Overleg:SoftwareSecurity2014/Group 1/Code Scanning


Correlating scanning results to ASVS requirements

The following ...

V3.6 Verify that the session id is never disclosed other than in cookie headers; particularly in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies.

  • Cookie Security: HTTPOnly not Set - [0 / 1] :
The program creates a cookie in functions.php at line 374, but fails to set the HttpOnly flag to true.
EXPLANATION: most browsers support the HttpOnly cookie property that prevents client-side scripts from accessing the cookie. Cross-Site Scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. When HttpOnly is not enabled, attackers can more easily access user cookies.
  • Cookie Security: Persistent Cookie - [0 / 2] line 372, 374 :
Storing sensitive data in a persistent cookie can lead to a breach of confidentiality or account compromise.

Looked for the following issues without results: session id in URLs, errors, logs. URL rewriting of session cookies.

V11.1 Verify that redirects do not include unvalidated data.

chris: Found 3 instances of V11.1:
The file functions.php passes unvalidated data to an HTTP redirect function on line 1347. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.
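Added example (not code from the scanned project or from chris's comment): one way to meet V11.1 is to validate the redirect target before it reaches the redirect function, accepting only paths on the application's own host. The function name, the `next` parameter and the host `example.org` are assumptions for the illustration.

```php
<?php
// Added example, not the project's code: validate a redirect target
// before passing it to header('Location: ...'), as V11.1 requires.
// Assumes the application only ever needs to redirect to its own host(s).

/**
 * Return a safe same-site path for the redirect, or null if $candidate
 * must be rejected. $allowedHosts lists the hostnames the app owns.
 */
function safe_redirect_target(string $candidate, array $allowedHosts): ?string
{
    // Reject control characters and CR/LF (header injection) outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return null;
    }
    // Protocol-relative ("//other.example") and backslash variants are
    // treated as external by browsers even where parse_url() disagrees.
    if (preg_match('#^[\\\\/]{2}#', $candidate)) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: only https to one of our own hosts is acceptable.
        if (($parts['scheme'] ?? '') !== 'https'
            || !in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
            return null;
        }
    }
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        return null;  // require an absolute path, never a relative one
    }
    $target = $path;
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    return $target;  // host is dropped: the redirect stays on this site
}

// Usage (hypothetical 'next' parameter): fall back to the home page
// instead of echoing unvalidated input into the Location header.
$requested = $_GET['next'] ?? '/';
$target = safe_redirect_target($requested, ['example.org']) ?? '/';
header('Location: ' . $target, true, 303);
exit;
```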


V11.2 Verify that the application accepts only a defined set of HTTP request methods, such as GET and POST.

chris: could not find anything in results. Maybe scan code manually? s/o else should also look at fortify results

V11.3 Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8).

chris: nothing

RATS results

User input should be sanitized:

Output to other functions should be sanitized: mail call in email.php, fopen calls in 5 files, fsockopen in email.php

TOCTOU: 4+1 times minimum (the tool stops when it finds one instance in each file)

fixed size local buffer: many times