Skip to content

Latest commit

 

History

History
167 lines (130 loc) · 8.33 KB

mitigations.md

File metadata and controls

167 lines (130 loc) · 8.33 KB

Mitigation Strategies Analysis for bcosca/fatfree

Mitigation Strategy: Context-Aware Template Sanitization and Escaping (F3 Template Engine)

  • Description:

    1. Identify User Inputs: Identify all data sources passed to F3 templates.
    2. Pre-Validation: Validate input format before using F3's escaping.
    3. Context-Specific Escaping: Use the correct F3 escaping function based on context:
      • {{ @variable | esc }} (or $f3->esc($variable)) for HTML content.
      • {{ @variable | encode }} for HTML attributes.
      • {{ @variable | stringify }} for JSON (useful for JavaScript).
      • raw(): Use extremely rarely, with documented justification.
    4. Consider HTML Purifier (Integration with F3): For complex HTML sanitization, integrate HTML Purifier, configuring it with a whitelist of safe tags/attributes. This is used with F3, but not a direct F3 feature.
    5. JavaScript/CSS Escaping (with F3 context): If embedding user data within <script> or <style> tags, use appropriate escaping libraries, understanding how F3 handles these contexts.
    6. Regular Audits: Review F3 template code for proper escaping.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS): (Severity: High)
    • Template Injection: (Severity: High)
    • HTML Injection: (Severity: Medium)

  • Impact:

    • XSS: Risk reduction: Very High.
    • Template Injection: Risk reduction: Very High.
    • HTML Injection: Risk reduction: High.

  • Currently Implemented:

    • Basic {{ @variable | esc }} usage.
    • Some pre-validation.

  • Missing Implementation:

    • Consistent context-specific escaping.
    • HTML Purifier integration.
    • Consistent JavaScript/CSS escaping.
    • Regular template audits.

Mitigation Strategy: Strict Route Definitions and Parameter Validation (F3 Routing)

  • Description:

    1. Explicit Routes: Define routes with specific parameters and types (e.g., /user/@id:int). Avoid wildcards (*).
    2. Use F3's filter(): Within route handlers, use $f3->filter($params['parameter_name'], 'filter_type') for type/format validation.
    3. Custom Validation (within F3 context): Create custom validation functions or use a library, applying business logic within the F3 route handler.
    4. Whitelist Approach (within F3 context): If a parameter has limited valid values, use a whitelist within the F3 route handler.
    5. Avoid Direct PARAMS Access: Use $f3->get('PARAMS.parameter_name') followed by immediate validation.
    6. Error Handling (F3's error()): Use $f3->error() to return appropriate HTTP error codes (400, 404) for invalid parameters.

  • Threats Mitigated:

    • Parameter Tampering: (Severity: Medium)
    • SQL Injection (Indirectly): (Severity: High)
    • NoSQL Injection (Indirectly): (Severity: High)
    • Denial of Service (DoS): (Severity: Medium)

  • Impact:

    • Parameter Tampering: Risk reduction: High.
    • SQL/NoSQL Injection: Risk reduction: Medium.
    • DoS: Risk reduction: Medium.

  • Currently Implemented:

    • Some explicit parameters.
    • Some filter() usage.

  • Missing Implementation:

    • Consistent filter()/custom validation.
    • Widespread whitelist approach.
    • Avoidance of direct PARAMS access.
    • Consistent error handling.

Mitigation Strategy: Secure Database Interactions with F3's ORMs (Axon, Jig)

  • Description:

    1. Use F3's ORMs: Leverage Axon or Jig for database interactions.
    2. Parameterized Queries (via ORMs): Use the ORM's methods, which inherently use parameterized queries:
      • Axon: $user->load(['username = ?', $username]);
      • Jig: $user->load(['username' => $username]);
    3. Input Validation (Pre-ORM, within F3 context): Validate input before passing it to the ORM, using F3's filter() or custom validation within the route handler or controller.
    4. Database-Specific Escaping (with F3 ORM): If constructing complex queries or using database-specific functions through the ORM, be aware of any special character escaping needs.

  • Threats Mitigated:

    • SQL Injection: (Severity: Critical)

  • Impact:

    • SQL Injection: Risk reduction: Very High.

  • Currently Implemented:

    • F3's ORMs are used.
    • Parameterized queries are generally used.

  • Missing Implementation:

    • Consistent pre-ORM input validation.

Mitigation Strategy: Secure Session Management (F3's SESSION)

  • Description:

    1. Secure Configuration (F3's config.ini):
      • session.cookie_secure = true (HTTPS only)
      • session.cookie_httponly = true
      • session.use_strict_mode = true
      • session.use_only_cookies = true
      • Set appropriate session.cookie_lifetime and session.gc_maxlifetime.
    2. Session Regeneration (F3's reroute()): Use $f3->reroute() after privilege changes (login, logout) to regenerate the session ID.
    3. Session Validation (within F3 request context): On each request, verify session validity using F3's session data.
    4. Secure Data Storage (with F3's SESSION): Encrypt sensitive data stored in $f3->get('SESSION'). Consider a database-backed session store (configured through F3).

  • Threats Mitigated:

    • Session Hijacking: (Severity: High)
    • Session Fixation: (Severity: High)
    • Cross-Site Scripting (XSS) (Indirectly): (Severity: High)

  • Impact:

    • Session Hijacking: Risk reduction: High.
    • Session Fixation: Risk reduction: High.
    • XSS: Risk reduction: Medium.

  • Currently Implemented:

    • session.cookie_httponly = true
    • session.use_only_cookies = true

  • Missing Implementation:

    • session.cookie_secure = true (requires HTTPS).
    • session.use_strict_mode = true
    • Consistent session regeneration.
    • Robust session validation.
    • Encryption of sensitive session data.

Mitigation Strategy: CSRF Protection with F3's CSRF Plugin

  • Description:

    1. Enable F3's CSRF Plugin: Ensure the plugin is enabled and configured.
    2. Include Token in Forms (F3 helpers): Use the plugin's helpers to include the CSRF token in all relevant forms (POST, PUT, DELETE).
    3. Automatic Validation (F3 plugin): Rely on the plugin's automatic token validation.

  • Threats Mitigated:

    • Cross-Site Request Forgery (CSRF): (Severity: High)

  • Impact:

    • CSRF: Risk reduction: Very High.

  • Currently Implemented:

    • Plugin is enabled.
    • Tokens in some forms.

  • Missing Implementation:

    • Consistent token inclusion in all relevant forms.

Mitigation Strategy: Secure Error Handling (F3's ONERROR)

  • Description:

    1. Custom Error Handler (F3's ONERROR): Use $f3->set('ONERROR', ...) to create a custom error handler that:
      • Logs detailed error information (using F3's logging, if available).
      • Displays a generic error message to the user (using F3's templating).
    2. Detailed Logging (with F3 context): Log errors, warnings, and security events, including F3-specific context (user ID, IP from $f3->get('IP'), etc.).
    3. Disable Stack Traces (F3's DEBUG): Ensure $f3->set('DEBUG', 0); in production to prevent stack trace exposure.

  • Threats Mitigated:

    • Information Disclosure: (Severity: Medium)

  • Impact:

    • Information Disclosure: Risk reduction: High.

  • Currently Implemented:

    • Basic error logging.

  • Missing Implementation:

    • Consistent custom error handler.
    • Detailed logging with F3 context.
    • Guaranteed disabling of stack traces in production.