
SCP [83, 134, 135, 136, 137, 153, 158, 160, 161, 162,] Cornucopia - Communication Security, Data Protection, Access Control #127

@sydseter

Description


These are SCP coding practices used during Cornucopia threat modeling sessions that we could add here.

ref: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf

Communication Security

SCP [153] Turn off directory listings

I would say this is similar to ASVS 13.4.3
SCP [153] is referred to in CJ and VE2.

Suggestion: Turn off directory listings


SCP [158] Prevent disclosure of your directory structure in the robots.txt file by placing directories not intended for public indexing into an isolated parent directory. Then "Disallow" that entire parent directory in the robots.txt file rather than Disallowing each individual directory

Mentioned in Recommended, in-scope mechanisms and Review Webserver Metafiles for Information Leakage
SCP [158] is referred to in VE2

Suggestion: Prevent accidentally accessible and sensitive pages from appearing in search engines using a robots.txt file, the X-Robots-Tag response header or a robots html meta tag


SCP [160] Disable unnecessary HTTP methods, such as WebDAV extensions. If an extended HTTP method that supports file handling is required, utilize a well-vetted authentication mechanism

Mentioned in Test Network Infrastructure Configuration and Test HTTP Methods.
SCP [160] is referred to in C8

Suggestion: Disable unnecessary HTTP methods, such as WebDAV extensions. If an extended HTTP method that supports file handling is required, utilize a well-vetted authentication mechanism


SCP [161] If the web server handles both HTTP 1.0 and 1.1, ensure that both are configured in a similar manner or ensure that you understand any difference that may exist (e.g. handling of extended HTTP methods)

SCP [162] Remove unnecessary information from HTTP response headers related to the OS, web-server version and application frameworks

I would say this is similar to ASVS 13.4.5
SCP [161] is referred to in C8.
SCP [162] is referred to in VE2.

Suggestion: Remove unnecessary information from HTTP response headers related to the OS, web-server version and application frameworks unless implemented to confuse an attacker
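As an added example (not code from this issue, the ASVS project or the SCP guide), the following WSGI middleware applies SCP [158], [160] and [162] at the application edge: it answers unneeded methods such as TRACE or the WebDAV verbs with 405, strips response headers that name the OS, server or framework, and sends an `X-Robots-Tag` header for one isolated non-public prefix instead of enumerating private directories in robots.txt. The `leaky_app`, the header values it emits and the `/internal/` prefix are constructed assumptions.

```python
"""Added example: WSGI middleware for SCP [158], [160] and [162].
The demo app, its header values and the /internal/ prefix are constructed."""
from wsgiref.util import setup_testing_defaults

# Response headers that reveal OS, web server or framework details (SCP [162]).
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def harden(app, allowed_methods=("GET", "HEAD", "POST"), noindex_prefixes=("/internal/",)):
    """Wrap a WSGI app: reject unneeded methods, strip identifying headers,
    and tag non-public paths with X-Robots-Tag so crawlers do not index them."""
    allowed = {m.upper() for m in allowed_methods}

    def middleware(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "/")

        # SCP [160]: only the methods the application actually needs get through;
        # TRACE, PUT, DELETE, PROPFIND and other WebDAV verbs are answered with 405.
        if method not in allowed:
            start_response("405 Method Not Allowed",
                           [("Allow", ", ".join(sorted(allowed))),
                            ("Content-Type", "text/plain")])
            return [b"method not allowed"]

        def filtered_start_response(status, headers, exc_info=None):
            # SCP [162]: drop headers the upstream app or framework added that name the stack.
            clean = [(k, v) for k, v in headers if k.lower() not in IDENTIFYING_HEADERS]
            # SCP [158]: one isolated prefix is marked noindex via a response header
            # rather than listing every private directory in robots.txt.
            if any(path.startswith(p) for p in noindex_prefixes):
                clean.append(("X-Robots-Tag", "noindex, nofollow"))
            return start_response(status, clean, exc_info)

        return app(environ, filtered_start_response)

    return middleware


def leaky_app(environ, start_response):
    """Constructed upstream app that, like many stacks by default, advertises itself."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "ExampleHTTPd/9.9 (Unix)"),      # constructed value
                              ("X-Powered-By", "ExampleFramework/1.2")])  # constructed value
    return [b"hello"]


def call(app, method, path):
    """Drive a WSGI app without a server; returns (status, lower-cased header dict, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys, keeps ours
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = harden(leaky_app)
    for m, p in [("GET", "/"), ("GET", "/internal/api-docs"), ("TRACE", "/"), ("PROPFIND", "/")]:
        status, headers, _ = call(app, m, p)
        print(f"{m} {p} -> {status} {headers}")
```

The method allowlist is deliberately per application rather than global: a deployment that really needs an extended method should add it here explicitly and pair it with the authentication the SCP text calls for, instead of leaving the server default open.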

Access Control

SCP [83] Restrict access to files or other resources, including those outside the application's direct control

We could also add to it that it should be restricted using an allowlist, something that is mentioned in ASVS 13.2.4 and 13.2.5.
SCP [83] is referred to in AZ5

Suggesting to add: Restrict access to files or other resources, including those outside the application's direct control, using an allowlist or the equivalent thereof.

Data Protection

SCP [134] Protect server-side source-code from being downloaded by a user

I would say this is similar to ASVS 13.4.1
SCP [134] is referred to in C3.

Suggesting to add: Ensure the .git and .svn folders or any other source control metadata aren't deployed alongside the application in a way that makes them directly accessible externally or indirectly through the application
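An added example covering both SCP [83] (allowlisted file access) and SCP [134] (source code and source-control metadata must not be downloadable), and not code from this issue or any OWASP project: a resolver that serves a file only if it resolves inside the web root after following `..` and symlinks, contains no dot-directory such as `.git` or `.svn`, carries an allowlisted static extension (so `app.py` is never served), and is a regular file (a bare directory is refused, which also rules out directory listings as in SCP [153]). The web root layout, the file names and the suffix allowlist are constructed assumptions.

```python
"""Added example: allowlist-based file access for SCP [83] and [134].
Web root layout, file names and the suffix allowlist are constructed."""
import tempfile
from pathlib import Path

# SCP [134]: source-control metadata and config-style dot-directories are never served.
DENIED_PARTS = {".git", ".svn", ".hg", ".env"}


class AccessDenied(Exception):
    """Raised for any request that fails an allowlist check."""


def resolve_allowed(base_dir, requested, allowed_suffixes=(".html", ".css", ".js", ".png")):
    """Return the real path under base_dir only if the request passes every allowlist check."""
    base = Path(base_dir).resolve()
    try:
        # Treat the request as relative to the web root whatever leading slashes it carries;
        # resolve() collapses ".." segments and follows symlinks before the containment check.
        candidate = (base / requested.lstrip("/")).resolve()
    except (OSError, ValueError) as exc:  # e.g. embedded NUL byte, unreadable path
        raise AccessDenied(f"unresolvable path: {requested!r}") from exc

    # SCP [83]: containment is checked on the resolved path, so a symlink or ".."
    # that leaves the web root is rejected even though the request text looked local.
    if candidate != base and base not in candidate.parents:
        raise AccessDenied(f"outside web root: {requested!r}")

    relative_parts = candidate.relative_to(base).parts
    if any(part.startswith(".") or part in DENIED_PARTS for part in relative_parts):
        raise AccessDenied(f"hidden or source-control path: {requested!r}")

    # Allowlist by file type: only static assets, never .py/.php/.cfg or similar.
    if candidate.suffix.lower() not in allowed_suffixes:
        raise AccessDenied(f"file type not allowlisted: {requested!r}")

    # Directories are refused outright, so there is nothing to list (SCP [153]).
    if not candidate.is_file():
        raise AccessDenied(f"not a regular file: {requested!r}")
    return candidate


def is_served(base_dir, requested):
    """Convenience wrapper: True if the request would be served, False if denied."""
    try:
        resolve_allowed(base_dir, requested)
        return True
    except AccessDenied:
        return False


def build_demo_webroot():
    """Constructed sample deployment: public assets plus files that must not be served."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "css").mkdir()
    (root / ".git").mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / "css" / "site.css").write_text("body {}")
    (root / ".git" / "config").write_text("[core]")
    (root / "app.py").write_text("DB_PASSWORD = 'constructed-placeholder'")
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    for req in ["/index.html", "/css/site.css", "/css/../index.html",
                "/../../../etc/passwd", "/.git/config", "/app.py", "/css/"]:
        print(f"{req:24} -> {'served' if is_served(root, req) else 'denied'}")
```

Because the check runs on the resolved path, the same function also covers resources the application does not directly control, such as a deployment directory that later gains a symlink into another filesystem location: the link target, not the link name, decides whether the request is inside the allowlisted root.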


SCP [135] Do not store passwords, connection strings or other sensitive information in clear text or in any non-cryptographically secure manner on the client. This includes embedding in insecure formats like: MS viewstate, Adobe flash or compiled code

I would say this is similar to ASVS 13.3.1
SCP [134] is referred to in CR8.

Suggestion: Do not store passwords, secrets, connection strings, key material, secret management integrations or other sensitive information in clear text or in any non-cryptographically secure manner on the client, in source code, or build artifacts.


SCP [136] Remove comments in user accessible production code that may reveal backend system or other sensitive information

SCP [137] Remove unnecessary application and system documentation as this can reveal useful information to attackers

I would say this is similar to ASVS 13.4.5
SCP [136] is referred to in VE2.
SCP [137] is referred to in VE2 and CJ.

Suggestion: Remove or restrict access to internal application and system documentation (such as for internal APIs) as this can reveal backend system or other useful information to attackers

