OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

v4 Feedback: 0x24-V19-Config.md #286

Closed ossie-git closed 5 years ago

ossie-git commented 6 years ago

19.1 I would add disabling unneeded functionality as well to this

19.3 I think this is applicable to L1 as well

Might want to add:

Verify that all parsers used by the application, such as XML parsers, are configured to prevent external entity attacks.

One of the items not explicitly mentioned is ensuring that backup artifacts and backup files (such as database backups, .bak files or ~ files from someone viewing the source code of a given file on the server, etc.) are not accessible (bfac - https://github.com/mazen160/bfac - looks for these as does Burp Suite's Content Discovery - https://portswigger.net/burp/help/suite_functions_contentdiscovery - and other tools, etc.)

I think we can either:

Here is some suggested wording:

"Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, .bak, .swp and similar extensions commonly used by editors should not be served by the web tier."

Add a link to:

XML External Entity (XXE) Prevention Cheat Sheet https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
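To make the allowlist idea in the suggested wording concrete, here is an added example (not from this issue or the ASVS project) that applies an assumed allowlist of servable extensions and audits a constructed web root for the editor and backup leftovers mentioned above. The extension sets are assumptions and should be tuned to the application's actual static assets.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Assumed allowlist of extensions the web tier is permitted to serve.
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png", ".jpg", ".svg", ".ico"}

# Editor/backup artefacts named in the issue plus a few common variants.
BACKUP_SUFFIXES = (".bak", ".swp", ".swo", ".orig", ".old", "~")


def is_backup_artifact(name: str) -> bool:
    """True if the file name looks like an editor swap or backup leftover."""
    return name.lower().endswith(BACKUP_SUFFIXES)


def is_servable(name: str) -> bool:
    """Allowlist decision: never a backup artefact, only known extensions."""
    if is_backup_artifact(name):
        return False
    return Path(name).suffix.lower() in ALLOWED_EXTENSIONS


def audit_webroot(root: str) -> List[str]:
    """Return relative paths under root that the allowlist policy would reject."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_servable(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def demo() -> List[str]:
    """Build a constructed web root with typical leftovers and audit it."""
    sample_files = ["index.html", "app.js", "index.html.bak",
                    ".index.html.swp", "config.php~", "db/dump.sql.old"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_files:
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("constructed sample content")
        return audit_webroot(root)


if __name__ == "__main__":
    for finding in demo():
        print("would be exposed:", finding)
```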

danielcuthbert commented 5 years ago

19.8 | Verify that third party components come from trusted repositories. | | | ✓ | 3.0 |

is a bit vague. Define trusted? Is it one that has been audited on a regular basis? What about the likes of npm, pip, git etc.?

I get what this is trying to be, but it's not as clear as it should be and needs some additional thought on how to do that.

danielcuthbert commented 5 years ago

19.7 | Verify that all application components are signed. | | | ✓ | 3.0 |

Also rather vague. Signed by whom? We need to rethink this.

danielcuthbert commented 5 years ago

Closing this, reworded as best I see fit.