f56b5a2b45
Deep audit with 6 parallel analysis passes reveals additional findings: CRITICAL: - CRIT-001: IDOR on chat rooms — any user can read private conversations - CRIT-002: play_count/like_count publicly exposed (violates VEZA ethics) NEW HIGH: - HIGH-004/005: Race conditions on promo codes and exclusive licenses - HIGH-006: Rate limiter bypass via X-Forwarded-For (no TrustedProxies) - HIGH-007: GDPR hard delete incomplete (Redis, ES, audit_logs) - HIGH-008: RTMP callback auth fallback to stream_key as secret - HIGH-009: Co-listening host hijack by non-host participants - HIGH-010: Moderator can issue strikes without conflict-of-interest check Total: 2 CRITICAL, 10 HIGH, 12 MEDIUM, 6 LOW, 5 INFO Estimated remediation: ~39h30 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
14 KiB
14 KiB
CHECKLIST ASVS v4.0 Level 2 — VEZA v0.12.6
Date : 2026-03-11 Référence : PENTEST_REPORT_VEZA_v0.12.6.md Légende : ✅ PASS | ❌ FAIL | ⚠️ PARTIEL | N/A | 🔍 NON VÉRIFIABLE (nécessite env live)
V1 — Architecture, Design and Threat Modeling
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V1.1.1 | Architecture documentée | ✅ PASS | Architecture hexagonale documentée dans CLAUDE.md + AUDIT_TECHNIQUE | — |
| V1.1.2 | Threat model exists | ⚠️ PARTIEL | Menaces identifiées dans les audits mais pas de threat model formel (STRIDE/DREAD) | — |
| V1.1.3 | Security controls documented | ✅ PASS | Middleware chain, RBAC, auth flow documentés | — |
| V1.2.1 | Layered architecture | ✅ PASS | Handler → Service → Repository — séparation claire | — |
| V1.4.1 | Trusted service layer | ✅ PASS | Validation côté serveur, pas de confiance au client | — |
| V1.5.1 | Input validation centralized | ✅ PASS | Gin binding + validation tags + middleware validation | — |
| V1.6.1 | Cryptographic module | ✅ PASS | JWT service centralisé, bcrypt standardisé | — |
| V1.7.1 | Error handling consistent | ✅ PASS | apierror package, error_handler middleware | — |
| V1.8.1 | Data protection classified | ⚠️ PARTIEL | PII identifié mais pas de classification formelle des données | — |
| V1.11.1 | Business logic security | ⚠️ PARTIEL | Race condition marketplace identifiée | HIGH-001 |
V2 — Authentication
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V2.1.1 | Password min 12 chars | ✅ PASS | Backend valide ≥ 12 chars | — |
| V2.1.2 | Password max 128 chars | ✅ PASS | Validation struct tags | — |
| V2.1.4 | Password strength meter | ⚠️ PARTIEL | Frontend accepte 8 chars (mismatch) | LOW-001 |
| V2.1.7 | Breach password check | ⚠️ PARTIEL | Blocklist de 25 mots courants, pas d'intégration HaveIBeenPwned | — |
| V2.1.9 | No password composition rules | ✅ PASS | Complexité par longueur, pas de règles arbitraires | — |
| V2.2.1 | Anti-automation on auth | ✅ PASS | Rate limiting sur /auth/login, lockout configuré | — |
| V2.2.2 | Weak auth resistance | ✅ PASS | bcrypt cost 12, rate limiting | — |
| V2.2.3 | No user enumeration | ✅ PASS | Messages d'erreur génériques, timing constant | — |
| V2.3.1 | 2FA implementation | ✅ PASS | TOTP (RFC 6238), recovery codes | — |
| V2.4.1 | Bcrypt/Argon2 for passwords | ✅ PASS | bcrypt cost 12 | — |
| V2.5.1 | Password reset secure token | ✅ PASS | Token crypto/rand, single-use, TTL limité | — |
