User:Tritter/Working/Web Security Severity Ratings: Difference between revisions

Revamp - remove unrelated content and add missing wsec- descriptions
Line 11: Line 11:
The following items are keywords for the severity of an issue.
The following items are keywords for the severity of an issue.


;'''sec-critical''': Really bad stuff.
;'''sec-critical''': Critical vulnerabilities are urgent security issues that present an ongoing or immediate danger to Firefox users. There is no difference technically between a sec-critical and a sec-high, the difference is purely related to risk to users.
{| class="wikitable collapsible " style="width: 100%"
{| class="wikitable collapsible " style="width: 100%"
! ''sec-critical Examples:''
! ''sec-critical Examples:''
|-
|-
|
|
* XSS (Stored)
* Remote Code Execution on a [https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/#critical-sites Critical] or [https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/#core-sites Core] site.
* CSRF
* Remoce Code Execution
* Authentication Flaws (which lead to account compromise)
* Authentication Flaws (which lead to account compromise)
* Session Management Flaws (which lead to account compromise)  
* Session Management Flaws (which lead to account compromise)  
* Cross-site Scripting (XSS) on a [https://www.mozilla.org/en-US/security/bug-bounty/web-eligible-sites/#critical-sites Critical Site]
|}
|}


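Review bot: the new sec-critical definition says the danger is to "Firefox users", but this page rates bugs in web properties, so the audience is users of Mozilla's websites and services; consider "Mozilla users" or "users of our web properties". The same sentence says the only difference from sec-high is "risk to users", while the examples that follow draw the line by site tier (Remote Code Execution or XSS on a Critical or Core site), so the definition should say that the site classification is what drives that risk judgement. Also fix the spelling of "Remoce Code Execution".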
Line 28: Line 27:
|-
|-
|
|
* Cross-site Scripting (XSS)
* XSS (Reflected)
* XSS (Reflected)
* CSRF
* Failure to use TLS where needed to ensure confidential/security  
* Failure to use TLS where needed to ensure confidential/security  
|}
|}
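Review bot: "Failure to use TLS where needed to ensure confidential/security" reads awkwardly; suggest "Failure to use TLS where it is needed to protect confidentiality or integrity". The plain "Cross-site Scripting (XSS)" entry in this list overlaps with the sec-critical entry "Cross-site Scripting (XSS) on a Critical Site" in the previous hunk, so this row should say which sites it covers (for example "XSS on a non-Critical site") to make the two lists disjoint.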
Line 53: Line 52:
|}
|}


==Additional Status Codes, Whiteboard Tracking Tags & Flags==
==Additional Whiteboard Tracking Tags & Flags==


=== Alternate Keywords ===
=== wsectype- Keywords ===


Often none of the above severity ratings apply to a bug, because it is not a vulnerability but nonetheless is security sensitive and needs to be kept private. These keywords apply to those.
wsectype- keywords are assigned to bugs to indicate the type of a vulnerability. These should be assigned to every vulnerability.


{| class="wikitable collapsible" style="width: 100%"
{| style="width: 80%;" class="wikitable collapsible  fullwidth-table"
! Alternate Keywords & Examples
|-
|-
|
! style="width:30%" | Code
;'''sec-other''': sec-other is a bit of a catch-all bucket used for bugs that are not exploitable security issues but need to be kept confidential to protect sensitive information.
! style="width:70%"| Description
{| class="wikitable collapsible " style="width: 100%"
! ''sec-other Examples:''
|-
|-
|
|wsec-applogic || Issues relating to the application logic
* XXX
|}
|}
 
A historical keyword is <b>sec-incident</b>, which is no longer used. <b>sec-want, sec-audit,</b> and <b>sec-vector</b> are not used for Web client bugs.
 
=== wsectype- Keywords ===
 
csectype- keywords are assigned to bugs to indicate the type of a vulnerability. Ideally these would be assigned to every vulnerability, but frequently they are not. While we request that only the security team assign <u>sec-high</u> and similar ratings, if you feel you can identify the type of a security bug <b><u>we encourage you to classify it yourself.</u></b>
 
{| style="width: 800px;" class="wikitable collapsible  fullwidth-table"
|-
|-
! style="width:5%" | Code
|wsec-appmisconfig || Application misconfiguration
! style="width:10%"| Description
|-
|-
|wsec-authentication || Website or server authentication security issues (lockouts, password policy, etc)
|wsec-authentication || Website or server authentication security issues (lockouts, password policy, etc)
|-
|-
|wsec-authorization || web/server authorization security issues
|wsec-authorization || Web/server authorization security issues
|-
|wsec-automation-attack || Application is vulnerable to automation attacks
|-
|wsec-bruteforce || Application is vulnerable to bruteforce attacks
|-
|wsec-client || Web client side related vulnerability
|-
|-
|wsec-cookie || Cookie related errors (HTTPOnly / Secure Flag, incorrect domain / path)
|wsec-cookie || Cookie related errors (HTTPOnly / Secure Flag, incorrect domain / path)
Line 94: Line 84:
|-
|-
|wsec-csrf || Cross-Site Request Forgery (CSRF) bugs in server products
|wsec-csrf || Cross-Site Request Forgery (CSRF) bugs in server products
|-
|wsec-deplib || Known vulnerability in a dependant library
|-
|wsec-dir-index || Directory index incorrectly accessible
|-
|-
|wsec-disclosure || Disclosure of sensitive data, personal information, etc from a web service
|wsec-disclosure || Disclosure of sensitive data, personal information, etc from a web service
|-
|-
|wsec-dos || Used to denote web server Denial of Service bugs. For similar bugs in client software please use csectype-dos instead.
|wsec-dos || Used to denote web server Denial of Service bugs. For similar bugs in client software please use csectype-dos instead.
|-
|wsec-email || Email related vulnerability
|-
|-
|wsec-errorhandling || Any error handling issue
|wsec-errorhandling || Any error handling issue
|-
|wsec-fileinclusion || Local or remote file inclusion possible
|-
|wsec-headers || Missing or misconfigured security headers
|-
|wsec-http || Application is incorrectly accessible over http
|-
|wsec-http-header-inject || Application vulnerable to header injection attacks
|-
|-
|wsec-impersonation || Impersonation / Spoofing attacks (UI Redress, etc)
|wsec-impersonation || Impersonation / Spoofing attacks (UI Redress, etc)
Line 109: Line 113:
|wsec-logging || Logging issues such as requests for CEF log points.
|wsec-logging || Logging issues such as requests for CEF log points.
|-
|-
|wsec-other || web/server security issues that don't fit into other categories
|wsec-nullbyte || Application is vulnerable to null byte injection
|-
|-
|wsec-session || Issues related to sesson management (Session fixation, etc)
|wsec-objref || Insecure direct object references used
|-
|-
|wsec-sqli || SQL Injection
|wsec-oscmd || Application is vulnerable to Operating System command injection
|-
|-
|wsec-ssrf || Server Side Request Forgery (SSRF) bugs in server products. CWE-918
|wsec-other || Web/server security issues that don't fit into other categories
|-
|-
|wsec-xss || Cross-Site Scripting (XSS) bugs in server products
|wsec-overflow || Application is vulnerable to overflow attacks
|-
|-
|}
|wsec-redirect || Open redirect vulnerability
 
=== opsectype- Keywords ===
 
opsectype- keywords are assigned to bugs relating to Operations Security (Mozilla owned & operated severs and services)
 
{| style="width: 800px;" class="wikitable collapsible  fullwidth-table"
|-
|-
! style="width:5%" | Code
|wsec-selfxss || Self cross site scripting
! style="width:10%"| Description
|-
|-
| opsec-access
|wsec-serialization || Insecure deserialization
| The identified issue is an access violation.
|-
|-
|}
|wsec-servermisconfig || Server misconfiguration
 
=== Whiteboard Tags ===
 
{| style="width: 800px;" class="wikitable collapsible  fullwidth-table"
! Whiteboard Tags
|-
|-
! style="width:5%" | Code
|wsec-session || Issues related to sesson management (Session fixation, etc)
! style="width:10%"| Description
! style="width:5%" | Examples
|-
|-
|<strike><b>sec-assigned:UserAlias</b></strike> <b>depricated for sec-review? flag with alias</b>
|wsec-sqli || SQL Injection
|This designates the assigned security resource that is accountable for actions to be taken on the designated item. When possible the bug will be assigned to the security contact for action. This will be used when that is not possible or practical.
|sec-review?:curtisk@blah.bah indicates that curtisk is the accountable party for action
|-
|-
|<b>[Q2]</b>
|wsec-ssrf || Server Side Request Forgery (SSRF) bugs in server products. CWE-918
|This designates a bug as being identified as a request to be done or targeted for a given operational quarter. If no year is given it is for the current year.
|[Q2] indicates second quarter of the current calendar year, [Q1-2013] would be used to indicate a target for an upcoming quarter that has not occurred.
|-
|-
|<b>[k90]</b>
|wsec-takeover || Domain vulnerable to takeover
|This designates a bug as being part of the Kilimanjaro effort so that it can be tracked, triaged and given appropriate priority and attention.
|
|-
|-
|<b>[basecamp]</b>
|wsec-tls || TLS related issues
|This designates a bug as being part of the basecamp sub effort of the Kilimanjaro effort.
|
|-  
|<b>[fennec]</b>
|This designates a bug as being a critical bug for the efforts around our mobile browser project. This could be combined with either the [k9o] or [basecamp] tags as a bug could be part of both.
|
|-
|-
|<b>[triage needed]</b>
|wsec-traversal || Directory traversal possible
|Used to mark a bug for weekly triage meeting.
|
|-
|-
|<strike><b>[pending secreview]</b></strike> deprecated
|wsec-weakpasswd || Weak passwords can be used
| Indicates a secreview or tasks related to said review are yet to be completed.
|
|-
|-
|<b>[start mm/dd/yyyy][target mm/dd/yyyy]</b>
|wsec-xml || XML related vulnerability including XML External Entity (XXE) processing
|This indicates that expected dates to start and complete work on a given review or security bug.
|[start 01/29/2013][target 02/09/2013] indicates work will start on 29-Jan and expected target for completion on 09-Feb
|-
|-
|<strike><b>[completed secreview]</b></strike> deprecated
|wsec-xss || Cross-Site Scripting (XSS) bugs in server products
| Indicates the given secreview or related tasks have been completed
|
|-
|<b>mentorship</b>
| Indicates that a given bug is part of our security mentorship program. The assignee of said bug is the Mozilla mentor for such a bug.
|
|-
|<strike><b>[score:##]</b></strike> deprecated
|This indicates the relative severity score for risk rating bugs per the calculator at https://people.mozilla.com/~ckoenig/
|[score:30:moderate] shows that the issue has a numerical score of 30 and a severity of moderate.
|-
|<b>[Web]</b>
|Indicates an item related to our Web properties
|
|-
|<b>u= c= p=</b>
|These items are used to allow bugs to be tracked by scrumbu.gs for work tracking ([http://scrumbu.gs/help/ more info]).
|
|-
|<b>s=</b>
|This tag is used in conjunction with the scrumbu.gs tags above to indicate which sprint a given bug has been assigned.
|s=13q4.1 indicates the bug is in the year 2013, 4th quarter and sprint 1. Each sprint is 2 weeks long and it's calendar dates can be tracked on scrumbu.gs
|-
|}
 
=== Feature Page Codes ===
 
{| style="width: 800px;" class="wikitable collapsible  fullwidth-table"
! Feature Page Codes
|-
! style="width:5%" | Code
! style="width:10%"| Description
! style="width:5%" | Examples
|-
|<b>sec-review-needed</b>
|A security review is needed for the feature, this could mean a variety of things. If there is no <username> in the notes then a full review needs to be scheduled, if a <username> is present than that person will follow-up with the feature team on whatever task is needed.
|
|-
|<b>sec-review-complete</b>
|The security review / actions desired have been completed. This will result in a link to the notes from security actions or a note from the assigned resource.
|
|-
|<b>sec-review-active</b>
| There are active tasks associated with the review that are yet to be completed in order for the review to be seen as completed. These will be captured in the "Action Items" section of the review notes.
|
|-
|<b>sec-review-sched</b>
| Security review tasks have been scheduled, if this is a full security review the date of the scheduled review will be present in the security notes.
|
|-
|<b>sec-review-unnecessary</b>
| After triage it was felt the feature needed no review or security actions.
|
|-
| <b>Security health: <blank></b>
| There are no notes or status is unknown.
| Color: <None>
|-
| <b>Security health: OK</b>
| The tasks are on schedule or completed and are considered non-blocking.
| {{StatusHealthy|status=Color: Green}}
|-
| <b>Security health: Blocked</b>
| Some aspect of the security review has given cause to block the feature from further work or landing. The reasons will be listed in the security notes or linked to a larger review outcome for follow-up.
| {{StatusBlocked|status=Color: Yellow}}
|-
| <b>Security health: At Risk</b>
| Some aspect of the security review may cause the feature to be blocked or put the feature at risk of being off schedule.The reasons will be listed in the security notes or linked to a larger review outcome for follow-up.
| {{StatusAtRisk|status=Color: Red}}
|-
| <b>Security health: Assigned</b>
| Security tasks have been assigned to a member of the team to followup. The name of this resource will be in the security notes.
| {{StatusAssigned|status=Color: Teal}}
|-
|-
|}
|}
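Review bot: the section heading reads "wsectype- Keywords" but every code in the table uses the prefix "wsec-" (wsec-applogic, wsec-authentication, ...); rename the heading and the intro sentence to match the actual prefix. Smaller points in the same table: "sesson management" in the wsec-session row should be "session management", "dependant library" in the wsec-deplib row should be "dependent library", and the wsec-dos row sends client-side Denial of Service bugs to csectype-dos while wsec-client is defined as "Web client side related vulnerability", so the two rows should state where the boundary between web-client and product-client bugs lies. wsec-bruteforce and wsec-automation-attack also overlap as written; a word on when to use one rather than the other would help triagers.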
Line 255: Line 153:
=== Flags ===
=== Flags ===


{| style="width: 800px;" class="wikitable collapsible  fullwidth-table"
{| style="width: 80%;" class="wikitable collapsible  fullwidth-table"
! Flags
! Flags
|-
|-
! style="width:5%" | Flag  
! style="width:15%" | Flag  
! style="width:10%"| Description
! style="width:25%"| Description
! style="width:5%" | Settings
! style="width:60%" | Settings
|-
|-
| sec-review
| sec-review
Line 267: Line 165:
{|class="wikitable fullwidth-table"
{|class="wikitable fullwidth-table"
|-
|-
! style="width:5%" | Setting  
! style="width:10%" | Setting  
! style="width:10%"| Description
! style="width:90%"| Description
|-
|-
|'?'|| Request for the security team to review the requested bug for action
|'?'|| Request for the security team to review the requested bug for action
Line 283: Line 181:
{|class="wikitable fullwidth-table"
{|class="wikitable fullwidth-table"
|-
|-
! style="width:5%" | Setting  
! style="width:10%" | Setting  
! style="width:10%"| Description
! style="width:90%"| Description
|-
|-
|'?'|| Bug is nominated for review by the bounty committee
|'?'|| Bug is nominated for review by the bounty committee
Line 299: Line 197:
{|class="wikitable fullwidth-table"
{|class="wikitable fullwidth-table"
|-
|-
! style="width:5%" | Setting  
! style="width:10%" | Setting  
! style="width:10%"| Description
! style="width:90%"| Description
|-
|-
|'?'|| Bug is nominated for review by the bounty committee
|'?'|| Bug is nominated for review by the bounty committee
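Review bot: the '?' setting in this table carries exactly the same description as the '?' setting in the preceding table ("Bug is nominated for review by the bounty committee"). If these two tables describe settings of two different flags, each description should name the flag it belongs to; if not, one of the tables is a copy-paste duplicate and should be removed.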