ASVS
Application Security Verification Standard
Usage of claims other than the subject and issuer identifier to uniquely identify an end user in OpenID Connect is non-compliant with the [framework](https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability). As per [a recent Microsoft report](https://msrc.microsoft.com/blog/2023/06/potential-risk-of-privilege-escalation-in-azure-ad-applications/),...
Suggest we augment 5.1.4 from: 5.1.4 | Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers,...
spin-off from https://github.com/OWASP/ASVS/issues/1739#issuecomment-1816882008 Problem to solve: if a user controls input that is sent to the server via request header (token) value, it must be validated or sanitized to not...
Can we please bump this to 8 so we are in line with other password size requirements? | # | Description | L1 | L2 | L3 | CWE |...
[5.3.1](https://appsecg.host/5.3) | Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL parameters, HTTP headers, SMTP,...
This requirement is in the sanitization section but sounds like input validation. The CWE also doesn't make sense to me. | # | Description | L1 | L2 | L3...
_(Ed note, original issue title was: **Prevention of Prompt Injection in Applications Using Large Language Models (LLM)**)_ The popularity of Large Language Models (LLM) like GPT variants from OpenAI has...
One of the most critical security issues that can exist in high-value sensitive systems (for example, banking systems) is the lack of dual authorization for sensitive operations or transactions. This...
In the docker build, a script called `install-unx.sh` fails intermittently. This should have some:

- better error messages
- retry or other resilience strategy
I've noticed that the current version of ASVS does not have an item covering the implementation of the Feature-Policy header (also known as Permissions-Policy in its latest iteration). This header...