
#521 Avoid naming controls using sensitive information keywords

open
nobody
rules (229)
5
2012-10-07
2009-02-17
No

Control names/ids appearing in pages presented to the user should not be named with business keywords
like SSN, AccountId, password, userId, etc. This can lead a hacker to understand what kind of values the control
holds.
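The check the ticket describes, written out as a small scanner rather than a PMD XPath expression, so that it can be run against a page directly. This is an added example, not code from the ticket or from the PMD project: it walks HTML form controls with Python's standard html.parser, upper-cases each name/id attribute and reports any value containing one of a caller-supplied keyword list (the same case-insensitive substring test as the XPath in the discussion, and parameterized per the suggestion there that the list should come from the user). The default keyword list, the set of tags treated as form controls and the sample page are all constructed for this example; plain HTML is assumed, JSP scriptlets and expressions are not interpreted.

```python
"""Flag form controls whose name/id attribute contains a sensitive keyword.

Added example for this ticket; not PMD's rule and not the submitter's code.
"""
from html.parser import HTMLParser

# Hypothetical defaults; a real project supplies its own list (the ticket's
# examples are used here).
DEFAULT_KEYWORDS = ("ssn", "accountid", "password", "userid")

# Tags that render as user-facing controls (assumed set for this example).
FORM_CONTROL_TAGS = {"input", "select", "textarea", "button"}

# Only the attributes the ticket is about: the control's name and id.
CHECKED_ATTRS = ("name", "id")


class SensitiveControlNameScanner(HTMLParser):
    """Collects (line, tag, attribute, value, keyword) for each match."""

    def __init__(self, keywords=DEFAULT_KEYWORDS):
        super().__init__()
        # Upper-case once so the comparison is case-insensitive, like
        # contains(upper-case(@Image), "SSN") in the XPath version.
        self.keywords = tuple(k.upper() for k in keywords)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values keep their case.
        if tag not in FORM_CONTROL_TAGS:
            return
        line, _col = self.getpos()  # 1-based line of the opening tag
        for attr, value in attrs:
            if attr not in CHECKED_ATTRS or value is None:
                continue
            upper = value.upper()
            for kw in self.keywords:
                if kw in upper:
                    self.findings.append((line, tag, attr, value, kw))
                    break  # one finding per attribute is enough


def scan(html, keywords=DEFAULT_KEYWORDS):
    """Return the findings for one page as a list of tuples."""
    scanner = SensitiveControlNameScanner(keywords)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; line numbers in findings refer to this string.
SAMPLE_PAGE = """<form action="/update" method="post">
  <input type="text" name="userId" id="user-id-field" />
  <input type="text" name="ssn" />
  <input type="password" name="pwd" id="loginPassword" />
  <select name="country"></select>
  <textarea name="comments"></textarea>
</form>"""


if __name__ == "__main__":
    for line, tag, attr, value, kw in scan(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}=\"{value}\"> contains keyword {kw}")
```

On the sample page this reports the `name="userId"` and `name="ssn"` inputs and the `id="loginPassword"` input; `id="user-id-field"` is not flagged because the substring test does not see `USERID` through the hyphens, and `name="pwd"` is not flagged at all, which is the kind of case a project-specific keyword list has to cover. A hit is a prompt for review, not a vulnerability in itself: a descriptive control name tells an attacker what a field holds, but it is server-side validation and authorization that decides what they can do with it.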

Discussion

  • Ryan Gustafson

    Ryan Gustafson - 2009-02-17

    This rule is too specific, containing random business specific hard-coded values.

    Further, after generalizing, the rule boils down to:

    //AttributeValue[contains(string:upper-case(@Image), "YOUR_MAGIC_STRING_HERE")]

    Perhaps "AvoidMagicStringsInAttributeValuesRules", in which the user customizes the Rule to specify their list of magic strings.

    I'm hesitant however, as the Rule is so simple, and requires customization to even use. One can just as easily write the Rule directly.

  • Nadhamuni Kothapalle

    Yeah, that's correct. Parameterizing this rule is an overhead; maybe this can be used as needed by the application. This rule is supposed to be modified according to the application and business domain it's run in. I am not sure whether it's a good concept to go for a modification and use it.

  • Ryan Gustafson

    Ryan Gustafson - 2009-03-06

    As is this will not be accepted. If you wish to generalize it per my suggestions, I might reconsider.
