SoftwareSecurity2012/Group 3

Uit Werkplaats
< SoftwareSecurity2012
Versie door Erik Poll (overleg | bijdragen) op 19 mrt 2013 om 18:16
(wijz) ← Oudere versie | Huidige versie (wijz) | Nieuwere versie → (wijz)
Ga naar: navigatie, zoeken

Group nr. 3

Group members:

  • Adrian Garcia Ramirez
  • Murad Gurbanov
  • Stan Damen
  • Dima van de Wouw

all from university TUE

Topic: V6: Output Encoding/Escaping (HTML)

V6 requirements for our group

  • V6.1 Verify that all untrusted data thatare output to HTML (including HTML elements, HTML attributes, javascript data values, CSS blocks, and URI attributes) are properly escaped for the applicable context.
  • V6.2 Verify that all output encoding/escaping controls are implemented on the server side.
  • V6.3 Verify that output encoding/escaping controls encode all characters not known to be safe for the intended interpreter.
  • V6.7 Verify that all untrusted data that are included in operating system command parameters are escaped properly.
  • V6.8 Verify that all untrusted data that are output to any interpreters not specifically listed above are escaped properly.

Email address output validation

Additionally, we looked at the question whether email addresses were validated (escaped/encoded) properly.

Deliverables

The log should be a chronological list of who has been doing what, with dates.
Also useful to document decisions on who will be doing what, and by when.
This should discuss the results of the code scanning. Insofar as possible, put the focus on these from the point of view of the Verfication Requirements your group is looking at, but also point out, but then briefly, findings that might be interesting for other groups.
Describe your impressions about the tools, in capabilities, limitations, etc.
Also, did you learn anything about specific security vulnerabilities from using them?
This should give your verdict for each requirement (Pass/Fail/Don't know) with motivation, and an indication of what you did to reach this verdict.
Describe the sort of documentation you would have wanted about phpbb, to make your security review easier.
This can be design decisions, description of the overall architecture and organisation, policies used in the application, styles or guidelines adhered to in the actual coding.
Reflect on the whole process of doing a code review, or "Application Security Verification", in the way you did.


Create more sub-pages if you want, of course