vulnerability_testing.txt
CODE QUALITY AND VULNERABILITY TESTING
--------------------------------------
We are currently (June 2024) using Snyk and SonarCloud, along with occasional reports from tests by the University of Melbourne and the Bibliothèque nationale de France.
** SQL Injection
Unsanitized input from an HTTP parameter or the database flows into a query string, where it is used in an SQL query.
This may result in an SQL Injection vulnerability.
1) use parameterized queries with the help of the functions mysql__insertupdate, mysql__select_param_query and mysql__exec_param_query
2) use intval where the value is expected to be an integer
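The two remedies above, shown side by side with the pattern the scanner flags. This is an added PHP example using plain mysqli prepared statements; it is not Heurist code, and the project's own mysql__select_param_query / mysql__exec_param_query helpers are assumed to wrap the same prepared-statement mechanism (their signatures are not reproduced here). The Records table and its rec_ID / rec_Title columns are assumed names for the illustration.

```php
<?php
declare(strict_types=1);

// VULNERABLE: the HTTP parameter is concatenated straight into the SQL text.
// A value such as  1 OR 1=1  rewrites the WHERE clause; this is the pattern
// Snyk reports as "unsanitized input flows into query".
function findRecordUnsafe(mysqli $db, string $recId): ?array
{
    $sql = "SELECT rec_ID, rec_Title FROM Records WHERE rec_ID = $recId";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// SAFE (remedy 1 + 2): the value is coerced with intval() because rec_ID is
// an integer column, then travels as a bound parameter, never as SQL text.
function findRecordSafe(mysqli $db, string $recId): ?array
{
    $id = intval($recId);           // "1 OR 1=1" collapses to 1; "abc" to 0

    $stmt = $db->prepare('SELECT rec_ID, rec_Title FROM Records WHERE rec_ID = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);    // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// String parameters that cannot be intval()'d are bound with type 's'.
// The LIKE wildcards are added in PHP, so the query text never changes.
function searchByTitle(mysqli $db, string $needle): array
{
    $stmt = $db->prepare('SELECT rec_ID, rec_Title FROM Records WHERE rec_Title LIKE ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $pattern = '%' . $needle . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (assumes an open mysqli connection $db to a database holding the
// assumed Records table):
//   $row  = findRecordSafe($db, $_GET['recID'] ?? '0');
//   $rows = searchByTitle($db, $_GET['q'] ?? '');
```

Note that intval() alone is only a remedy where the column really is numeric; for every other type the bound parameter is what keeps the input out of the SQL grammar, so the helper functions should be used even when the value "looks" safe.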
** Path Traversal
Unsanitized input from an HTTP parameter or the database flows into a file function,
where it is used as a path. This may result in a Path Traversal vulnerability
and allow an attacker to manipulate arbitrary files.
1) use the PHP functions realpath or basename
2) use the Heurist methods isPathInHeuristUploadFolder and sanitizePath
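A worked version of remedy 1, added here as an example and not taken from Heurist: realpath() canonicalises the candidate path (resolving every "..") and a prefix check confirms it still lies inside the upload folder, which is the intent the page ascribes to isPathInHeuristUploadFolder / sanitizePath (assumed from their names; this is not their implementation). The temporary directory and file in the self-check are constructed for the example.

```php
<?php
declare(strict_types=1);

// Return the canonical absolute path of $userSupplied if it lies inside
// $uploadRoot, or null if it escapes, contains a NUL byte, or does not exist.
function resolveInsideRoot(string $uploadRoot, string $userSupplied): ?string
{
    $root = realpath($uploadRoot);
    if ($root === false) {
        return null;                           // upload folder itself is missing
    }
    // NUL bytes would silently truncate the path inside the C file functions.
    if (strpos($userSupplied, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", symlinks and duplicate separators; it returns
    // false when the target does not exist, which is also a rejection here.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $userSupplied);
    if ($candidate === false) {
        return null;
    }
    // Compare with a trailing separator so that "/uploads_evil" is not
    // accepted as being inside "/uploads".
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root
        && strncmp($candidate, $rootWithSep, strlen($rootWithSep)) !== 0) {
        return null;                           // resolved outside the root
    }
    return $candidate;
}

// When only a bare file name is expected (no subdirectories at all),
// basename() discards any directory component the caller smuggled in.
function safeUploadName(string $userSupplied): string
{
    $name = basename(str_replace("\0", '', $userSupplied));
    // Keep a conservative character set for the stored name.
    return preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?? '_';
}

// Self-check on a constructed temporary folder (example data, not project code).
function selfTest(): bool
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example_uploads_' . getmypid();
    mkdir($root, 0700);
    file_put_contents($root . DIRECTORY_SEPARATOR . 'ok.txt', 'x');

    $inside  = resolveInsideRoot($root, 'ok.txt') !== null;
    $escaped = resolveInsideRoot($root, '../../etc/passwd') === null;
    $named   = safeUploadName('../../etc/passwd') === 'passwd';

    unlink($root . DIRECTORY_SEPARATOR . 'ok.txt');
    rmdir($root);
    return $inside && $escaped && $named;
}
```

Because realpath() only works on paths that exist, a file that is about to be created should be checked by resolving its directory part with resolveInsideRoot() and then appending safeUploadName() for the leaf.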
** Cross-site Scripting (XSS)
Unsanitized input from an HTTP parameter or the database flows into an echo statement,
where it is used to render an HTML page returned to the user.
This may result in a Cross-Site Scripting (XSS) attack.
1) use filter_input and filter_input_array instead of reading $_REQUEST directly
2) use htmlentities or htmlspecialchars on values passed to print and echo
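Both remedies applied to one small page, as an added PHP example that is not Heurist code. The input is validated through filter_var_array() with the same rule array one would hand to filter_input_array(INPUT_GET, ...) on a live request (filter_var_array is used so the function can be exercised with a constructed input array), and every value is escaped with htmlspecialchars() at the point it reaches the HTML. The parameter names recID and q are assumed for the illustration.

```php
<?php
declare(strict_types=1);

// Escape for HTML text and attribute values. ENT_QUOTES covers both quote
// characters, so the same helper is safe inside value="...".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rules for filter_input_array / filter_var_array: recID must be a positive
// integer; q is kept raw on input and escaped on output instead.
const PARAM_RULES = [
    'recID' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'q'     => ['filter' => FILTER_UNSAFE_RAW],
];

function renderSearchPage(array $rawInput): string
{
    // In production: $in = filter_input_array(INPUT_GET, PARAM_RULES);
    $in    = filter_var_array($rawInput, PARAM_RULES);
    $recId = $in['recID'];                         // int, false (invalid) or null (absent)
    $q     = is_string($in['q']) ? $in['q'] : '';  // q[]=... arrives as false, not a string

    // VULNERABLE form the scanner flags, for contrast:
    //   echo "<h1>Results for $q</h1>";
    $html  = '<h1>Results for ' . h($q) . '</h1>';
    $html .= '<input name="q" value="' . h($q) . '">';
    if (is_int($recId)) {
        $html .= '<p>Record ' . $recId . '</p>';   // validated int, nothing to escape
    }
    return $html;
}

// HTML escaping is the wrong tool inside a <script> block; a JSON literal
// with the HEX flags cannot break out of the script element.
function jsLiteral(mixed $value): string
{
    return json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Self-check with constructed input (not project data).
function selfTest(): bool
{
    $out = renderSearchPage(['q' => '<script>alert(1)</script>', 'recID' => '7 OR 1']);
    return strpos($out, '<script>') === false
        && strpos($out, '&lt;script&gt;') !== false
        && strpos($out, 'Record') === false            // recID failed integer validation
        && jsLiteral('</script>') === '"\u003C\/script\u003E"';
}
```

Escaping belongs at the output boundary, once per context: a value that is HTML-escaped on input and then HTML-escaped again on output ends up double-encoded, while a value that is only "filtered" on input and later echoed into a different context (attribute, script, URL) is still exploitable.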
** Server-Side Request Forgery (SSRF)
Unsanitized input from an HTTP parameter or the database flows into file_get_contents or curl, where it
is used as a URL to perform a request. This may result in a Server-Side Request
Forgery vulnerability.
1) use filter_input and filter_input_array to validate the URL
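An added PHP example (not Heurist code) of what "validate the URL" has to include before the value reaches curl: FILTER_VALIDATE_URL only checks syntax, so the scheme, userinfo, port, host allow-list and the address the host resolves to are checked as well, and the curl call is pinned to http/https with redirects disabled so a redirect cannot reopen the hole. The host names, the allow-list and the resolver map in the self-check are constructed; the resolver is injectable so the check runs without DNS.

```php
<?php
declare(strict_types=1);

// Decide whether a user-supplied URL may be fetched server-side.
// $resolve maps a host name to its IPv4 addresses; it defaults to
// gethostbynamel() and is injectable for offline tests.
function isFetchableUrl(string $url, array $allowedHosts, ?callable $resolve = null): bool
{
    $resolve = $resolve ?? 'gethostbynamel';

    // Same syntax check as filter_input(INPUT_GET, 'url', FILTER_VALIDATE_URL)
    // on a live request; it says nothing about where the URL points.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                    // file://, php://, gopher:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                    // http://allowed.example@other-host/
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return false;                    // no requests to odd internal ports
    }
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, $allowedHosts, true)) {
        return false;
    }
    // Even an allow-listed name must resolve to a public address
    // (misconfigured or rebinding DNS records otherwise reach internal hosts).
    $ips = $resolve($host);
    if ($ips === false || $ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;                // 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16 ...
        }
    }
    return true;
}

// Fetch with curl restricted so a redirect cannot point somewhere unchecked.
function fetchChecked(string $url, array $allowedHosts): ?string
{
    if (!isFetchableUrl($url, $allowedHosts)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                        // re-validate each hop yourself
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => 10 * 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// Self-check with a constructed resolver (no network involved).
function selfTest(): bool
{
    $fakeDns = function (string $host) {
        $table = [
            'images.example.org'  => ['203.0.113.10'],  // documentation range, stands in for a public IP
            'rebound.example.org' => ['10.0.0.5'],      // allow-listed name resolving into RFC 1918 space
        ];
        return $table[$host] ?? false;
    };
    $allowed = ['images.example.org', 'rebound.example.org'];
    return  isFetchableUrl('https://images.example.org/iiif/info.json', $allowed, $fakeDns)
        && !isFetchableUrl('file:///etc/passwd', $allowed, $fakeDns)
        && !isFetchableUrl('http://images.example.org:8080/', $allowed, $fakeDns)
        && !isFetchableUrl('http://images.example.org@127.0.0.1/', $allowed, $fakeDns)
        && !isFetchableUrl('http://rebound.example.org/', $allowed, $fakeDns)
        && !isFetchableUrl('http://other.example.org/', $allowed, $fakeDns);
}
```

The same isFetchableUrl() check should guard file_get_contents() calls, which follow redirects and accept file:// and php:// wrappers by default; where an allow-list of hosts is not possible, the scheme, port and resolved-address checks are still the minimum.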
--------------------------------------------------------------------------------
** Improper Access Control: Email Content Injection
An attacker could inject HTML or plaintext content from an HTTP header, the database or a remote resource
into mail(), which is used to generate and send email.
These warnings are ignored since all content is taken from the database, from the Heurist log files or
from the $_SERVER variable (HTTP headers) to aid in debugging the system. Emails are sent automatically
to the system administrator (sign-ups, bugs, errors, system reports etc.). Emails with content derived
from the database may also be generated by the system administrator.
The only opportunity for other Heurist users to send email is via the "Record reminders" function.
** Information Exposure
An exception object flows to an echo statement and is leaked to the attacker.
These warnings are ignored since this is debug information to be sent to the system admin about exceptions, via email or Smarty.
** Origin Validation Error
header("Access-Control-Allow-Origin: *") is required for the public API responses and IIIF presentation.