
Commit
Asvs label corrections 3 (#1955)
* label correction for 13.1.1 + 5.5.5, #1538

* label correction for 11.1.7, 11.1.8 #1272

* label correction for 7.2.6 #1890, #1902

* label correction for 13.1.1 + 5.5.5, #1538

---------

Co-authored-by: Elar Lang <elar@hoh.ee>
elarlang and Elar Lang authored May 9, 2024
1 parent 705ecc1 commit 2f6906a
Showing 4 changed files with 5 additions and 5 deletions.
2 changes: 1 addition & 1 deletion 5.0/en/0x13-V5-Validation-Sanitization-Encoding.md
Expand Up @@ -99,7 +99,7 @@ The following requirements will only apply when the application uses a systems l
| **5.5.2** | Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. |||| 611 |
| **5.5.3** | [MODIFIED, MERGED FROM 1.5.2] Verify that deserialization is not used when communicating with untrusted clients. If this is not possible, ensure that deserialization is performed safely, for example, by only allowing a allow-list of object types or not allowing the client to define the object type to deserialize to, in order to prevent deserialization attacks. |||| 502 |
| **5.5.4** | Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON. |||| 95 |
| **5.5.5** | [ADDED, MERGED FROM 13.1.1] Verify that different parsers used in the application for the same data type (e.g. JSON parsers, XML parsers, URL parsers), perform parsing in a consistent way and use the same character encoding mechanism to avoid issues such as JSON Interoperability vulnerabilities or different URI or file parsing behavior being exploited in Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. | ||| 436 |
| **5.5.5** | [MODIFIED, MOVED FROM 13.1.1, LEVEL L1 > L2] Verify that different parsers used in the application for the same data type (e.g. JSON parsers, XML parsers, URL parsers), perform parsing in a consistent way and use the same character encoding mechanism to avoid issues such as JSON Interoperability vulnerabilities or different URI or file parsing behavior being exploited in Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. | ||| 436 |

## V5.6 Validation and Sanitization Architecture

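Review bot: The new tag on 5.5.5 announces `LEVEL L1 > L2`, but the level columns in that row are empty both before and after the change (`| ||| 436 |`), so the table itself does not record the L2 placement the tag claims. Either mark the L2 and L3 cells to match, or keep the level annotation out of the tag until the level columns are populated, so the tag and the columns cannot drift apart. Unrelated to this change but visible in the same context: 5.5.3 reads "a allow-list", which should be "an allow-list" whenever that row is next touched.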
2 changes: 1 addition & 1 deletion 5.0/en/0x15-V7-Error-Logging.md
Expand Up @@ -39,7 +39,7 @@ This section will briefly discuss the types of events to log but deliberately do
| **7.2.3** | [MODIFIED, MOVED FROM 7.1.3] Verify that the application logs attempts to bypass the security controls defined in the design documentation such as input validation. | ||| 778 |
| **7.2.4** | [MODIFIED, MOVED FROM 11.1.7] Verify that the application monitors for unusual events or activity from a business logic perspective. | ||| 754 |
| **7.2.5** | [MODIFIED, MOVED FROM 11.1.8] Verify that the application has configurable alerting when unusual or malicious activity is detected. | ||| 390 |
| **7.2.6** | [MOVED FROM 9.2.5] Verify that the application logs security control failures such as backend TLS failures. | | || 778 |
| **7.2.6** | [MODIFIED, MOVED FROM 9.2.5] Verify that the application logs security control failures such as backend TLS failures. | | || 778 |
| **7.2.7** | [ADDED] Verify that Content Security Policy violation reports are logged. | | || |

## V7.3 Log Protection
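Review bot: Adding `MODIFIED` to the 7.2.6 tag is not backed by any wording change in this hunk; the description is identical before and after, so the modification must be relative to the original 9.2.5 text in an earlier commit. That is acceptable, but it cannot be confirmed from this diff, and the commit message only cites #1890 and #1902 without saying what changed. Also a layout nit: 7.2.6 and 7.2.7 use `| | ||` for the level cells while 7.2.3 to 7.2.5 use `| |||`; the rendering is the same, but normalising the spacing keeps the column alignment obvious in the source. 7.2.7 also still has an empty CWE cell.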
4 changes: 2 additions & 2 deletions 5.0/en/0x19-V11-BusLogic.md
Expand Up @@ -20,8 +20,8 @@ Business logic security is so individual to every application that no one checkl
| **11.1.4** | [MOVED TO 11.2.2] | | | | |
| **11.1.5** | [MODIFIED] Verify that the application has globally defined business logic limits or validation to protect against likely business risks or threats, identified using threat modeling or similar methodologies. |||| |
| **11.1.6** | [MODIFIED] Verify that the application uses synchronization and locking mechanisms for sensitive operations in order to keep internal data consistent, maintain user state, and prevent race conditions, such as 'time of check to time of use (TOCTOU)' vulnerabilities. | ||| 367 |
| **11.1.7** | [DELETED, MOVED TO 7.2.4] | | | | |
| **11.1.8** | [DELETED, MOVED TO 7.2.5] | | | | |
| **11.1.7** | [MOVED TO 7.2.4] | | | | |
| **11.1.8** | [MOVED TO 7.2.5] | | | | |
| **11.1.9** | [ADDED] Verify that "atomic transactions" are being used at the business logic level such that either a business logic operation succeeds in its entirety, or it is rolled back to the previous correct state. | ||| |

## V11.2 Anti-automation
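Review bot: Dropping `DELETED` from the 11.1.7 and 11.1.8 tags is consistent with the `[MOVED TO 11.2.2]` form already used by 11.1.4 in this table and with the `[MODIFIED, MOVED FROM 11.1.7]` / `[MODIFIED, MOVED FROM 11.1.8]` counterparts in V7.2.4 and V7.2.5, so nothing further is needed for this change. While in this table: 11.1.5 and 11.1.9 carry no CWE, unlike 11.1.6 (367), which may be worth a follow-up.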
2 changes: 1 addition & 1 deletion 5.0/en/0x21-V13-API.md
Expand Up @@ -10,7 +10,7 @@ Please read this chapter in combination with all other chapters at this same lev

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **13.1.1** | [DELETED, MERGED TO 5.5.5] | | | | |
| **13.1.1** | [MOVED TO 5.5.5] | | | | |
| **13.1.2** | [DELETED, DUPLICATE OF 4.3.1] | | | | |
| **13.1.3** | [DELETED, MERGED TO 8.3.1] | | | | |
| **13.1.4** | [DELETED, DUPLICATE OF 4.2.1] | | | | |
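Review bot: `[MOVED TO 5.5.5]` now matches the `MOVED FROM 13.1.1` side in V5.5.5, which is the point of the fix, but this table keeps `[DELETED, MERGED TO 8.3.1]` on 13.1.3, so the file now uses both forms. If the distinction is deliberate (moved meaning the requirement survives as its own entry, merged meaning it was absorbed into an existing one), it is worth confirming that 13.1.3 was really absorbed into 8.3.1 rather than moved; otherwise it should get the same tag form for consistency.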
