Should DLL Hijacking be a single item?

[JeffreyShran]

as suggested in #6 by @matreurai

Note : I've seen in TASVS-STORAGE a category specific to a specific vulnerability (DLL Hijacking). I think this should be modified as the testing standard is not made for specific vulnerabilities in my opinion. Additionally, these items are explaining a type of attack and do not provide any guidance to what to test or how to prevent/mitigate risks of such attacks. The equivalent in the Web Application Security Verification Standard would be to add an item as such:
"Cross-Site Scripting Category - Blind cross-site scripting (XSS) is a variant of stored XSS where the malicious payload is executed in a different context or application than where it was originally injected.".
I don't think this make sense in the context of a Verification Standard.

[matreurai]

I don't think an item should be created for "DLL Hijacking" specifically, but I do think various items could be addressing risks related to that type of attacks, including all variants. I believe items should reflect tests or checkup testers should go over in order to minimize the risks for a type of attack. As an example for DLL Hijacking:
Item 1 - Identify and look for DLLs loading from unexpected locations using Process Explorer with appropriate filters such as "NAME NOT FOUND" to reduce risks of DLL Hijacking.
Item 2 - Verify the use of fully qualified paths when loading DLLs to reduce risks of DLL Hijacking,
Item 3 - Verify the current working directory was removed from the DLL search path (SetDllDirectory("");) to reduce risks of DLL Hijacking.
Item 4 - Make sure safe process search mode is enabled (SetSearchPathMode(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT);) to reduce risks of DLL Hijacking
Item 5 - Thick client should digitally sign legitimate DLLs to reduce risks of DLL Hijacking
etc...

[JeffreyShran]

my only fear here is we are moving the standard to becoming more of a testing guide.

I would say that as a first step we should decide at a higher level if we want to itemize tests as you describe across the standard or do we want to leave that detail out (or maybe into the definition of a test item) and then re-align the whole document with that decision in mind.

What do you think @matreurai?