veza/ASVS_CHECKLIST_v0.12.6.md


# ASVS v4.0 Level 2 CHECKLIST — VEZA v0.12.6
> **Date**: 2026-03-11
> **Reference**: PENTEST_REPORT_VEZA_v0.12.6.md
> **Legend**: ✅ PASS | ❌ FAIL | ⚠️ PARTIAL | N/A | 🔍 NOT VERIFIABLE (requires a live environment)
---
## V1 — Architecture, Design and Threat Modeling
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V1.1.1 | Architecture documented | ✅ PASS | Hexagonal architecture documented in CLAUDE.md + AUDIT_TECHNIQUE | — |
| V1.1.2 | Threat model exists | ⚠️ PARTIAL | Threats identified in the audits, but no formal threat model (STRIDE/DREAD) | — |
| V1.1.3 | Security controls documented | ✅ PASS | Middleware chain, RBAC and auth flow documented | — |
| V1.2.1 | Layered architecture | ✅ PASS | Handler → Service → Repository, clear separation | — |
| V1.4.1 | Trusted service layer | ✅ PASS | Server-side validation, no trust placed in the client | — |
| V1.5.1 | Input validation centralized | ✅ PASS | Gin binding + validation tags + validation middleware | — |
| V1.6.1 | Cryptographic module | ✅ PASS | Centralized JWT service, standardized bcrypt | — |
| V1.7.1 | Error handling consistent | ✅ PASS | apierror package, error_handler middleware | — |
| V1.8.1 | Data protection classified | ⚠️ PARTIAL | PII identified, but no formal data classification | — |
| V1.11.1 | Business logic security | ⚠️ PARTIAL | Marketplace race condition identified | HIGH-001 |
---
## V2 — Authentication
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V2.1.1 | Password min 12 chars | ✅ PASS | Backend enforces ≥ 12 chars | — |
| V2.1.2 | Password max 128 chars | ✅ PASS | Validation via struct tags | — |
| V2.1.4 | Password strength meter | ⚠️ PARTIAL | Frontend accepts 8 chars (mismatch with backend) | LOW-001 |
| V2.1.7 | Breach password check | ⚠️ PARTIAL | Blocklist of 25 common words, no HaveIBeenPwned integration | — |
| V2.1.9 | No password composition rules | ✅ PASS | Strength enforced by length, no arbitrary composition rules | — |
| V2.2.1 | Anti-automation on auth | ✅ PASS | Rate limiting on /auth/login, lockout configured | — |
| V2.2.2 | Weak auth resistance | ✅ PASS | bcrypt cost 12, rate limiting | — |
| V2.2.3 | No user enumeration | ✅ PASS | Generic error messages, constant response timing | — |
| V2.3.1 | 2FA implementation | ✅ PASS | TOTP (RFC 6238), recovery codes | — |
| V2.4.1 | Bcrypt/Argon2 for passwords | ✅ PASS | bcrypt cost 12 | — |
| V2.5.1 | Password reset secure token | ✅ PASS | crypto/rand token, single-use, bounded TTL | — |
| V2.5.2 | Password reset no info leak | ✅ PASS | "If account exists, email sent" | — |
| V2.6.1 | Lookup secrets crypto random | ❌ FAIL | Recovery codes use math/rand | MEDIUM-001 |
| V2.7.1 | OTP time-based (TOTP) | ✅ PASS | TOTP via pquerna/otp | — |
| V2.8.1 | Session binding | ✅ PASS | Session bound to the user via token + DB | — |
| V2.9.1 | RSA keys ≥ 2048 bits | ✅ PASS | Code supports RSA 2048+, ParsePKCS1/PKCS8 | — |
| V2.10.1 | API key entropy | ✅ PASS | vza_ prefix + cryptographically random token | — |
---
## V3 — Session Management
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V3.1.1 | Session token not in URL | ✅ PASS | httpOnly cookie or Authorization header | — |
| V3.2.1 | Session bound to user | ✅ PASS | DB session with user_id, checked on every request | — |
| V3.2.2 | Session invalidated on logout | ✅ PASS | Token blacklist + session delete | — |
| V3.2.3 | Session timeout | ✅ PASS | Access token 5 min, refresh token 14d/30d | — |
| V3.3.1 | Session invalidated on password change | ✅ PASS | Token version incremented → all tokens invalidated | — |
| V3.3.2 | Logout invalidates server-side | ✅ PASS | Session deleted in DB + Redis token blacklist | — |
| V3.4.1 | Cookie secure attributes | ✅ PASS | `COOKIE_SECURE=true, COOKIE_SAME_SITE=strict, COOKIE_HTTP_ONLY=true` in prod | — |
| V3.4.2 | Cookie httpOnly | ✅ PASS | Configured via env var | — |
| V3.4.3 | Cookie secure flag | ✅ PASS | Configured via env var | — |
| V3.4.4 | Cookie SameSite | ✅ PASS | SameSite=Strict in production | — |
| V3.5.1 | Token-based session | ✅ PASS | JWT + DB session | — |
| V3.7.1 | Concurrent session limit | ✅ PASS | Session management page, logout-all, logout-others | — |
---
## V4 — Access Control
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V4.1.1 | Trusted enforcement point | ✅ PASS | Server-side middleware chain only | — |
| V4.1.2 | Access control on every request | ✅ PASS | AuthMiddleware + RBAC on all protected routes | — |
| V4.1.3 | Principle of least privilege | ✅ PASS | Granular roles (user, creator, premium, admin, moderator) | — |
| V4.2.1 | IDOR protection | ❌ FAIL | Chat rooms (GetRoom, GetRoomHistory) served without a membership check | CRIT-001 |
| V4.2.2 | Prevent privilege escalation | ✅ PASS | Role comes from the JWT → checked against the DB, not modifiable by the client | — |
| V4.3.1 | Admin function protection | ✅ PASS | RequireAdmin middleware on all /admin/ routes | — |
| V4.3.2 | Directory listing disabled | ✅ PASS | Pure REST API, no file serving except S3 signed URLs | — |
---
## V5 — Validation, Sanitization and Encoding
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V5.1.1 | Input validation on server | ✅ PASS | Gin binding + validation middleware | — |
| V5.1.2 | Framework auto-escaping | ✅ PASS | Go JSON encoding, React JSX auto-escape | — |
| V5.1.3 | Parameterized queries | ✅ PASS | GORM with prepared parameters everywhere in production | — |
| V5.2.1 | HTML sanitization | ✅ PASS | DOMPurify with a tag whitelist | — |
| V5.2.2 | Unstructured data sanitized | ✅ PASS | File names → UUID, descriptions → DOMPurify | — |
| V5.3.1 | Output encoding context-aware | ✅ PASS | Native Go JSON encoding, React auto-escape | — |
| V5.3.4 | SQL injection prevention | ✅ PASS | Parameterized GORM, raw SQL only in tests | — |
| V5.3.7 | OS command injection prevention | ✅ PASS | ValidateExecPath + exec.CommandContext | — |
| V5.3.8 | Path traversal prevention | ✅ PASS | UUIDs as file names, path validation | — |
| V5.5.1 | SSRF prevention | ✅ PASS | No fetching of user-supplied URLs | — |
---
## V6 — Stored Cryptography
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V6.1.1 | Regulated data protection | ⚠️ PARTIAL | Financial data handled via Hyperswitch, no PCI data stored on the VEZA side | — |
| V6.2.1 | Approved algorithms | ⚠️ PARTIAL | HS256 in prod instead of RS256 | HIGH-002 |
| V6.2.2 | Crypto key management | ⚠️ PARTIAL | Keys via env var, no KMS/Vault | — |
| V6.2.5 | Random values crypto/rand | ❌ FAIL | 2FA recovery codes use math/rand | MEDIUM-001 |
| V6.3.1 | Access to secret keys restricted | ✅ PASS | Env vars with `:?` required, not in code | — |
| V6.4.1 | No hardcoded secrets | ✅ PASS | Old secrets removed (VEZA-SEC-001 fixed) | — |
---
## V7 — Error Handling and Logging
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V7.1.1 | No sensitive data in errors | ✅ PASS | Standardized apierror format, no stack traces in prod | — |
| V7.1.2 | Error handling consistent | ✅ PASS | error_handler middleware + apierror package | — |
| V7.2.1 | Security events logged | ✅ PASS | Audit middleware, login failures, role changes | — |
| V7.2.2 | No sensitive data in logs | ✅ PASS | secret_filter.go filters secrets | — |
| V7.3.1 | Log injection prevention | ✅ PASS | Structured logging (zap) with typed fields | — |
| V7.4.1 | Log integrity | 🔍 NOT VERIFIABLE | Depends on the production log storage configuration | — |
---
## V8 — Data Protection
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V8.1.1 | PII identified | ✅ PASS | email, username, IP, payment data identified | — |
| V8.1.2 | Data classified | ⚠️ PARTIAL | No formal classification documented | — |
| V8.2.1 | Client-side caching controlled | ✅ PASS | Appropriate Cache-Control headers | — |
| V8.3.1 | Sensitive data not in URL | ✅ PASS | Tokens in cookies/headers, not in URL (except the stream token query param, 5 min TTL) | — |
| V8.3.4 | Data export GDPR | ✅ PASS | Asynchronous ZIP export, dedicated handler | — |
| V8.3.5 | Account deletion | ✅ PASS | Soft delete 30d → hard delete via worker | — |
---
## V9 — Communication
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V9.1.1 | TLS for all connections | 🔍 NOT VERIFIABLE | HAProxy config for TLS, sslmode=require in prod | — |
| V9.1.2 | TLS 1.2 minimum | 🔍 NOT VERIFIABLE | Depends on the production HAProxy config | — |
| V9.1.3 | HSTS configured | ✅ PASS | `max-age=31536000; includeSubDomains; preload` in production | — |
---
## V10 — Malicious Code
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V10.1.1 | No malicious code in source | ✅ PASS | Code audited, no backdoor identified | — |
| V10.2.1 | SCA dependency analysis | ✅ PASS | govulncheck, cargo audit, npm audit in CI | — |
| V10.2.2 | Lock files committed | ✅ PASS | go.sum, Cargo.lock, package-lock.json present | — |
| V10.3.1 | CI/CD secure | ⚠️ PARTIAL | Actions not pinned by SHA | MEDIUM-007 |
---
## V11 — Business Logic
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V11.1.1 | Business logic server-side | ✅ PASS | Prices, commissions, permissions: all enforced server-side | — |
| V11.1.2 | Sequential workflow steps | ✅ PASS | Checkout → payment → license, enforced sequentially | — |
| V11.1.3 | Rate limiting on business flows | ✅ PASS | Multi-layer rate limiting, upload 10/h | — |
| V11.1.5 | Anti-automation | ✅ PASS | Rate limiting, account lockout | — |
| V11.1.7 | Concurrency controls | ❌ FAIL | Race condition on downloads_left | HIGH-001 |
---
## V12 — Files and Resources
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V12.1.1 | File upload size limit | ✅ PASS | 500MB audio, 50MB chat PDF, limits enforced server-side | — |
| V12.1.2 | File type validation | ✅ PASS | Extension + MIME type validation | — |
| V12.1.3 | File content validation | ✅ PASS | ClamAV antivirus scan mandatory in production | — |
| V12.3.1 | File path traversal prevention | ✅ PASS | UUIDs as file names in S3 storage | — |
| V12.4.1 | Untrusted file isolated | ✅ PASS | Separate S3 storage, no direct file serving | — |
| V12.5.1 | SSRF via file upload | ✅ PASS | No URL fetching from uploaded content | — |
---
## V13 — API and Web Service
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V13.1.1 | Generic error messages | ✅ PASS | Uniform apierror format | — |
| V13.1.3 | API schema validation | ✅ PASS | Gin binding with struct tags | — |
| V13.2.1 | RESTful API secure | ✅ PASS | Auth + RBAC + validation on all endpoints | — |
| V13.2.2 | JSON schema validation | ✅ PASS | Go struct tag validation | — |
| V13.2.5 | Content-Type validated | ✅ PASS | Gin enforces Content-Type automatically | — |
| V13.3.1 | CORS correctly configured | ✅ PASS | Strict in production, explicit origin whitelist | — |
| V13.4.1 | GraphQL security | N/A | No GraphQL in the project | — |
---
## V14 — Configuration
| ASVS ID | Requirement | Result | Comment | Finding |
|---------|-------------|--------|---------|---------|
| V14.1.1 | Build process documented | ✅ PASS | Makefile, Dockerfile.production | — |
| V14.1.2 | Repeatable builds | ⚠️ PARTIAL | ClamAV :latest makes builds non-reproducible | MEDIUM-003 |
| V14.2.1 | Components up-to-date | ⚠️ PARTIAL | Hyperswitch outdated, dotenv obsolete | LOW-002, LOW-003 |
| V14.2.2 | No unnecessary features | ✅ PASS | Swagger disabled in prod, debug endpoints behind RequireAdmin | — |
| V14.3.1 | Secrets not in config files | ✅ PASS | Env vars with `:?` required | — |
| V14.3.2 | Secrets management | ⚠️ PARTIAL | Env vars only, no KMS/Vault | — |
| V14.4.1 | HTTP security headers | ✅ PASS | Full set configured | — |
---
## ASVS Summary
| Result | Count | % |
|--------|-------|---|
| ✅ PASS | 72 | 80% |
| ❌ FAIL | 3 | 3% |
| ⚠️ PARTIAL | 13 | 15% |
| 🔍 NOT VERIFIABLE | 3 | 3% |
| N/A | 1 | 1% |

**Mandatory FAILs**:
- V4.2.1: IDOR protection → **CRIT-001** (chat rooms without a membership check)
- V2.6.1: Recovery codes must use crypto/rand → **MEDIUM-001** (to fix)
- V11.1.7: Concurrency controls → **HIGH-001** (to fix)

**Conclusion**: ASVS Level 2 NOT achieved; 3 FAILs to fix, including 1 CRITICAL (IDOR).

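
The race condition behind HIGH-001 (V1.11.1 / V11.1.7) is the classic check-then-act pattern on a shared counter: the remaining quota is read, found positive, and then decremented as two separate steps, so two requests arriving together can both pass the check. The Go program below is an added illustration written for this checklist, not VEZA code: it models downloads_left in an in-memory store (the `License` and `LicenseStore` types, their field names and the `lic-demo` ID are assumptions), shows the racy read-then-decrement shape next to a version that makes the check and the decrement one atomic step, and fires 100 concurrent download attempts at a quota of 5 to confirm that exactly 5 are granted.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// License is a constructed stand-in for a purchased license with a download
// quota. Type and field names are assumptions for this example, not VEZA's model.
type License struct {
	ID            string
	DownloadsLeft int
}

// LicenseStore is an in-memory stand-in for the licenses table.
type LicenseStore struct {
	mu       sync.Mutex
	licenses map[string]*License
}

var (
	ErrNotFound       = errors.New("license not found")
	ErrQuotaExhausted = errors.New("no downloads left")
)

// NewLicenseStore seeds the store with the given licenses.
func NewLicenseStore(seed ...License) *LicenseStore {
	s := &LicenseStore{licenses: make(map[string]*License, len(seed))}
	for i := range seed {
		l := seed[i]
		s.licenses[l.ID] = &l
	}
	return s
}

// ConsumeDownloadRacy is the check-then-act shape behind a downloads_left race:
// the quota is read, then decremented, with nothing holding the two together.
// Two concurrent callers can both read 1 and both succeed. Kept for contrast only.
func (s *LicenseStore) ConsumeDownloadRacy(id string) error {
	lic, ok := s.licenses[id]
	if !ok {
		return ErrNotFound
	}
	if lic.DownloadsLeft <= 0 { // check
		return ErrQuotaExhausted
	}
	lic.DownloadsLeft-- // act: another caller may have decremented in between
	return nil
}

// ConsumeDownload holds the lock across the check and the decrement, so the
// pair is atomic. The SQL equivalent is one conditional statement, e.g.
//   UPDATE licenses SET downloads_left = downloads_left - 1
//   WHERE id = ? AND downloads_left > 0
// with "0 rows affected" meaning the quota was already exhausted.
func (s *LicenseStore) ConsumeDownload(id string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	lic, ok := s.licenses[id]
	if !ok {
		return ErrNotFound
	}
	if lic.DownloadsLeft <= 0 {
		return ErrQuotaExhausted
	}
	lic.DownloadsLeft--
	return nil
}

// DownloadsLeft reports the remaining quota for a license (0 if unknown).
func (s *LicenseStore) DownloadsLeft(id string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	if lic, ok := s.licenses[id]; ok {
		return lic.DownloadsLeft
	}
	return 0
}

// RunConcurrentDownloads releases n goroutines at once against one license
// and returns how many consume calls were granted. With the atomic variant
// this never exceeds the starting quota.
func RunConcurrentDownloads(consume func(string) error, id string, n int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	granted := 0
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // all goroutines start together to maximise contention
			if consume(id) == nil {
				mu.Lock()
				granted++
				mu.Unlock()
			}
		}()
	}
	close(start)
	wg.Wait()
	return granted
}

func main() {
	store := NewLicenseStore(License{ID: "lic-demo", DownloadsLeft: 5})
	granted := RunConcurrentDownloads(store.ConsumeDownload, "lic-demo", 100)
	fmt.Printf("atomic: granted=%d left=%d\n", granted, store.DownloadsLeft("lic-demo"))
}
```

In a GORM or raw SQL backend the same guarantee comes from the database rather than from a process-local mutex: either a single conditional `UPDATE ... WHERE downloads_left > 0` whose affected-row count decides success, or a `SELECT ... FOR UPDATE` of the license row inside the transaction that issues the download. A lock held only in one API replica does not protect a counter shared across several replicas, which is why the in-process lock above is a stand-in, not the fix itself.
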
---
*Checklist generated on 2026-03-11, ASVS v4.0 Level 2*
*Auditor: Claude Opus 4.6*