ASVS

ASVS copied to clipboard

proposal/discussion: JWT - 3.5.6 rephrase it to describe the goal and/or split to different requirements based on different goals

10

spin-off from https://github.com/OWASP/ASVS/issues/1925 "proposal 4" From @TobiasAhnoff > 4 Verify that only access-tokens are used for authorization by the RS (not id-tokens or other kinds of tokens) Proposal from me:...

elarlang

proposal/discussion: OAuth - (for 1st party usage) only used (by the client) communication options must be allowed by authorization server

3

spin-off from https://github.com/OWASP/ASVS/issues/1916 "Discussion/Proposal 2" For a situation, where OAuth is used as a "first-party" authorization solution and the application needs one and only way how it communicates with the...

elarlang

proposal/discussion: OAuth - disallow web application to be OAuth public client (and to have direct communication with OAuth token endpoint)

6

spin-off from https://github.com/OWASP/ASVS/issues/1916 "Discussion/Proposal 1" The [summary](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-6.3.3.3) for browser based communication says: > To summarize, the architecture of a browser-based OAuth 2.0 client application is straightforward, but results in a...

elarlang

V51 OAuth: Consider adding more general OAuth verifications

7

There are of course many candidates, it is hard to summarize all relevant OAuth and OIDC specs in just a small set of verifications for [V51 OAuth](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x51-V51-OAuth2.md). Here are a...

TobiasAhnoff

proposal: new separate requirement - decode should be done only once and before processing input data

11

spin-off from https://github.com/OWASP/ASVS/issues/1484#issuecomment-1403257737 Requirement text needs validation and language/grammar check: Verify that decoding is done only once and as the first step e. g. decoding is not done after input...

elarlang

Italian Translation

1

Hi everyone, I'm translating the OWASP ASVS into Italian I don't think anyone has started the translation yet

ricsirigu

V51 OAuth: Consider narrowing or expanding the scope for the OAuth2 chapter

12

A suggestion is to define the scope for the [V51 OAuth](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x51-V51-OAuth2.md) chapter more clearly. Either to make it more general and include OIDC or be more specific, excluding OIDC and...

TobiasAhnoff

encoded sensitive data (such as JWT) should not be logged

5

access_token (also id_token) JWT may contain relatively sensitive information, such as person's full name, SSN, email, phone, address, etc. At the same time, those are sent via URL parameters -...

elarlang

update 5.3.1, #1589

1

This Pull Request relates to issue #1589

elarlang

Link checker is temperamental and apparently deprecated

13

The link checker seems to sometimes fail, even when it should not. For example: https://github.com/OWASP/ASVS/actions/runs/9854671316/job/27207915942 The link seems to work even through the link checker said it didn't. Also, it...

tghosth