{.htaccess} file doesn't explicitly disable (with \code{Options -Indexes}), so that the CMS's codebase basically enables the listing by default.
+\end{itemize}
+\end{result}
+
+\addtocounter{enumi}{2}
+\item
+\TODO{}
+Verify that access controls fail securely.
+
+\item
+\TODO{}
+Verify that the same access control rules implied by the
+presentation layer are enforced on the server side.
+
+\item
+\TODO{}
+Verify that all user and data attributes and policy
+information used by access controls cannot be
+manipulated by end users unless specifically authorized.
+
+\notapplicable{
+\item
+Verify that there is a centralized mechanism (including
+libraries that call external authorization services) for
+protecting access to each type of protected resource.
+}
+
+\item
+\fail{}
+Verify that all access control decisions can be logged and
+all failed decisions are logged.
+
+\begin{result}
+No such decision logging present. There is only a minor amount of logging, and this is related to not finding content (pages and articles).
+\end{result}
+
+\item
+\fail{}
+Verify that the application or framework uses strong
+random anti-CSRF tokens or has another transaction
+protection mechanism.
+
+\begin{result}
+There is no transation protection mechanism at all.
+\end{result}
+
+\item
+\fail{}
+Verify the system can protect against aggregate or
+continuous access of secured functions, resources, or
+data. For example, consider the use of a resource
+governor to limit the number of edits per hour or to
+prevent the entire database from being scraped by an
+individual user.
+
+\begin{result}
+No such prevention present.
+\end{result}
+
+\item
+\TODO{}
+Verify the application has additional authorization (such
+as step up or adaptive authentication) for lower value
+systems, and / or segregation of duties for high value
+applications to enforce anti-fraud controls as per the risk
+of application and past fraud.
+
+(nope)
+
+\item
+\TODO{}
+Verify that the application correctly enforces context-
+sensitive authorisation so as to not allow unauthorised
+manipulation by means of parameter tampering.
+
+(nope)
+
+\end{enumerate}
repositories / ssproject1617.git / commitdiff