ASVS
Are 5.2.6 and 12.6.1 effectively duplicates?
Does anyone have a compelling reason why these are not duplicates:
V5.2.6 | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports.
V12.6.1 | Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from.
V5.2.6 | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports.
- The context here is regarding SSRF only; there should be user input which is being handled by the application itself (functionality/code), and that functionality is required to be exposed to the public either internally or externally.
V12.6.1 | Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from.
- The context here is larger than SSRF itself, as here we are emphasizing not only securing the Web Server/Application but the Network/Location, i.e. Internal/External, DMZ/PROD, it is placed in and which systems it talks to (IP Addresses, Shared Drives, FTP Servers, Automation Scripts, Firewalls, Log Monitoring, ACLs, Unidirectional or Bi-Directional Network Communication etc.) under the hood, which is eventually not exposed to the end user/adversary using it.
- More towards Architecture Review.
So do we think 12.6.1 is more of a network level security control, i.e. make sure the web server is network segmented so that it can only access certain IPs and URLs?
That's what I am able to get from the statement.
I would like to keep them separately.
We can draw a parallel with the so-called XSS problem (requirements like 5.3.1 and 5.3.3) and Content-Security-Policy (14.4.3). The first ones are first-level defence, and the second one is second-level/layer defence.
The same here: 5.2.6 is first-level defence (avoid the problem). 12.6.1 is second-layer defence (make the impact smaller in case the first-level defence was not in place).
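To make the two layers concrete, here is an added example (not code from the ASVS project or from anyone in this thread). validate_outbound_url() models the application-level allow list of V5.2.6 (protocols, domains, ports, paths applied to user-supplied URL input); egress_allowed() models the server/network-level allow list of V12.6.1 (which resolved destinations the server process may reach at all). The allow lists, the fake DNS table and the sample URLs are constructed for the example, and the egress policy is modelled as an in-memory set where a real deployment would use an egress proxy or firewall.

```python
"""Two-layer SSRF defence: V5.2.6 (application input allow list) in front of
V12.6.1 (server egress allow list). All names, hosts and addresses below are
constructed for this example."""
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Layer 1 (V5.2.6): what the application accepts from user-supplied URL input.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # exact matches only, no suffix matching
ALLOWED_PORTS = {443}
ALLOWED_PATH_PREFIXES = ("/v1/", "/assets/")
DEFAULT_PORTS = {"https": 443}

# Layer 2 (V12.6.1): which (ip, port) destinations the server may reach at all.
# Deliberately narrower than layer 1: the CDN record has "moved" since the
# application allow list was written, so only the API address is still permitted.
EGRESS_ALLOW = {("203.0.113.10", 443)}

# Constructed DNS table so the example runs offline.
FAKE_DNS = {
    "api.example.com": "203.0.113.10",
    "cdn.example.com": "203.0.113.11",
    "evil.example.com": "198.51.100.7",
}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_outbound_url(raw: str) -> str:
    """Layer 1: return a normalised URL if every allow list is satisfied, else raise ValueError."""
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    # 'https://api.example.com@evil.example.com/' parses with hostname evil.example.com;
    # refuse any userinfo outright rather than reasoning about it.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in URL")
    host = parts.hostname  # already lower-cased, IPv6 brackets stripped
    if host is None:
        raise ValueError("missing host")
    if _is_ip_literal(host):
        raise ValueError("IP literals not allowed; use an allow-listed hostname")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    # Collapse '..' segments before the prefix check so '/v1/../admin' is seen as '/admin'.
    # Percent-encoded traversal is decoded by the destination, not here: that residual
    # risk is one reason the second layer exists.
    path = posixpath.normpath(parts.path or "/")
    if not any(path == p.rstrip("/") or path.startswith(p) for p in ALLOWED_PATH_PREFIXES):
        raise ValueError(f"path not allowed: {path!r}")
    url = f"{scheme}://{host}:{port}{path}"
    if parts.query:
        url += "?" + parts.query
    return url  # fragment is dropped; it never reaches the server anyway


def egress_allowed(host: str, port: int) -> bool:
    """Layer 2: resolve the host and check the (ip, port) pair against the egress allow list."""
    ip = FAKE_DNS.get(host)
    return ip is not None and (ip, port) in EGRESS_ALLOW


def fetch_decision(raw: str) -> str:
    """Run both layers and report which one (if any) stops the request."""
    try:
        url = validate_outbound_url(raw)
    except ValueError as exc:
        return f"blocked at layer 1 (V5.2.6): {exc}"
    parts = urlsplit(url)
    if not egress_allowed(parts.hostname, parts.port):
        return f"blocked at layer 2 (V12.6.1): {parts.hostname}:{parts.port} not in egress allow list"
    return f"allowed: {url}"


if __name__ == "__main__":
    for sample in (
        "https://api.example.com/v1/users?id=7",
        "http://api.example.com/v1/users",
        "https://api.example.com@evil.example.com/v1/",
        "https://127.0.0.1/v1/",
        "https://api.example.com:8443/v1/",
        "https://api.example.com/v1/../admin",
        "https://cdn.example.com/assets/logo.png",
    ):
        print(f"{sample:50} -> {fetch_decision(sample)}")
```

The last sample is the defence-in-depth case from the comment above: cdn.example.com passes every layer-1 check, but the server-level egress list no longer contains the address it resolves to, so the request is still stopped. The first layer avoids the problem in the application; the second limits the impact when the first is stale or bypassed.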
Agreed with @elarlang, as the second point is regarding Defense in Depth, providing a better and layered approach: recommendations to have security in place at different levels!
So this makes 12.6.1 a network level configuration. Do we think this is still in scope? I think this should be moved to either V14 or V1.14 and I am open to suggestions. I also wonder if it is possible to add some more context to 12.6.1 to make the purpose clearer. Does someone want to open a PR?
From the current category structure I can understand your wish to move it to V1.14, but I would say that most of the requirements from this category (V1) should be moved away, as those are implementation requirements, not documentation and architecture decision requirements (most likely target for #1063).
We can move the current V12.6 subcategory to V14, we can move the requirement (temporarily) to V1.14, and/or we can create a "Configuration hardening" subcategory in V14 and move this requirement there.
Opened #1343
Note CWE change.