docs: update OWASP TOP 10 items

Author: kenjis

user_guide_src/source/concepts/security.rst

@@ -19,101 +19,126 @@ the CodeIgniter provisions to address the problem.
     :local:
     :depth: 1
 
-************
-A1 Injection
-************
+******************************
+A01:2021 Broken Access Control
+******************************
 
-An injection is the inappropriate insertion of partial or complete data via
-the input data from the client to the application. Attack vectors include SQL,
-XML, ORM, code & buffer overflows.
+Insecure Direct Object References occur when an application provides direct
+access to objects based on user-supplied input. As a result of this vulnerability
+attackers can bypass authorization and access resources in the system directly,
+for example database records or files.
+
+Sensitive data must be protected when it is transmitted through the network.
+Such data can include user credentials and credit cards. As a rule of thumb,
+if data must be protected when it is stored, it must be protected also during
+transmission.
+
+CSRF is an attack that forces an end user to execute unwanted actions on a web
+application in which he/she is currently authenticated.
 
 OWASP recommendations
 =====================
 
-- Presentation: set correct content type, character set & locale
-- Submission: validate fields and provide feedback
-- Controller: sanitize input; positive input validation using correct character set
-- Model: parameterized queries
+- Presentation: don't expose internal data; use random reference maps
+- Controller: obtain data from trusted sources or random reference maps
+- Model: validate user roles before updating data
+
+- Presentation: ensure that non-web data is outside the web root; validate users and roles; send CSRF tokens
+- Controller: validate users and roles; validate CSRF tokens
+- Model: validate roles
+
+- Presentation: validate users and roles; send CSRF tokens
+- Controller: validate users and roles; validate CSRF tokens
+- Model: validate roles
 
 CodeIgniter provisions
 ======================
 
-- :ref:`urls-uri-security`
-- :ref:`invalidchars` filter
 - :doc:`../libraries/validation` library
-- :doc:`HTTP library <../incoming/incomingrequest>` provides for :ref:`input field filtering <incomingrequest-filtering-input-data>` & content metadata
+- An official authentication and authorization framework :ref:`CodeIgniter Shield <shield>`
+- Easy to add third party authentication
 
-*********************************************
-A2 Weak authentication and session management
-*********************************************
+- :ref:`Public <application-structure-public>` folder, with application and system outside
+- :doc:`Security </libraries/security>` library provides for :ref:`CSRF validation <cross-site-request-forgery>`
 
-Inadequate authentication or improper session management can lead to a user
-getting more privileges than they are entitled to.
+*******************************
+A02:2021 Cryptographic Failures
+*******************************
+
+Sensitive data must be protected when it is transmitted through the network.
+Such data can include user credentials and credit cards. As a rule of thumb,
+if data must be protected when it is stored, it must be protected also during
+transmission.
 
 OWASP recommendations
 =====================
 
-- Presentation: validate authentication & role; send CSRF token with forms
-- Design: only use built-in session management
-- Controller: validate user, role, CSRF token
-- Model: validate role
-- Tip: consider the use of a request governor
+- Presentation: use TLS1.2; use strong ciphers and hashes; do not send keys or hashes to browser
+- Controller: use strong ciphers and hashes
+- Model: mandate strong encrypted communications with servers
 
 CodeIgniter provisions
 ======================
 
-- :doc:`Session <../libraries/sessions>` library
-- :doc:`Security </libraries/security>` library provides for CSRF validation
-- An official authentication and authorization framework :ref:`CodeIgniter Shield <shield>`
-- Easy to add third party authentication
+- The config for global secure access (``Config\App::$forceGlobalSecureRequests``)
+- :php:func:`force_https()` function
+- :doc:`../libraries/encryption`
+- The :ref:`database config <database-config-explanation-of-values>` (``encrypt``)
+
+******************
+A03:2021 Injection
+******************
 
-*****************************
-A3 Cross Site Scripting (XSS)
-*****************************
+An injection is the inappropriate insertion of partial or complete data via
+the input data from the client to the application. Attack vectors include SQL,
+XML, ORM, code & buffer overflows.
 
 Insufficient input validation where one user can add content to a web site
 that can be malicious when viewed by other users to the web site.
 
 OWASP recommendations
 =====================
 
+- Presentation: set correct content type, character set & locale
+- Submission: validate fields and provide feedback
+- Controller: sanitize input; positive input validation using correct character set
+- Model: parameterized queries
+
 - Presentation: output encode all user data as per output context; set input constraints
 - Controller: positive input validation
 - Tips: only process trustworthy data; do not store data HTML encoded in DB
 
 CodeIgniter provisions
 ======================
 
+- :ref:`urls-uri-security`
+- :ref:`invalidchars` filter
+- :doc:`../libraries/validation` library
+- :doc:`HTTP library <../incoming/incomingrequest>` provides for :ref:`input field filtering <incomingrequest-filtering-input-data>` & content metadata
+
 - :php:func:`esc()` function
 - :doc:`../libraries/validation` library
 - Support for :ref:`content-security-policy`
 
-***********************************
-A4 Insecure Direct Object Reference
-***********************************
+************************
+A04:2021 Insecure Design
+************************
 
-Insecure Direct Object References occur when an application provides direct
-access to objects based on user-supplied input. As a result of this vulnerability
-attackers can bypass authorization and access resources in the system directly,
-for example database records or files.
+@TODO
 
