From 2f6906ac2403567570f10807d5f73413798417f9 Mon Sep 17 00:00:00 2001 From: Elar Lang <47597707+elarlang@users.noreply.github.com> Date: Thu, 9 May 2024 23:19:53 +0300 Subject: [PATCH] Asvs label corrections 3 (#1955) * label correction for 13.1.1 + 5.5.5, #1538 * label correction for 11.1.7, 11.1.8 #1272 * label correction for 7.2.6 #1890, #1902 * label correction for 13.1.1 + 5.5.5, #1538 --------- Co-authored-by: Elar Lang --- 5.0/en/0x13-V5-Validation-Sanitization-Encoding.md | 2 +- 5.0/en/0x15-V7-Error-Logging.md | 2 +- 5.0/en/0x19-V11-BusLogic.md | 4 ++-- 5.0/en/0x21-V13-API.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md b/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md index f3b8c6a7e5..b221ed2bcd 100644 --- a/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md +++ b/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md 
@@ -99,7 +99,7 @@ The following requirements will only apply when the application uses a systems l | **5.5.2** | Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. | ✓ | ✓ | ✓ | 611 | | **5.5.3** | [MODIFIED, MERGED FROM 1.5.2] Verify that deserialization is not used when communicating with untrusted clients. If this is not possible, ensure that deserialization is performed safely, for example, by only allowing a allow-list of object types or not allowing the client to define the object type to deserialize to, in order to prevent deserialization attacks. | ✓ | ✓ | ✓ | 502 | | **5.5.4** | Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON. | ✓ | ✓ | ✓ | 95 | -| **5.5.5** | [ADDED, MERGED FROM 13.1.1] Verify that different parsers used in the application for the same data type (e.g. JSON parsers, XML parsers, URL parsers), perform parsing in a consistent way and use the same character encoding mechanism to avoid issues such as JSON Interoperability vulnerabilities or different URI or file parsing behavior being exploited in Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. | | ✓ | ✓ | 436 | +| **5.5.5** | [MODIFIED, MOVED FROM 13.1.1, LEVEL L1 > L2] Verify that different parsers used in the application for the same data type (e.g. JSON parsers, XML parsers, URL parsers), perform parsing in a consistent way and use the same character encoding mechanism to avoid issues such as JSON Interoperability vulnerabilities or different URI or file parsing behavior being exploited in Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. | | ✓ | ✓ | 436 | ## V5.6 Validation and Sanitization Architecture 
diff --git a/5.0/en/0x15-V7-Error-Logging.md b/5.0/en/0x15-V7-Error-Logging.md index 01f74ad1fa..98c9108b68 100644 --- a/5.0/en/0x15-V7-Error-Logging.md +++ b/5.0/en/0x15-V7-Error-Logging.md @@ -39,7 +39,7 @@ This section will briefly discuss the types of events to log but deliberately do | **7.2.3** | [MODIFIED, MOVED FROM 7.1.3] Verify that the application logs attempts to bypass the security controls defined in the design documentation such as input validation. | | ✓ | ✓ | 778 | | **7.2.4** | [MODIFIED, MOVED FROM 11.1.7] Verify that the application monitors for unusual events or activity from a business logic perspective. | | ✓ | ✓ | 754 | | **7.2.5** | [MODIFIED, MOVED FROM 11.1.8] Verify that the application has configurable alerting when unusual or malicious activity is detected. | | ✓ | ✓ | 390 | -| **7.2.6** | [MOVED FROM 9.2.5] Verify that the application logs security control failures such as backend TLS failures. | | | ✓ | 778 | +| **7.2.6** | [MODIFIED, MOVED FROM 9.2.5] Verify that the application logs security control failures such as backend TLS failures. | | | ✓ | 778 | | **7.2.7** | [ADDED] Verify that Content Security Policy violation reports are logged. | | | ✓ | | ## V7.3 Log Protection diff --git a/5.0/en/0x19-V11-BusLogic.md b/5.0/en/0x19-V11-BusLogic.md index 2abf401532..c2f681c654 100644 --- a/5.0/en/0x19-V11-BusLogic.md +++ b/5.0/en/0x19-V11-BusLogic.md 
@@ -20,8 +20,8 @@ Business logic security is so individual to every application that no one checkl | **11.1.4** | [MOVED TO 11.2.2] | | | | | | **11.1.5** | [MODIFIED] Verify that the application has globally defined business logic limits or validation to protect against likely business risks or threats, identified using threat modeling or similar methodologies. | ✓ | ✓ | ✓ | | | **11.1.6** | [MODIFIED] Verify that the application uses synchronization and locking mechanisms for sensitive operations in order to keep internal data consistent, maintain user state, and prevent race conditions, such as 'time of check to time of use (TOCTOU)' vulnerabilities. | | ✓ | ✓ | 367 | -| **11.1.7** | [DELETED, MOVED TO 7.2.4] | | | | | -| **11.1.8** | [DELETED, MOVED TO 7.2.5] | | | | | +| **11.1.7** | [MOVED TO 7.2.4] | | | | | +| **11.1.8** | [MOVED TO 7.2.5] | | | | | | **11.1.9** | [ADDED] Verify that "atomic transactions" are being used at the business logic level such that either a business logic operation succeeds in its entirety, or it is rolled back to the previous correct state. | | ✓ | ✓ | | ## V11.2 Anti-automation diff --git a/5.0/en/0x21-V13-API.md b/5.0/en/0x21-V13-API.md index 04646a340d..a8e5e650ee 100644 --- a/5.0/en/0x21-V13-API.md +++ b/5.0/en/0x21-V13-API.md @@ -10,7 +10,7 @@ Please read this chapter in combination with all other chapters at this same lev | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **13.1.1** | [DELETED, MERGED TO 5.5.5] | | | | | +| **13.1.1** | [MOVED TO 5.5.5] | | | | | | **13.1.2** | [DELETED, DUPLICATE OF 4.3.1] | | | | | | **13.1.3** | [DELETED, MERGED TO 8.3.1] | | | | | | **13.1.4** | [DELETED, DUPLICATE OF 4.2.1] | | | | |
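Review bot: on the 5.5.5 row in 0x13-V5-Validation-Sanitization-Encoding.md the MODIFIED tag is introduced while the requirement text is byte-identical to the removed line, so the diff alone cannot show how the wording departs from the original 13.1.1; the justification lives only in #1538 from the commit message, and the PR body should say what was reworded. The rest of the new label checks out: `LEVEL L1 > L2` agrees with the row's level columns (L1 blank, L2 and L3 ticked), and `MOVED FROM 13.1.1` matches the `[MOVED TO 5.5.5]` counterpart in 0x21-V13-API.md. While here, the unchanged 5.5.3 context line reads "by only allowing a allow-list of object types"; "an allow-list" is the fix, in a separate change if this PR is meant to stay label-only.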
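Review bot: the 7.2.6 row in 0x15-V7-Error-Logging.md gains a MODIFIED tag without any change to the requirement text in this hunk, so a reader of the diff cannot tell what differs from the original 9.2.5 wording; the reasoning is reachable only through #1890 and #1902 in the commit message and should be stated in the PR body. The label format itself is consistent with the adjacent 7.2.4 and 7.2.5 rows, which already use the `[MODIFIED, MOVED FROM ...]` form.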
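Review bot: dropping DELETED from the 11.1.7 and 11.1.8 rows in 0x19-V11-BusLogic.md leaves an asymmetry worth documenting: the destination rows 7.2.4 and 7.2.5 in 0x15-V7-Error-Logging.md read `[MODIFIED, MOVED FROM 11.1.7]` and `[MODIFIED, MOVED FROM 11.1.8]`, while the source side now says only `[MOVED TO 7.2.4]` / `[MOVED TO 7.2.5]`, so the convention appears to be that MODIFIED is recorded on the destination row only. That matches the unchanged 11.1.4 row's bare `[MOVED TO 11.2.2]` and is fine, but the labelling guidance should state it if it does not already. The correction itself is right, since a requirement that still exists under a new number is moved, not deleted.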
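Review bot: changing 13.1.1 in 0x21-V13-API.md from `[DELETED, MERGED TO 5.5.5]` to `[MOVED TO 5.5.5]` is consistent with the `MOVED FROM 13.1.1` label on the 5.5.5 row, but the neighbouring unchanged 13.1.3 row still reads `[DELETED, MERGED TO 8.3.1]`, so the hunk relies on a MOVED-versus-MERGED distinction (relocated with its text intact versus folded into another requirement) that the diff does not spell out. Please confirm 13.1.3 is intentionally left as MERGED, and consider adding one line to the PR body stating that distinction so future label corrections apply it the same way.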