CRV2 ReducingAttSurf
Revision as of 20:44, 7 September 2014 by Gary David Robinson (talk | contribs) (Created page with "* Reduce by having all pages HTTPS ** Does this function/feature have to be available over HTTP? * Is the function available to non-authenticated users? * Does the function in...")
- Reduce by having all pages HTTPS
  - Does this function/feature have to be available over HTTP?
- Is the function available to non-authenticated users?
- Does the function invoke a backend task that could be used to deny other legitimate users?
  - E.g. if the function writes to a file, or sends an SMS, or causes a CPU intensive calculation, could an attacker write a script to call the function many times per second and prevent legitimate users accessing that task?
- Does new code change the attack surface? Does it open new ports or accept new inputs? Could it be done in a way that does not increase the attack surface?
- Are searches controlled? Search is a risky operation: it typically queries the database for some criteria and returns the results, so if an attacker can inject SQL into the query they could access more data than intended.
- Is important data stored separately from trivial data (in DB, file storage, etc.)?
- If file uploads are allowed, should they be authenticated? Is there rate limiting? Max file size? Virus checking?
- If you have admin users with high privilege, are their actions logged/tracked in such a way that they a) can't erase/modify the log and b) can't deny their actions?
  - Are there any alarms or monitoring to spot if they are accessing sensitive data that they shouldn't be?
- Will changes be compatible with existing countermeasures or security code, or will new code/countermeasures need to be developed?
- Is the change attempting to introduce some non-centralized security code module, instead of re-using or extending an existing security module?
- Is the change adding unnecessary user levels or entitlements that will complicate the attack surface?
- Is the change storing unnecessary PII or confidential data?
- Does application configuration cause the attack surface to vary greatly, and is that configuration simple to use, alerting the administrator when the attack surface is being expanded?
- Could the change be done in a different way that would reduce the attack surface? For example, instead of making help items searchable and storing help item text in a database table beside the main username/password store, providing static help text on HTML pages reduces the risk through the 'help' interface.
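The "are searches controlled?" item above is easiest to review with the two shapes of a search query side by side. The following is an added example, not code from the OWASP page: a constructed SQLite schema (help text stored beside a credential table, the layout the last checklist item argues against), a search that pastes the term into the SQL text, and a hardened search that binds the term as a parameter, escapes the LIKE wildcards and caps the result count. The payload string and table names are constructed for the demonstration.

```python
import sqlite3


# Constructed sample schema: help text stored in a table beside the credential
# store, the very layout the checklist's last item argues against.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE help_items (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO help_items (title, body) VALUES (?, ?)",
        [("Reset password", "Use the forgot-password link."),
         ("Export report", "Reports can be exported as CSV.")],
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "constructed-hash-1"), ("bob", "constructed-hash-2")],
    )
    return conn


def search_help_vulnerable(conn, term):
    # The search term is pasted into the SQL text, so the caller controls the
    # query structure, not just the value being searched for.
    sql = "SELECT title FROM help_items WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term):
    # Escape LIKE metacharacters so a user cannot widen the pattern with % or _.
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def search_help_safe(conn, term, limit=20):
    # Bound parameter: the term is always data. ESCAPE keeps wildcards literal
    # and LIMIT caps how much any single search can return.
    sql = "SELECT title FROM help_items WHERE title LIKE ? ESCAPE '\\' LIMIT ?"
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (pattern, limit))]


def run_demo():
    conn = build_db()
    payload = "x' OR 1=1 --"   # constructed input that alters the query logic
    return {
        "vulnerable": search_help_vulnerable(conn, payload),
        "safe_payload": search_help_safe(conn, payload),
        "safe_match": search_help_safe(conn, "password"),
        "safe_wildcard": search_help_safe(conn, "%"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The vulnerable search returns every help item for the constructed payload because the input rewrote the WHERE clause; the parameterized search returns nothing for it, still finds "password", and treats a bare `%` as a literal character rather than a match-all wildcard.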
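Two items above ask the same question from different angles: can a backend task (file write, SMS, CPU-heavy calculation) be called fast enough to deny it to others, and are uploads authenticated, rate limited, size capped and scanned? The following added example (not from the OWASP page) serves both with one per-key sliding-window limiter: a guarded SMS sender and an upload gate that applies the checklist's questions in order. The `sender` and `scanner` callables, the magic-byte allow-list and the 5 MiB cap are assumptions for the demonstration.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter: at most max_calls per window_seconds for each
    key (user id, API key or client address)."""

    def __init__(self, max_calls, window_seconds, clock=time.monotonic):
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock          # injectable so tests can advance time
        self._calls = {}            # key -> deque of call timestamps

    def allow(self, key):
        now = self.clock()
        q = self._calls.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()             # drop calls that fell out of the window
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


def send_sms(user, message, limiter, sender):
    """Expensive backend task guarded by the limiter. `sender` is a
    hypothetical gateway callable, invoked only while the user is under quota."""
    if not limiter.allow(("sms", user)):
        return False
    sender(user, message)
    return True


# Magic bytes for the only upload types this hypothetical feature needs.
ALLOWED_MAGIC = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


def check_upload(user, data, limiter, max_bytes=5 * 1024 * 1024, scanner=None):
    """Apply the checklist's upload questions in order: authenticated, rate
    limited, size capped, type allow-listed, then (optionally) malware
    scanned. Returns (accepted, reason)."""
    if user is None:
        return False, "unauthenticated"
    if not limiter.allow(("upload", user)):
        return False, "rate limited"
    if len(data) > max_bytes:
        return False, "too large"
    if not any(data.startswith(magic) for magic in ALLOWED_MAGIC):
        return False, "file type not allowed"
    if scanner is not None and not scanner(data):
        return False, "rejected by scanner"
    return True, "accepted"


if __name__ == "__main__":
    limiter = RateLimiter(max_calls=3, window_seconds=60)
    print(check_upload("alice", b"%PDF-1.4 constructed", limiter))
    print(send_sms("alice", "hello", limiter, lambda u, m: None))
```

The limiter is keyed on a tuple so the SMS quota and the upload quota are counted separately for the same user; a rejected upload still consumes quota, which is deliberate, since the point is to bound how often the expensive path can be hit at all.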
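The admin-logging item asks for a log that privileged users can neither erase nor modify without detection, plus an alarm for bulk access to sensitive data. The following added example (not from the OWASP page) shows one way to meet both: each entry carries an HMAC over the previous entry's MAC and its own record, so editing, reordering or deleting an entry breaks verification, and the latest MAC is published to an independent store so silent truncation is caught too. The key, the `users/` and `payments/` resource prefixes and the threshold of three reads are constructed for the demonstration.

```python
import hashlib
import hmac
import json


class AuditLog:
    """Append-only log whose entries are chained with an HMAC. The key is held
    by the logging service, so an application administrator cannot forge, edit
    or reorder entries without the chain failing verification."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, prev_mac, record):
        msg = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, actor, action, target):
        record = {"seq": len(self.entries), "actor": actor,
                  "action": action, "target": target}
        prev = self.entries[-1]["mac"] if self.entries else "genesis"
        self.entries.append({"record": record, "mac": self._mac(prev, record)})

    def head(self):
        """MAC of the last entry; publish this to an independent store so that
        silently truncating the log is also detectable."""
        return self.entries[-1]["mac"] if self.entries else "genesis"

    def verify(self, expected_head=None):
        prev = "genesis"
        for i, entry in enumerate(self.entries):
            if entry["record"]["seq"] != i:
                return False            # entry deleted or reordered
            if not hmac.compare_digest(entry["mac"], self._mac(prev, entry["record"])):
                return False            # entry modified or MAC forged
            prev = entry["mac"]
        return expected_head is None or hmac.compare_digest(prev, expected_head)


SENSITIVE_PREFIXES = ("users/", "payments/")   # constructed resource naming


def flag_bulk_sensitive_reads(log, threshold=3):
    """Alarm: actors who read at least `threshold` sensitive records.
    Returns {actor: count} for those over the line."""
    counts = {}
    for entry in log.entries:
        r = entry["record"]
        if r["action"] == "read" and r["target"].startswith(SENSITIVE_PREFIXES):
            counts[r["actor"]] = counts.get(r["actor"], 0) + 1
    return {a: c for a, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key")
    for n in range(4):
        log.append("admin1", "read", f"users/{n}")
    print("valid:", log.verify(), "alarms:", flag_bulk_sensitive_reads(log))
```

Note what each check catches: `verify()` alone detects edits and deletions in the middle of the log, but truncating the tail leaves a valid shorter chain, which is why `head()` has to live somewhere the administrator cannot write.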
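The items on new code opening ports or accepting new inputs, and on configuration that should alert the administrator when the surface expands, both reduce to comparing two descriptions of what is exposed. The following added example (not from the OWASP page) models the surface as listening ports, whether plain HTTP is accepted, and which routes need authentication, then lists every expansion between an old and a new configuration so a reload hook can alert on a non-empty result. The model, the `notify` hook and the sample ports and paths are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    path: str
    auth_required: bool


@dataclass
class SurfaceConfig:
    """Constructed, deliberately small model of the settings that move the
    attack surface: what listens, whether plain HTTP is accepted, and which
    routes are reachable without authentication."""
    listen_ports: frozenset
    https_only: bool
    endpoints: frozenset


def surface_expansions(old, new):
    """Return human-readable findings for every way `new` exposes more than
    `old`. An empty list means the change did not grow the surface."""
    findings = []
    for port in sorted(new.listen_ports - old.listen_ports):
        findings.append(f"new listening port {port}")
    if old.https_only and not new.https_only:
        findings.append("plain HTTP now accepted")
    old_by_path = {e.path: e for e in old.endpoints}
    for ep in sorted(new.endpoints, key=lambda e: e.path):
        prev = old_by_path.get(ep.path)
        if prev is None:
            suffix = "" if ep.auth_required else " (unauthenticated)"
            findings.append(f"new endpoint {ep.path}{suffix}")
        elif prev.auth_required and not ep.auth_required:
            findings.append(f"endpoint {ep.path} no longer requires authentication")
    return findings


def alert_if_expanded(old, new, notify):
    """Gate for a configuration reload: call `notify` (hypothetical admin
    alert hook) with the findings and report whether the surface grew."""
    findings = surface_expansions(old, new)
    if findings:
        notify(findings)
    return bool(findings)


if __name__ == "__main__":
    before = SurfaceConfig(frozenset({443}), True,
                           frozenset({Endpoint("/login", False), Endpoint("/admin", True)}))
    after = SurfaceConfig(frozenset({80, 443}), False,
                          frozenset({Endpoint("/login", False), Endpoint("/admin", False),
                                     Endpoint("/help/search", False)}))
    alert_if_expanded(before, after, lambda f: print("\n".join(f)))
```

Reductions (a closed port, a route that now requires authentication) are intentionally not reported, so the hook only fires for the direction the checklist cares about; the same comparison run in code review against the pre-change configuration answers the "does new code change the attack surface?" question directly.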