
2.5.4 split it up

Open · jmanico opened this issue 3 years ago • 1 comment

The process of verifying a shared password for admin accounts - and the process of verifying default admin accounts - is very different and henceforth we should break this up like the Beatles.

jmanico, Feb 02 '22 09:02

Just took a trip down memory lane to try and figure out why it was like that in the first place and why it has that NIST identifier.

Shared accounts seem to have been added to an existing requirement about spoofing here: https://github.com/OWASP/ASVS/commit/c0f9c295ea57ecfba848cfbdca850034825117f1

It seems to have become shared or default here: https://github.com/OWASP/ASVS/commit/6298456976626a1853f296f5c892f78c3b5379ec

I still don't know why it has that NIST reference.

CWE is very generic as well.

AND the section doesn't make sense to me anyway...

I actually think this is a good candidate for section V1 as it is a more pervasive thing across an application.

Currently we have:

2.5.4:

Verify shared or default accounts are not present (e.g. "root", "admin", or "sa").

I would propose adding the default aspect to 1.2:

1.2.5 [MOVED AND SPLIT FROM 2.5.4] Verify that default user accounts (e.g. "root", "admin", or "sa") are not present in the application or are disabled.

I am not actually sure if "shared accounts" should be included in the standard as it is not really related to how an application is built.

Thoughts?

tghosth, Jun 22 '22 16:06
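The proposed 1.2.5 wording ("not present in the application or are disabled") is easy to state and surprisingly easy to get wrong when verifying. As an added example, not ASVS text and not code from the ASVS project, here is a host-level check for it against Linux-style `/etc/passwd` and `/etc/shadow` content. The names beyond "root", "admin" and "sa" are an assumption, the sample records are constructed, and "disabled" is interpreted strictly: the password hash must be locked *and* the login shell must deny interactive access, because a locked password alone still leaves SSH keys and `sudo` as ways in.

```python
"""Audit a host for default accounts that are present and not disabled.

Added example for the proposed ASVS 1.2.5 wording; assumes passwd(5)/shadow(5)
formats. Run with no arguments to audit the constructed sample below.
"""

# Names ASVS cites as examples of default accounts, plus a few common ones
# (everything beyond "root", "admin" and "sa" is this example's assumption).
DEFAULT_ACCOUNT_NAMES = {"root", "admin", "administrator", "sa", "guest"}

# Login shells that deny interactive access (assumption: conventional paths).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample data: root is password-locked but keeps a shell, admin has
# a usable hash, sa is fully disabled, guest has an EMPTY password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Default Admin:/home/admin:/bin/bash
sa:x:1001:1001:Legacy DB Admin:/home/sa:/usr/sbin/nologin
guest:x:1002:1002:Guest:/home/guest:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
admin:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
sa:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$saltsalt$zyxwvutsrqponmlkjihgfedcba9876543210:19000:0:99999:7:::
"""


def parse_passwd(text):
    """Return {name: login_shell} from passwd(5)-style lines."""
    shells = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed record: skip rather than guess
        shells[fields[0]] = fields[6]
    return shells


def parse_shadow(text):
    """Return {name: password_field} from shadow(5)-style lines."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def audit_default_accounts(passwd_text, shadow_text, default_names=DEFAULT_ACCOUNT_NAMES):
    """Return sorted (name, reason) pairs for default accounts that are present
    and not disabled. An empty list means the requirement holds for this host."""
    shells = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, shell in shells.items():
        if name.lower() not in default_names:
            continue  # absence is the best outcome; nothing to report
        reasons = []
        pw = hashes.get(name)
        if pw is None:
            reasons.append("no shadow entry (cannot prove password is locked)")
        elif pw == "":
            # An empty field is not "no password set"; it is "no password required".
            reasons.append("empty password field (login without a password)")
        elif not (pw.startswith("!") or pw == "*"):
            reasons.append("usable password hash")
        if shell not in NOLOGIN_SHELLS:
            reasons.append(f"interactive shell {shell}")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in audit_default_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"FAIL {name}: {reason}")
```

On the sample, `sa` passes (locked hash and nologin shell) while `root`, `admin` and `guest` are each reported with a distinct reason; note that `root` fails only because of its shell, which is exactly the case a "password is locked, so it's disabled" reading would miss. To audit a real host, feed the function the contents of the two files (reading `/etc/shadow` needs root).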

> I am not actually sure if "shared accounts" should be included in the standard as it is not really related to how an application is built.

Hi guys, I totally agree with this. Maybe I misunderstand this requirement, but if I get it right, how are we supposed to prevent users from being able to create an account using a generic email address such as "[email protected]" or "[email protected]"?

flo-blg, Nov 10 '22 15:11

Another issue for the same requirement: https://github.com/OWASP/ASVS/issues/1395

elarlang, Nov 10 '22 15:11

@set-reminder 5 weeks look at this

tghosth, Dec 07 '22 15:12

Reminder Wednesday, January 11, 2023 12:00 AM (GMT+01:00)

look at this

octo-reminder[bot], Dec 07 '22 15:12

🔔 @tghosth

look at this

octo-reminder[bot], Jan 10 '23 23:01

Opened PR #1578

tghosth, Mar 21 '23 19:03

Re-open for level validation.

@tghosth - was the level change from Level 1 to Level 2 intended, or did it happen by mistake?

https://github.com/OWASP/ASVS/pull/1578/files/82e25bc952c25be950a5542d578dc529a83383be

elarlang, May 28 '23 09:05

I think this was a mistake made because originally I moved it to V1. I have restored it to L1 for now in #1645. Thanks @elarlang !

tghosth, Jun 01 '23 10:06