Iman
I still believe that we need to mention the Zip Slip attack, as many pentesters might not be aware of this method; maybe we can change 12.1.2 and add a note to...
@jmanico What do you think about this one?
Thank you for sharing your perspective. I concur with your viewpoint on this matter. While I acknowledge the evolving landscape of Single Sign-On (SSO) technologies, it's evident that SAML remains...
> Fair enough, let's do it. We can start with these: - XML Signature Wrapping (XSW) Attacks: This involves manipulating the SAML response to insert or wrap additional assertions or...
Let's start with three: - Verify and enforce the presence and integrity of digital signatures on SAML assertions, rejecting any assertions that are unsigned or have invalid signatures. - Verify...
I would suggest this check: _Verify that files obtained from untrusted sources are validated to be of expected type based on the file's content, using methods such as checking file...
If you opt for Option 3, it could become a very large category. Option 1 maintains a laser focus on client-side code but may miss the broader context that some...
@tghosth we can offer using SecureString in .NET or GuardedString in Java to achieve this goal. Also, if someone dumps the memory, they can use something like Volatility to fetch...
I understand your concern. The proposed check is intended for situations where the application deals with sensitive operations or transactions that carry significant business risk (some L3s). It is not...
I understand your point regarding the distinction between recommendations and requirements. However, I would like to draw your attention to some existing items in the ASVS that are not applicable...