OWASP / www-project-thick-client-application-security-verification-standard

OWASP Thick Client Application Security Verification Standard
https://owasp.org/www-project-thick-client-application-security-verification-standard/
Creative Commons Attribution Share Alike 4.0 International

Should DLL Hijacking be a single item? #7

Open JeffreyShran opened 2 months ago

JeffreyShran commented 2 months ago

as suggested in #6 by @matreurai

Note: I've seen in TASVS-STORAGE a category specific to a specific vulnerability (DLL Hijacking). I think this should be modified as the testing standard is not made for specific vulnerabilities in my opinion. Additionally, these items are explaining a type of attack and do not provide any guidance to what to test or how to prevent/mitigate risks of such attacks. The equivalent in the Web Application Security Verification Standard would be to add an item as such: "Cross-Site Scripting Category - Blind cross-site scripting (XSS) is a variant of stored XSS where the malicious payload is executed in a different context or application than where it was originally injected." I don't think this makes sense in the context of a Verification Standard.

matreurai commented 2 months ago

I don't think an item should be created for "DLL Hijacking" specifically, but I do think various items could be addressing risks related to that type of attack, including all variants. I believe items should reflect tests or checks testers should go over in order to minimize the risks for a type of attack. As an example for DLL Hijacking:

- Item 1 - Identify and look for DLLs loading from unexpected locations using Process Explorer with appropriate filters such as "NAME NOT FOUND" to reduce risks of DLL Hijacking.
- Item 2 - Verify the use of fully qualified paths when loading DLLs to reduce risks of DLL Hijacking.
- Item 3 - Verify the current working directory was removed from the DLL search path (`SetDllDirectory("");`) to reduce risks of DLL Hijacking.
- Item 4 - Make sure safe process search mode is enabled (`SetSearchPathMode(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT);`) to reduce risks of DLL Hijacking.
- Item 5 - Thick client should digitally sign legitimate DLLs to reduce risks of DLL Hijacking.

etc.
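
As an added example of what a tester-side check for Items 1 and 5 in the list above could look like (this is example code written for this thread, not part of the TASVS project): the script below enumerates the modules a running thick client has loaded, flags any loaded from outside the install directory or the Windows system directories, checks each module's Authenticode signature, and notes whether the directory the module came from is writable by ordinary users. The process name `ThickClient` and install path `C:\Program Files\ThickClient` are placeholders to replace with the target's values.

```powershell
# Added example, not TASVS project code. Audits the DLLs a running thick
# client has loaded and flags candidates for DLL hijacking review.
# Assumptions (placeholders to adjust): process name 'ThickClient' and
# install directory 'C:\Program Files\ThickClient'.
param(
    [string]$ProcessName = 'ThickClient',
    [string]$AppDir      = 'C:\Program Files\ThickClient'
)

# Directories from which a module load is considered expected (Item 1).
$trustedRoots = @(
    $AppDir,
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'WinSxS')
)

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
    # .Modules lists every image mapped into the process. Reading it needs a
    # PowerShell host of the same bitness as the target and, for processes
    # owned by other users, an elevated session.
    foreach ($module in $proc.Modules) {
        $path = $module.FileName
        if (-not $path) { continue }

        $flags = New-Object System.Collections.Generic.List[string]

        if (-not (Test-UnderTrustedRoot -Path $path)) { $flags.Add('UNEXPECTED_LOCATION') }

        # Item 5: every legitimate module should carry a valid signature.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags.Add("SIGNATURE_$($sig.Status)") }
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        # A module pulled from a directory that unprivileged users can write
        # to is what turns a search-order quirk into an exploitable hijack.
        $dir = Split-Path -Path $path -Parent
        $userWritable = (Get-Acl -Path $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Authenticated Users|^BUILTIN\\Users$' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData)
        }
        if ($userWritable) { $flags.Add('DIRECTORY_WRITABLE_BY_USERS') }

        [pscustomobject]@{
            ProcessId = $proc.Id
            Module    = $module.ModuleName
            Path      = $path
            Signer    = $signer
            Flags     = ($flags -join ',')
        }
    }
}

# Report only the rows that tripped at least one check.
$findings | Where-Object { $_.Flags } | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated PowerShell session of the same bitness as the target process. A row carrying both `UNEXPECTED_LOCATION` and `DIRECTORY_WRITABLE_BY_USERS` is the combination worth writing up; `SIGNATURE_NotSigned` on an OS binary may be a false positive on hosts older than Windows 10 / PowerShell 5.1, where catalog-signed system files are not recognised by `Get-AuthenticodeSignature`. The "NAME NOT FOUND" part of Item 1 (DLLs the application looks for but never finds) is a dynamic trace that this static snapshot of loaded modules does not cover.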

JeffreyShran commented 2 months ago

My only fear here is we are moving the standard to becoming more of a testing guide.

I would say that as a first step we should decide at a higher level if we want to itemize tests as you describe across the standard or do we want to leave that detail out (or maybe into the definition of a test item) and then re-align the whole document with that decision in mind.

What do you think @matreurai?