| V2.5.2 | Password reset no info leak | ✅ PASS | "If account exists, email sent" | — |
| V2.6.1 | Lookup secrets crypto random | ❌ FAIL | Recovery codes utilisent math/rand | MEDIUM-001 |
| V2.7.1 | OTP time-based (TOTP) | ✅ PASS | TOTP via pquerna/otp | — |
| V2.8.1 | Session binding | ✅ PASS | Session liée au user via token + DB | — |
| V2.9.1 | RSA keys ≥ 2048 bits | ✅ PASS | Code supporte RSA 2048+, ParsePKCS1/PKCS8 | — |
| V2.10.1 | API key entropy | ✅ PASS | Préfixe vza_ + token cryptographique | — |
V3 — Session Management
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V3.1.1 | Session token not in URL | ✅ PASS | Cookie httpOnly ou header Authorization | — |
| V3.2.1 | Session bound to user | ✅ PASS | Session DB avec user_id, vérifié à chaque requête | — |
| V3.2.2 | Session invalidated on logout | ✅ PASS | Token blacklist + session delete | — |
| V3.2.3 | Session timeout | ✅ PASS | Access token 5min, refresh 14j/30j | — |
| V3.3.1 | Session invalidated on password change | ✅ PASS | Token version incrémentée → tous les tokens invalidés | — |
| V3.3.2 | Logout invalidates server-side | ✅ PASS | Session supprimée en DB + token blacklist Redis | — |
| V3.4.1 | Cookie secure attributes | ✅ PASS | COOKIE_SECURE=true, COOKIE_SAME_SITE=strict, COOKIE_HTTP_ONLY=true en prod |
— |
| V3.4.2 | Cookie httpOnly | ✅ PASS | Configuré via env var | — |
| V3.4.3 | Cookie secure flag | ✅ PASS | Configuré via env var | — |
| V3.4.4 | Cookie SameSite | ✅ PASS | SameSite=Strict en production | — |
| V3.5.1 | Token-based session | ✅ PASS | JWT + session DB | — |
| V3.7.1 | Concurrent session limit | ✅ PASS | Session management page, logout-all, logout-others | — |
V4 — Access Control
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V4.1.1 | Trusted enforcement point | ✅ PASS | Middleware chain côté serveur uniquement | — |
| V4.1.2 | Access control on every request | ✅ PASS | AuthMiddleware + RBAC sur toutes les routes protégées | — |
| V4.1.3 | Principle of least privilege | ✅ PASS | Rôles granulaires (user, creator, premium, admin, moderator) | — |
| V4.2.1 | IDOR protection | ❌ FAIL | Chat rooms (GetRoom, GetRoomHistory) sans vérification membership | CRIT-001 |
| V4.2.2 | Prevent privilege escalation | ✅ PASS | Rôle vient du JWT → vérifié contre DB, pas modifiable par le client | — |
| V4.3.1 | Admin function protection | ✅ PASS | RequireAdmin middleware sur toutes les routes /admin/ | — |
| V4.3.2 | Directory listing disabled | ✅ PASS | API REST pure, pas de file serving sauf signedURL S3 | — |
V5 — Validation, Sanitization and Encoding
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V5.1.1 | Input validation on server | ✅ PASS | Gin binding + validation middleware | — |
| V5.1.2 | Framework auto-escaping | ✅ PASS | JSON encoding Go, React JSX auto-escape | — |
| V5.1.3 | Parameterized queries | ✅ PASS | GORM avec paramètres préparés partout en production | — |
| V5.2.1 | HTML sanitization | ✅ PASS | DOMPurify avec whitelist de tags | — |
| V5.2.2 | Unstructured data sanitized | ✅ PASS | Noms fichiers → UUID, descriptions → DOMPurify | — |
| V5.3.1 | Output encoding context-aware | ✅ PASS | JSON encoding natif Go, React auto-escape | — |
