senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/docs/ASVS_CHECKLIST_v0.12.6.md
senke bc472ead41 feat(v0.12.6): pentest security audit — 3 deliverables 
- PENTEST_REPORT_VEZA_v0.12.6.md: 14 findings (0 CRIT, 2 HIGH, 5 MEDIUM, 4 LOW, 3 INFO), 18 PASS controls
- REMEDIATION_MATRIX_v0.12.6.md: prioritized remediation actions (P1: 4h, P2: 5h, P3: 5.5h)
- ASVS_CHECKLIST_v0.12.6.md: OWASP ASVS Level 2 — 92/101 (91.1%) conformity

Methodology: SAST + manual code review, OWASP Top 10 2021, API Security Top 10 2023

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 16:44:38 +01:00

244 lines
12 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# OWASP ASVS Level 2 Checklist — VEZA v0.12.6
**Date** : 2026-03-13
**Standard** : OWASP Application Security Verification Standard v4.0.3, Level 2
**Scope** : VEZA monorepo (Go backend, Rust stream server, React frontend)
---
## Légende
- ✅ PASS — Contrôle vérifié et conforme
- ⚠️ PARTIAL — Contrôle partiellement implémenté (finding associé)
- ❌ FAIL — Contrôle non conforme (finding associé)
- N/A — Non applicable
---
## V1 — Architecture, Design and Threat Modeling
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V1.1.1 | Application uses a single vetted security architecture | ✅ PASS | Architecture hexagonale, middlewares auth centralisés |
| V1.1.2 | Security controls are applied centrally | ✅ PASS | Auth middleware, rate limit middleware, CORS config centralisée |
| V1.1.3 | Sensitive data is identified and protected | ✅ PASS | `json:"-"` sur passwords, tokens, secrets MFA |
| V1.1.4 | All application components are defined | ✅ PASS | ORIGIN_MASTER_ARCHITECTURE.md documente tous les composants |
| V1.1.5 | High-value business logic flows defined | ✅ PASS | ORIGIN_BUSINESS_LOGIC.md + payment flow tests |
| V1.1.6 | Threat model exists | ⚠️ PARTIAL | ORIGIN_SECURITY_FRAMEWORK.md existe mais pas de threat model formel |
---
## V2 — Authentication
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V2.1.1 | Password min length ≥ 8 | ✅ PASS | Validation de complexité dans password_service.go |
| V2.1.2 | Password max length ≥ 64 | ✅ PASS | Max 72 bytes (bcrypt limit) enforced |
| V2.1.3 | No password truncation | ✅ PASS | Validation explicite de la longueur avant hachage |
| V2.1.4 | Passwords are stored using approved hashing | ⚠️ PARTIAL | bcrypt utilisé mais cost incohérent (10 vs 12) — **MEDIUM-001** |
| V2.1.5 | Password change requires old password | ✅ PASS | `ChangePassword()` vérifie l'ancien mot de passe |
| V2.1.6 | Password breach checking | ✅ PASS | Password history (5 derniers) vérifié |
| V2.2.1 | Anti-automation controls on auth | ✅ PASS | Rate limiting sur login/register |
| V2.2.2 | Weak authenticator resistance | ✅ PASS | Brute-force protection via rate limiting |
| V2.2.3 | Credential recovery resists abuse | ✅ PASS | Password reset tokens limités, expirent |
| V2.3.1 | Session tokens are generated using approved CSPRNG | ✅ PASS | crypto/rand utilisé (19 fichiers) |
| V2.4.1 | MFA available | ✅ PASS | TOTP MFA + recovery codes implémentés |
| V2.5.1 | Tokens not sent as query parameters | ✅ PASS | JWT via cookies HttpOnly |
| V2.5.2 | Token integrity is checked | ✅ PASS | JWT RS256 signature verification |
| V2.5.3 | Stateless tokens include expiry | ✅ PASS | JWT `exp` claim enforced |
| V2.5.4 | JWT algorithm whitelisting | ✅ PASS | RS256 primary, HS256 dev-only fallback |
| V2.7.1 | Passwords are hashed with salt | ✅ PASS | bcrypt inclut le salt automatiquement |
| V2.8.1 | Session management for auth tokens | ✅ PASS | Session service avec revocation, token rotation |
| V2.9.1 | WebAuthn support | ✅ PASS | WebAuthn credentials stored securely (`json:"-"`) |
---
## V3 — Session Management
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V3.1.1 | Application never reveals session tokens in URL | ✅ PASS | Cookies HttpOnly uniquement |
| V3.2.1 | Logout invalidates session | ✅ PASS | Token blacklist + session deletion |
| V3.2.2 | Logout invalidates all sessions option | ✅ PASS | "Revoke all sessions" available |
| V3.2.3 | Session timeout after inactivity | ✅ PASS | Token expiration configured |
| V3.3.1 | Session token is changed after login | ✅ PASS | New JWT issued on each login |
