The Classic ASP Boilerplate Project (CAB) is an approach to solving common quality assurance issues such as security and maintainability. It also delivers an architecture outline that can be reused for future projects.
-
Website Defacement
- All inputs will get sanitized in one place: Function InputHelper.getParameter()
- All text outputs will get encoded in one place: Function OutputHelper.write()
- All url outputs will get encoded in one place: Function OutputHelper.writeURL()
- <%=variable%> is not used. <% output.write(variable) %> is used instead.
- Cookie values must not be shown in the UI
-
Stored XSS
- see 1. Website Defacement
-
SQL Injection
- see 1. Website Defacement
- Only using stored procedures: Model.UserModel.getUserList()
-
DOS
- see 1. Website Defacement
-
CSRF
- Requests will only be sent via HTTP POST: CommunicationHandler.post() in script.js
- Requests can only be used once: with every request the server sends a randomly generated token, which the client must send back with its next request (CsrfHelper.getParameter() and CsrfHelper.checkParameter() on the server, CommunicationHandler.post() in script.js on the client)
-
Clickjacking
- Requests will only be sent via HTTP POST: CommunicationHandler.post() in script.js
- Setting the X-Frame-Options header in ConfigurationHelper: Response.AddHeader "X-FRAME-OPTIONS", "DENY"
- Adding JavaScript for browsers that do not support X-Frame-Options: + related script block below
-
Information Leakage
- In general, errors are not surfaced (On Error Resume Next in ConfigurationHelper.asp)
- Application and database errors should not be delivered to the client
-
Content Tampering
- Because URL parameters are not used (see 5. CSRF), they cannot be reflected on the page.
-
Cookies not Marked HttpOnly
- All cookies are accessed via the CookieHelper class
- Usage of cookies without HttpOnly is prohibited
TODO
-
Malicious File Upload
- Will not be addressed
-
Insecure Cryptographic Storage
- Fix: Could be addressed by encrypting email addresses, but this cannot be verified with black-box tests
-
Information Leakage - Application Error
-
Information Leakage - Database Error
- Fix: SERVER SETTING
-
Session ID remains the same after login
- Fix: Call Session.Abandon() after successful login
-
Company Password/User/Password Enumeration
- Fix: Display only one error message
-
Weak Password Policy
- Fix: Implement password policy
-
Bruteforce Possible on Login
- Fix: Implement RECAPTCHA
-
Email Address Disclosure
- Fix: Don't display email addresses with @
-
Web Server Version Disclosure from HTTP Header
- Fix: Remove header - SERVER SETTING
-
HTTPS only
- Fix: SERVER SETTING
-
Account Lockout
- Fix: Implement lockout logic, e.g. set the account to inactive after 10 unsuccessful attempts
- Test: Database Access in _Model.asp
- Define: Error Responses in Error.asp
- Implement: Error Handling on client
- Implement output generators (instead of building output in controllers) that take objects and meta information
- JSON
- XML
- HTML
- Implement and use further Get methods in the InputHelper class
- Implement a JavaScript UI framework like dhtmlx + ActivityIndicator
- Inline code documentation could be more extensive