Checklist Item Template

From Guidance Share


Template

  • Template
  • Title
  • Applies To
  • What to Check For
  • Why
  • How To Check
  • How To Fix
  • Problem Example
  • Solution Example
  • Additional Resources
  • Related Items


Test Cases

Title

Test Cases

  • Is the title in the form of a check? (fuel full? light on?)

Applies To

Test Cases

  • Do you list technology and version? (e.g. ASP.NET 2.0)


What to Check For

Test Cases

  • Does this section describe the essence of the checklist item?
  • Is it a tight description - no more than 2 or 3 sentences?
  • Is it clear to the reader what action they need to take in order to be in compliance?


Why

Test Cases

  • Does this section explain the consequences of ignoring the checklist item?


How To Check

Test Cases

  • Is this section broken into discrete steps? (ideally numbered 1,2,3)
  • Is each step actionable?
  • Is all necessary information included to be successful? (Important information should be inline, not linked to.)


How to Fix

Test Cases

  • Is this section broken into discrete steps? (ideally numbered 1,2,3)
  • Is each step actionable?
  • Is all necessary information included to be successful? (Important information should be inline, not linked to.)


Problem Example

Test Cases

  • Does the example show what the problem looks like in the real world?
  • If there are multiple common problem instances are they all described?
  • If this is a design checklist item is the example illustrated with images and text?
  • If this is an implementation checklist item is the example in code?


Solution Example

Test Cases

  • Does the example show the resulting solution if the problem example is fixed?
  • If this is a design checklist item is the example illustrated with images and text?
  • If this is an implementation checklist item is the example in code?


Additional Resources

Test Cases

  • Are the links from trusted sites?
  • Are the links correct in context of the checklist?


Related Items

Test Cases

  • Are the correct items linked in context of the checklist?


Additional Tests to Consider When Writing a Checklist Item

Test Cases

  • Does the title read like a checklist item (noun, then state)? For example, "Fuel is full" or "Brakes are off".
  • Does the title use conditions where appropriate (if 'this', then 'that')?


Example

Generic Error Pages with Harmless Messages are Returned to the Client

Applies to

  • ASP.NET 1.1


What to Check For

Check to ensure that error messages to the client don't result in disclosure of sensitive application details such as:

  • Code structure
  • Database structure
  • Connection strings
  • Credentials


Why

Disclosing application details may give an attacker just the information he needs to succeed in exploiting a vulnerability in your application.


How to Check

  • Check to ensure that the mode attribute of the <customErrors> element is set to On, so that all callers receive filtered exception information.
  • Check to ensure that the <customErrors> section of the Web.config file has been set to specify a default error page to display.


How to Fix

To return a generic error page, configure the <customErrors> element as follows:

<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />


The error page should include a suitably generic error message, possibly with additional support details. The name of the page that generated the error is passed to the error page through the aspxerrorpath query parameter.


You can also use multiple error pages for different types of errors. For example:

<customErrors mode="On" defaultRedirect="YourErrorPage.htm">
  <error statusCode="404" redirect="YourNotFoundPage.htm"/>
  <error statusCode="500" redirect="YourInternalErrorPage.htm"/>
</customErrors>


For individual pages you can supply an error page using the following page-level attribute:


<%@ Page ErrorPage="YourErrorPage" %>
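As an added example that is not part of the original Guidance Share page, the following Python script automates the two "How to Check" steps above (mode set to On, and a default error page specified) and uses the "How to Fix" configuration as its compliant sample. The two Web.config fragments inside it are constructed for this example; the element path system.web/customErrors, the mode values On, Off and RemoteOnly, and the defaultRedirect and statusCode/redirect attributes are the real ASP.NET ones. The function name audit_custom_errors is this example's own.

```python
"""Audit the <customErrors> element of an ASP.NET Web.config.

Implements the two checks from the "How to Check" section:
  1. the mode attribute is "On", so every caller gets filtered errors
  2. a defaultRedirect page is specified
It also reports any per-status-code <error> redirects it finds.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak setting. mode="Off" sends the raw
# exception page (stack trace, source lines) to every client.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample: the corrected setting from the "How to Fix" section.
FIXED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="YourErrorPage.htm">
      <error statusCode="404" redirect="YourNotFoundPage.htm"/>
      <error statusCode="500" redirect="YourInternalErrorPage.htm"/>
    </customErrors>
  </system.web>
</configuration>
"""


def audit_custom_errors(config_xml: str) -> dict:
    """Return a findings dictionary for a Web.config given as a string.

    Keys:
      compliant    - True only when mode="On" and defaultRedirect is set
      mode         - the mode attribute value, or None if the element is absent
      default_page - the defaultRedirect value, or None
      status_pages - {statusCode: redirect} for each <error> child
      findings     - list of human-readable problems (empty when compliant)
    """
    root = ET.fromstring(config_xml)
    elem = root.find("./system.web/customErrors")
    findings = []

    if elem is None:
        # No element at all: neither check can pass, so report and stop.
        findings.append("<customErrors> element is missing from <system.web>")
        return {"compliant": False, "mode": None, "default_page": None,
                "status_pages": {}, "findings": findings}

    mode = elem.get("mode")
    default_page = elem.get("defaultRedirect")
    status_pages = {e.get("statusCode"): e.get("redirect")
                    for e in elem.findall("error")}

    # Check 1: mode must be exactly "On".
    if mode is None:
        findings.append("mode attribute is not set")
    elif mode == "Off":
        findings.append('mode="Off": detailed exception pages reach every client')
    elif mode == "RemoteOnly":
        findings.append('mode="RemoteOnly": local callers still receive detailed '
                        'exception pages; the checklist requires "On"')
    elif mode != "On":
        findings.append(f'unrecognised mode value "{mode}"')

    # Check 2: a generic default error page must be specified.
    if not default_page:
        findings.append("defaultRedirect is not set: no generic error page is specified")

    compliant = (mode == "On") and bool(default_page)
    return {"compliant": compliant, "mode": mode, "default_page": default_page,
            "status_pages": status_pages, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit_custom_errors(cfg)
        print(f"{label}: compliant={result['compliant']}")
        for line in result["findings"]:
            print(f"  - {line}")
        for code, page in result["status_pages"].items():
            print(f"  status {code} -> {page}")
```

Run against a real Web.config by reading the file into a string and passing it to audit_custom_errors; a RemoteOnly mode is reported as a finding rather than treated as compliant because the checklist item asks for filtered information for all callers, not only remote ones.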


Problem Example

An ASP.NET application has code to connect to a SQL database. However, the application does not have a generic error page specified. As a result, when the connection times out, application details are revealed to the client in the exception.


Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
Exception Details: System.Data.SqlClient.SqlException: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)
Source Error: 
Line 216:
Line 217: if (conn.State != ConnectionState.Open)
Line 218: conn.Open();
Line 219:
Line 220: cmd.Connection = conn;


Solution Example

An ASP.NET application has code to connect to a SQL database. Since it has set the mode attribute of the <customErrors> element to On, only generic error information is displayed when the SQL connection times out.


Additional Resources

Related Items

  • Guideline: Return Generic Error Messages to Client