
V14.3 Verbiage Paragraph is odd

Open weasel0x00 opened this issue 3 years ago • 2 comments

I've always thought the wording for the paragraph in section V14.3 doesn't read very well. Might I propose the following language instead?

Configurations for production should be hardened to protect against common attacks. Disabling debug consoles helps to prevent known Cross-site Scripting (XSS) and Remote File Inclusion (RFI) attacks. It also helps to eliminate trivial information discovery "vulnerabilities" that are the unwelcome hallmark of many penetration testing reports. Many of these issues are rarely rated as a significant risk, but they can be chained together with other vulnerabilities, resulting in a higher risk value.

weasel0x00 — Dec 16 '22 15:12

Hi,

As we are changing requirements at the moment, the texts in the paragraphs are not being updated. This is something we need to recheck when the changes to requirements are more or less done and before releasing.

elarlang — Dec 19 '22 08:12

The V14.3 section now has the title "Unintended Information Leakage", and the point there should be that information which is not intended to be public, and which is outside of the application's access and authorization flow control, can be available to attackers (and search engines).

But in the big picture, we can open an issue for each section, or clean up the entire document of text and start collecting just "points to cover" there. From one leaders' meeting: we should use texts as short as possible.

elarlang — Oct 30 '23 15:10

We are going to massively reduce section text as @elarlang stated so I am politely closing this out. Please re-open if you think this was premature.

jmanico — Nov 07 '24 11:11