Overleg:SoftwareSecurity2014/Group 1/Code Scanning
Correlating scanning results to ASVS requirements
The following ...
V3.6 Verify that the session id is never disclosed other than in cookie headers; particularly in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies.
- Cookie Security: HTTPOnly not Set - [0 / 1] :
- The program creates a cookie in functions.php at line 374, but fails to set the HttpOnly flag to true.
- EXPLANATION: most browsers support the HttpOnly cookie property that prevents client-side scripts from accessing the cookie. Cross-Site Scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. When HttpOnly is not enabled, attackers can more easily access user cookies.
- Cookie Security: Persistent Cookie - [0 / 2] line 372, 374 :
- Storing sensitive data in a persistent cookie can lead to a breach of confidentiality or account compromise.
Looked for the following issues without results: session id in URLs, errors, logs. URL rewriting of session cookies.
V11.1 Verify that redirects do not include unvalidated data.
- chris: Found 3 instances of V11.1:
The file functions.php passes unvalidated data to an HTTP redirect function on line 1347. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.
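As an added illustration (not code from the scanned project), the two patterns the findings above describe, each in the weak form the scanner reports beside a hardened form: the cookie call without HttpOnly and with a long lifetime, and a redirect that takes its target from unvalidated input (V11.1). Cookie, parameter and function names are assumptions.

```php
<?php
// Added example; the cookie name, 'next' parameter and function names are hypothetical.

// --- Cookie Security: HttpOnly not set / persistent cookie ---
// Weak: 30-day persistent cookie, readable by client-side script.
function set_token_cookie_weak(string $token): void {
    setcookie('auth_token', $token, time() + 60 * 60 * 24 * 30);
}

// Hardened: session-scoped (expires 0), HttpOnly, Secure, SameSite (PHP >= 7.3 options array).
function set_token_cookie_hardened(string $token): void {
    setcookie('auth_token', $token, [
        'expires'  => 0,        // session cookie, not persistent
        'path'     => '/',
        'secure'   => true,     // only sent over TLS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// --- V11.1: redirect must not use unvalidated data ---
// Accepts only a site-relative path; anything else falls back to a fixed target.
function safe_redirect_target(string $requested, string $fallback = '/'): string {
    // Must start with exactly one '/': rejects absolute URLs and
    // scheme-relative '//host' forms that would leave the site.
    if ($requested === '' || $requested[0] !== '/' || substr($requested, 0, 2) === '//') {
        return $fallback;
    }
    // Backslashes are normalised to '/' by some browsers ('/\evil' -> '//evil').
    if (strpos($requested, '\\') !== false) {
        return $fallback;
    }
    // Control characters could split or inject response headers.
    if (preg_match('/[\x00-\x1F\x7F]/', $requested)) {
        return $fallback;
    }
    // A purely relative path must parse without a scheme or host.
    $parts = parse_url($requested);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $requested;
}

function redirect_hardened(): void {
    $target = safe_redirect_target($_GET['next'] ?? '');
    header('Location: ' . $target, true, 302);
    exit;
}
```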
V11.2 Verify that the application accepts only a defined set of HTTP request methods, such as GET and POST.
- chris: could not find anything in results. Maybe scan code manually? s/o else should also look at fortify results
V11.3 Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8).
- chris: nothing
RATS results
User input should be sanitized:
Output to other functions should be sanitized: mail call in email.php, fopen calls in 5 files, fsockopen in email.php
TOCTOU: 4+1 times minimum (the tool stops when it finds one instance in each file)
fixed size local buffer: many times