| V3.4.1 | Cookie-based tokens have Secure flag | ✅ PASS | Auto-secure in production (cors.go:12-18) |
| V3.4.2 | Cookie-based tokens have HttpOnly flag | ✅ PASS | `CookieHttpOnly: true` |
| V3.4.3 | Cookie-based tokens have SameSite attribute | ⚠️ PARTIAL | SameSite=Lax (Strict préférable) — **LOW-001** |
| V3.4.4 | Cookie-based tokens use __Host- prefix | N/A | Non requis pour Level 2 |
| V3.5.1 | Tokens are validated on every request | ✅ PASS | Auth middleware validates JWT on protected routes |
| V3.7.1 | Admin can revoke user sessions | ✅ PASS | Admin session management available |
---
## V4 — Access Control
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V4.1.1 | Principle of least privilege | ✅ PASS | Role-based access (user, creator, moderator, admin) |
| V4.1.2 | Access control applied server-side | ✅ PASS | All auth checks in Go middleware/handlers |
| V4.1.3 | Deny by default | ✅ PASS | Protected routes require explicit auth middleware |
| V4.2.1 | Sensitive data access restricted | ⚠️ PARTIAL | followers_count public — **HIGH-002** |
| V4.2.2 | User can only access own data | ✅ PASS | GDPR export/delete checks user ownership |
| V4.3.1 | Admin functions protected | ✅ PASS | `RequireRole("admin")` middleware |
| V4.3.2 | Users cannot access unauthorized admin APIs | ✅ PASS | Role check in middleware before handler |
---
## V5 — Validation, Sanitization and Encoding
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V5.1.1 | HTTP parameter pollution defense | ✅ PASS | Gin framework handles this natively |
| V5.1.2 | Input validation on all inputs | ✅ PASS | Struct binding with validation tags |
| V5.1.3 | Output encoding for context | ✅ PASS | React auto-escapes, Go JSON marshaling |
| V5.2.1 | Untrusted HTML sanitized | ✅ PASS | No user HTML rendering |
| V5.3.1 | SQL injection prevention | ✅ PASS | Parameterized queries everywhere |
| V5.3.2 | OS command injection prevention | ✅ PASS | No exec.Command with user input |
| V5.3.3 | LDAP injection prevention | N/A | No LDAP used |
| V5.3.4 | XSS prevention | ✅ PASS | React JSX auto-escaping, CSP header |
| V5.3.7 | SSRF prevention | ✅ PASS | No user-controlled URL fetching in backend |
| V5.5.1 | Serialization attacks prevented | ✅ PASS | No deserialization of untrusted data |
---
## V6 — Stored Cryptography
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V6.1.1 | Regulated data encrypted at rest | ✅ PASS | Passwords bcrypt-hashed, tokens hashed |
| V6.2.1 | Approved cryptographic algorithms | ✅ PASS | bcrypt, RS256, HMAC-SHA512, crypto/rand |
| V6.2.2 | Industry-proven crypto libraries | ✅ PASS | Go stdlib crypto, `golang.org/x/crypto` |
| V6.2.3 | Random values from CSPRNG | ✅ PASS | `crypto/rand` exclusively (not math/rand) |
| V6.2.4 | Key rotation supported | ✅ PASS | JWT key rotation documented |
| V6.3.1 | Secrets not in source code | ✅ PASS | `.env.production` uses `${VAR}` templates, gitleaks CI scan |
| V6.4.1 | Key management procedures | ✅ PASS | JWT RSA keys loaded from env/files |
---
## V7 — Error Handling and Logging
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V7.1.1 | Generic error messages to users | ✅ PASS | apierror package with structured errors, no stack traces |
| V7.1.2 | Security-sensitive errors logged | ✅ PASS | Structured JSON logging with zap |
| V7.1.3 | No sensitive data in error responses | ✅ PASS | Error context sanitized |
| V7.2.1 | All auth decisions logged | ✅ PASS | Login success/failure, session revocation logged |
| V7.2.2 | All access control failures logged | ✅ PASS | 401/403 responses logged |
| V7.3.1 | Logs protected from injection | ✅ PASS | Structured logging (zap) prevents log injection |
| V7.4.1 | Sensitive data not logged | ✅ PASS | Passwords, tokens not in log fields |
---
## V8 — Data Protection
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V8.1.1 | PII identified and classified | ✅ PASS | PRIVACY_POLICY.md §2 lists all data |
| V8.1.2 | Sensitive data in transit encrypted | ✅ PASS | HTTPS/TLS enforced, HSTS header |
| V8.2.1 | Sensitive data not in URL | ✅ PASS | Auth via cookies, not URL params |
| V8.2.2 | HTTP caching headers on sensitive data | ✅ PASS | Cache-Control set on auth responses |
| V8.3.1 | Sensitive data removable on request | ✅ PASS | GDPR deletion endpoint functional |