 OWASP recommendations
 =====================
 
-- Presentation: don't expose internal data; use random reference maps
-- Controller: obtain data from trusted sources or random reference maps
-- Model: validate user roles before updating data
+- @TODO
 
 CodeIgniter provisions
 ======================
 
-- :doc:`../libraries/validation` library
-- An official authentication and authorization framework :ref:`CodeIgniter Shield <shield>`
-- Easy to add third party authentication
+- @TODO
 
-****************************
-A5 Security Misconfiguration
-****************************
+**********************************
+A05:2021 Security Misconfiguration
+**********************************
 
 Improper configuration of an application architecture can lead to mistakes
 that might compromise the security of the whole architecture.
@@ -130,104 +155,91 @@ CodeIgniter provisions
 
 - Sanity checks during bootstrap
 
-**************************
-A6 Sensitive Data Exposure
-**************************
+*******************************************
+A06:2021 Vulnerable and Outdated Components
+*******************************************
 
-Sensitive data must be protected when it is transmitted through the network.
-Such data can include user credentials and credit cards. As a rule of thumb,
-if data must be protected when it is stored, it must be protected also during
-transmission.
+Many applications have known vulnerabilities and known attack strategies that
+can be exploited in order to gain remote control or to exploit data.
 
 OWASP recommendations
 =====================
 
-- Presentation: use TLS1.2; use strong ciphers and hashes; do not send keys or hashes to browser
-- Controller: use strong ciphers and hashes
-- Model: mandate strong encrypted communications with servers
+- Don't use any of these
 
 CodeIgniter provisions
 ======================
 
-- The config for global secure access (``Config\App::$forceGlobalSecureRequests``)
-- :php:func:`force_https()` function
-- :doc:`../libraries/encryption`
-- The :ref:`database config <database-config-explanation-of-values>` (``encrypt``)
+- Third party libraries incorporated must be vetted
 
-****************************************
-A7 Missing Function Level Access Control
-****************************************
+***************************************************
+A07:2021 Identification and Authentication Failures
+***************************************************
 
-Sensitive data must be protected when it is transmitted through the network.
-Such data can include user credentials and credit cards. As a rule of thumb,
-if data must be protected when it is stored, it must be protected also during
-transmission.
+Inadequate authentication or improper session management can lead to a user
+getting more privileges than they are entitled to.
 
 OWASP recommendations
 =====================
 
-- Presentation: ensure that non-web data is outside the web root; validate users and roles; send CSRF tokens
-- Controller: validate users and roles; validate CSRF tokens
-- Model: validate roles
+- Presentation: validate authentication & role; send CSRF token with forms
+- Design: only use built-in session management
+- Controller: validate user, role, CSRF token
+- Model: validate role
+- Tip: consider the use of a request governor
 
 CodeIgniter provisions
 ======================
 
-- :ref:`Public <application-structure-public>` folder, with application and system outside
-- :doc:`Security </libraries/security>` library provides for :ref:`CSRF validation <cross-site-request-forgery>`
+- :doc:`Session <../libraries/sessions>` library
+- :doc:`Security </libraries/security>` library provides for CSRF validation
+- An official authentication and authorization framework :ref:`CodeIgniter Shield <shield>`
+- Easy to add third party authentication
 
-************************************
-A8 Cross Site Request Forgery (CSRF)
-************************************
+*********************************************
+A08:2021 Software and Data Integrity Failures
+*********************************************
 
-CSRF is an attack that forces an end user to execute unwanted actions on a web
-application in which he/she is currently authenticated.
+@TODO
 
 OWASP recommendations
 =====================
 
-- Presentation: validate users and roles; send CSRF tokens
-- Controller: validate users and roles; validate CSRF tokens
-- Model: validate roles
+- @TODO
 
 CodeIgniter provisions
 ======================
 
-- :doc:`Security </libraries/security>` library provides for :ref:`CSRF validation <cross-site-request-forgery>`
+- @TODO
 
-**********************************************
-A9 Using Components with Known Vulnerabilities
-**********************************************
+*************************************************
+A09:2021 Security Logging and Monitoring Failures
+*************************************************
 
-Many applications have known vulnerabilities and known attack strategies that
-can be exploited in order to gain remote control or to exploit data.
+@TODO
 
 OWASP recommendations
 =====================
 
-- Don't use any of these
+- @TODO
 
 CodeIgniter provisions
 ======================
 
-- Third party libraries incorporated must be vetted
+- @TODO
 
-**************************************
-A10 Unvalidated Redirects and Forwards
-**************************************
+*******************************************
+A10:2021 Server-Side Request Forgery (SSRF)
+*******************************************
 
-Faulty business logic or injected actionable code could redirect the user
-inappropriately.
+@TODO
 
 OWASP recommendations
 =====================
 
-- Presentation: don't use URL redirection; use random indirect references
-- Controller: don't use URL redirection; use random indirect references
-- Model: validate roles
+- @TODO
 
 CodeIgniter provisions
 ======================
 
-- :doc:`HTTP library <../incoming/incomingrequest>` provides for ...
-- :doc:`Session <../libraries/sessions>` library provides :ref:`sessions-flashdata`
+- @TODO