Verify CAT1 STIG Findings

[nealep]

Howdy Folks!

I've taken the liberty of reviewing the CAT 1 STIG vulnerabilities in the Vaulted app. Can you verify my findings? When I was going through the list, I made the following assumptions:

1. OOD was deployed using Keycloak; Keycloak was connected to a central user management system (e.g., Active Directory Federated Services).
2. OOD was deployed using TLS.
3. All other configuration were default.

My outstanding questions are:

• V-70221 - The application must fail to a secure state - I was unable to get the app to such a state easily on my virtual setup. Do any of you have testing infrastructure that could exercise the scenarios listed in the thing?
• V-70255 - The application must not store sensitive information in hidden fields - I didn't find such hidden fields but there may be some lurking somewhere. Can you verify that no sensitive hidden fields exist?
• V-70257 - The application must protect from Cross-Site Scripting (XSS) vulnerabilities - I didn't see any XSS attack tests in the test suite. Would it be possible to add such tests? Can you verify that all the input boxes are using built in input sanitization functions?
• V-70261 - The application must protect from command injection - I didn't see any command injection tests in the test suite. Can you verify that GET variables are properly sanitized?
• V-70267 - The application must not be vulnerable to SQL Injection. - Can you verify that stored procedures are used everywhere and that user-inputs are properly sanitized?
• V-70271 - The application must not be subject to input handling vulnerabilities - Can you verify that user input is sanitized in applicable forms etc?
• V-70365 - The application must have the capability to mark sensitive/classified output when required - As far as I can tell, there's no way to mark application elements with a certain classification. Would it be possible to add guidance to the documentation that says something like 'OOD does not have the ability to mark multiple classification levels at this time. OOD should be deployed on a system configured and properly secured for processing the highest classification level to mitigate the possibility of data spills.'

┆Issue is synchronized with this Asana task by Unito

[ericfranz]

I didn't see any XSS attack tests in the test suite. Would it be possible to add such tests?

What is the recommended way to add such tests that would satisfy V-70257? Are there particular test runners? For example, is this something that a unit test would be insufficient, and rather a test using Selenium, for example, would be desired? Or is something like Rails integration tests good enough (where the tests do not actually execute client side javascript through the browser but may exercise the server API and inspect returned HTML).

In the same way, for having tests for user input in web forms, I wonder generally speaking if we should be itemizing all of the possible ways in a systematic fashion that user input can be provided to the system (through URLs, form submissions, etc.) and then having some type of report on test coverage of that? Obviously it is much easier to do something like that for unit tests - lots of tools provide estimation and its easy if most of the code is refactored into separate functions to identify which ones have no tests.

[nealep]

They don't really specify an automated test runner. They do say that if automated tests are not available:

"If scan results are not available, perform manual testing in various data entry fields to determine if XSS exist. Navigate through the web application as a regular user and identify any data entry fields where data can be input. Input the following strings:

<img src=x onerror="alert(document.cookie);"

If the script pop up box is displayed, or if scan reports show unremediated XSS results and no mitigating steps have been taken, this is a finding."

They do reference OWASP ZAP in a few places. I believe there's a Github Action for running tests that'll include both XSS and other input validations. This blog has a good rundown I think.

[matt257]

discussion needed before proceeding, how can this be automated?