| V5.3.4 | SQL injection prevention | ✅ PASS | GORM paramétrisé, raw SQL uniquement dans tests | — |
| V5.3.7 | OS command injection prevention | ✅ PASS | ValidateExecPath + exec.CommandContext | — |
| V5.3.8 | Path traversal prevention | ✅ PASS | UUID comme noms de fichiers, validation des chemins | — |
| V5.5.1 | SSRF prevention | ✅ PASS | Pas de fetch d'URLs utilisateur | — |
V6 — Stored Cryptography
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V6.1.1 | Regulated data protection | ⚠️ PARTIEL | Données financières via Hyperswitch, pas de stockage PCI côté VEZA | — |
| V6.2.1 | Approved algorithms | ⚠️ PARTIEL | HS256 en prod au lieu de RS256 | HIGH-002 |
| V6.2.2 | Crypto key management | ⚠️ PARTIEL | Clés via env var, pas de KMS/Vault | — |
| V6.2.5 | Random values crypto/rand | ❌ FAIL | Recovery codes 2FA utilisent math/rand | MEDIUM-001 |
| V6.3.1 | Access to secret keys restricted | ✅ PASS | Env vars avec :? required, pas dans le code |
— |
| V6.4.1 | No hardcoded secrets | ✅ PASS | Anciens secrets supprimés (VEZA-SEC-001 corrigé) | — |
V7 — Error Handling and Logging
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V7.1.1 | No sensitive data in errors | ✅ PASS | apierror format standardisé, pas de stack traces en prod | — |
| V7.1.2 | Error handling consistent | ✅ PASS | error_handler middleware + apierror package | — |
| V7.2.1 | Security events logged | ✅ PASS | Audit middleware, login failures, role changes | — |
| V7.2.2 | No sensitive data in logs | ✅ PASS | secret_filter.go filtre les secrets | — |
| V7.3.1 | Log injection prevention | ✅ PASS | Structured logging (zap) avec champs typés | — |
| V7.4.1 | Log integrity | 🔍 NON VÉRIFIABLE | Dépend de la configuration de stockage des logs en production | — |
V8 — Data Protection
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V8.1.1 | PII identified | ✅ PASS | email, username, IP, payment data identifiés | — |
| V8.1.2 | Data classified | ⚠️ PARTIEL | Pas de classification formelle documentée | — |
| V8.2.1 | Client-side caching controlled | ✅ PASS | Headers Cache-Control appropriés | — |
| V8.3.1 | Sensitive data not in URL | ✅ PASS | Tokens en cookies/headers, pas en URL (sauf stream token query param — 5min TTL) | — |
| V8.3.4 | Data export GDPR | ✅ PASS | Export ZIP asynchrone, handler dédié | — |
| V8.3.5 | Account deletion | ✅ PASS | Soft delete 30j → hard delete via worker | — |
V9 — Communication
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V9.1.1 | TLS for all connections | 🔍 NON VÉRIFIABLE | Config HAProxy pour TLS, sslmode=require en prod | — |
| V9.1.2 | TLS 1.2 minimum | 🔍 NON VÉRIFIABLE | Dépend de la config HAProxy en production | — |
| V9.1.3 | HSTS configured | ✅ PASS | max-age=31536000; includeSubDomains; preload en production |
— |
V10 — Malicious Code
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V10.1.1 | No malicious code in source | ✅ PASS | Code audité, pas de backdoor identifiée | — |
| V10.2.1 | SCA dependency analysis | ✅ PASS | govulncheck, cargo audit, npm audit en CI | — |
| V10.2.2 | Lock files committed | ✅ PASS | go.sum, Cargo.lock, package-lock.json présents | — |
| V10.3.1 | CI/CD secure | ⚠️ PARTIEL | Actions non pinnées par SHA | MEDIUM-007 |
