ASVS
Application Security Verification Standard
The following linked need to be recategorized 2.3.4 | [ADDED] System administrators should not be able to change or choose any user's password, but rather only be able to initiate...
Started to re-investigate issue #1790, then checked the section "V3.5 Token-based Session Management" and reached the conclusion that the entire section should be just cleaned up. At the moment...
Spin-off from #1311 We have 3 Content-Security-Policy related topics to discuss: * discussion 1 - default level-1 requirement to say, that browsers should only communicate with and load content from...
URL Safety
This is a spinoff from #1589 with a focus on URLs. My first question is, are we aiming this requirement at the dynamic generation of URLs or at the processor...
The table below shows how this requirement has evolved since it was added: |Point in time| # | Description | L1 | L2 | L3 | CWE | [NIST §](https://pages.nist.gov/800-63-3/sp800-63b.html)...
4.2.1 alludes to horizontal access control but we should decide whether we want to be more specific about access control types, e.g. Making sure that the user has permission to...
spin-off from https://github.com/OWASP/ASVS/issues/1916 "Discussion/Proposal 3" Probably I was the first one to say that `redirect_uri` validation is a duplicate of general open-redirect but now I think it's important to have...
@elarlang and team I'll begin with a few proposals of my own here to start the discussion about them (more to come). I'll try not to duplicate the ones already...
spin-off from https://github.com/OWASP/ASVS/issues/1916 "Discussion/Proposal 4" There is a clear trend of overengineering using OAuth. One of them is using OAuth only for providing authentication. In this case, directly OIDC should...
spin-off from https://github.com/OWASP/ASVS/issues/1925 "proposal 7", from @TobiasAhnoff > 7 Verify that refresh tokens expire according to threat model and business requirements Proposal from Elar: The refresh_token topic requires more attention. But...