| V8.3.2 | Data export available | ✅ PASS | GDPR export endpoint (JSON, 48h) |
| V8.3.4 | Data retention policy defined | ✅ PASS | PRIVACY_POLICY.md §7 — retention table |
---
## V9 — Communication
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V9.1.1 | TLS for all connections | ✅ PASS | HTTPS enforced, HSTS |
| V9.1.2 | TLS 1.2+ only | ✅ PASS | Go net/http defaults to TLS 1.2+ |
| V9.1.3 | Strong cipher suites | ✅ PASS | Go stdlib uses modern ciphers |
| V9.2.1 | Webhook signature verification | ✅ PASS | HMAC-SHA512 with hmac.Equal() |
---
## V10 — Malicious Code
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V10.1.1 | No malicious code (backdoors, etc.) | ✅ PASS | No suspicious patterns found |
| V10.2.1 | No time bombs | ✅ PASS | No scheduled destructive operations |
| V10.3.1 | Source code review performed | ✅ PASS | This audit |
---
## V11 — Business Logic
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V11.1.1 | Business logic flow enforced server-side | ✅ PASS | Payment flow, payout flow verified |
| V11.1.2 | Business logic limits enforced | ✅ PASS | Rate limits, pagination limits |
| V11.1.3 | Anti-automation on business-critical functions | ✅ PASS | Rate limiting on payments, uploads |
| V11.1.4 | Ethical business logic verified | ⚠️ PARTIAL | Backend track metrics hidden, but API leaks followers/post likes — **HIGH-002, MEDIUM-004** |
---
## V12 — Files and Resources
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V12.1.1 | File upload size limits | ✅ PASS | Upload validation service with size limits |
| V12.1.2 | File type validation | ✅ PASS | `ValidateFile()` checks file types |
| V12.1.3 | File stored outside webroot | ✅ PASS | MinIO/S3 object storage |
| V12.3.1 | User-submitted filenames sanitized | ✅ PASS | UUID-based storage paths |
| V12.4.1 | No path traversal | ✅ PASS | No user input in file system paths |
---
## V13 — API and Web Service
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V13.1.1 | All API endpoints require auth or are explicitly public | ✅ PASS | Auth middleware on protected routes |
| V13.1.2 | API uses standard auth mechanisms | ✅ PASS | JWT bearer tokens |
| V13.1.3 | No unnecessary API exposure | ✅ PASS | Metrics endpoint protected |
| V13.2.1 | Rate limiting on all APIs | ⚠️ PARTIAL | Rate limit bypassable via IP spoofing — **HIGH-001** |
| V13.2.2 | API schema validation | ✅ PASS | Gin binding validation |
| V13.3.1 | Pagination implemented | ✅ PASS | Keyset pagination with limits |
| V13.4.1 | CORS properly configured | ⚠️ PARTIAL | HTTP origins in .env.production — **MEDIUM-003** |
---
## V14 — Configuration
| # | Contrôle | Statut | Notes |
|---|----------|--------|-------|
| V14.1.1 | Server configuration hardened | ✅ PASS | Security headers (HSTS, CSP, X-Frame-Options) |
| V14.2.1 | Dependency integrity | ⚠️ PARTIAL | GitHub Actions not all pinned by SHA — **MEDIUM-002** |
| V14.2.2 | No known vulnerabilities in dependencies | ✅ PASS | Trivy scans in CI, cargo audit, npm audit |
| V14.3.1 | Security headers set | ✅ PASS | HSTS, CSP, COEP, COOP |
| V14.4.1 | No default credentials | ✅ PASS | `.env.production` uses templates |
| V14.5.1 | HTTP security headers | ✅ PASS | X-Content-Type-Options, Referrer-Policy |
---
## Résumé ASVS
| Catégorie | Total | ✅ PASS | ⚠️ PARTIAL | ❌ FAIL | N/A |
|-----------|-------|---------|------------|--------|--------|
| V1 Architecture | 6 | 5 | 1 | 0 | 0 |
| V2 Authentication | 18 | 17 | 1 | 0 | 0 |
| V3 Session Mgmt | 11 | 10 | 1 | 0 | 0 |
| V4 Access Control | 7 | 6 | 1 | 0 | 0 |
| V5 Validation | 10 | 9 | 0 | 0 | 1 |
| V6 Cryptography | 7 | 7 | 0 | 0 | 0 |
| V7 Error Handling | 7 | 7 | 0 | 0 | 0 |
| V8 Data Protection | 7 | 7 | 0 | 0 | 0 |
| V9 Communication | 4 | 4 | 0 | 0 | 0 |
| V10 Malicious Code | 3 | 3 | 0 | 0 | 0 |
| V11 Business Logic | 4 | 3 | 1 | 0 | 0 |
| V12 Files | 5 | 5 | 0 | 0 | 0 |
| V13 API | 6 | 4 | 2 | 0 | 0 |
| V14 Configuration | 6 | 5 | 1 | 0 | 0 |
| **Total** | **101** | **92** | **9** | **0** | **1** |
**Taux de conformité ASVS Level 2** : **92/101 (91.1%)**
Les 9 contrôles partiels sont tous associés à des findings documentés dans le rapport de pentest avec des remédiations concrètes.
---
*Checklist ASVS générée le 2026-03-13 — VEZA v0.12.6*
Reference in a new issue View git blame Copy permalink