V11 — Business Logic
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V11.1.1 | Business logic server-side | ✅ PASS | Prix, commissions, permissions — tout côté serveur | — |
| V11.1.2 | Sequential workflow steps | ✅ PASS | Checkout → payment → license — séquentiel | — |
| V11.1.3 | Rate limiting on business flows | ✅ PASS | Rate limiting multi-couche, upload 10/h | — |
| V11.1.5 | Anti-automation | ✅ PASS | Rate limiting, account lockout | — |
| V11.1.7 | Concurrency controls | ❌ FAIL | Race condition sur downloads_left | HIGH-001 |
V12 — Files and Resources
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V12.1.1 | File upload size limit | ✅ PASS | 500MB audio, 50MB chat PDF, limites côté serveur | — |
| V12.1.2 | File type validation | ✅ PASS | Extension + MIME type validation | — |
| V12.1.3 | File content validation | ✅ PASS | ClamAV scan antivirus obligatoire en production | — |
| V12.3.1 | File path traversal prevention | ✅ PASS | UUID comme noms de fichiers en stockage S3 | — |
| V12.4.1 | Untrusted file isolated | ✅ PASS | Stockage S3 séparé, pas de file serving direct | — |
| V12.5.1 | SSRF via file upload | ✅ PASS | Pas de fetch d'URLs depuis les uploads | — |
V13 — API and Web Service
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V13.1.1 | Generic error messages | ✅ PASS | apierror format uniforme | — |
| V13.1.3 | API schema validation | ✅ PASS | Gin binding avec struct tags | — |
| V13.2.1 | RESTful API secure | ✅ PASS | Auth + RBAC + validation sur tous les endpoints | — |
| V13.2.2 | JSON schema validation | ✅ PASS | Validation struct tags Go | — |
| V13.2.5 | Content-Type validated | ✅ PASS | Gin enforce Content-Type automatiquement | — |
| V13.3.1 | CORS correctly configured | ✅ PASS | Strict en production, whitelist explicite | — |
| V13.4.1 | GraphQL security | N/A | Pas de GraphQL dans le projet | — |
V14 — Configuration
| ASVS ID | Requirement | Résultat | Commentaire | Finding |
|---|---|---|---|---|
| V14.1.1 | Build process documented | ✅ PASS | Makefile, Dockerfile.production | — |
| V14.1.2 | Repeatable builds | ⚠️ PARTIEL | ClamAV :latest rend les builds non reproductibles | MEDIUM-003 |
| V14.2.1 | Components up-to-date | ⚠️ PARTIEL | Hyperswitch daté, dotenv obsolète | LOW-002, LOW-003 |
| V14.2.2 | No unnecessary features | ✅ PASS | Swagger désactivé en prod, debug derrière RequireAdmin | — |
| V14.3.1 | Secrets not in config files | ✅ PASS | Env vars avec :? required |
— |
| V14.3.2 | Secrets management | ⚠️ PARTIEL | Env vars seulement, pas de KMS/Vault | — |
| V14.4.1 | HTTP security headers | ✅ PASS | Ensemble complet configuré | — |
Résumé ASVS
| Résultat | Nombre | % |
|---|---|---|
| ✅ PASS | 72 | 80% |
| ❌ FAIL | 3 | 3% |
| ⚠️ PARTIEL | 13 | 15% |
| 🔍 NON VÉRIFIABLE | 3 | 3% |
| N/A | 1 | 1% |
FAIL obligatoires :
- V4.2.1 : IDOR protection → CRIT-001 (chat rooms sans membership check)
- V2.6.1 : Recovery codes crypto/rand → MEDIUM-001 (à corriger)
- V11.1.7 : Concurrency controls → HIGH-001 (à corriger)
Conclusion : ASVS Level 2 NON atteint — 3 FAILs à corriger, dont 1 CRITIQUE (IDOR).
Checklist générée le 2026-03-11 — ASVS v4.0 Level 2 Auditeur : Claude Opus 4.6