Sjoerd Langkemper

204 comments by Sjoerd Langkemper

> Like I said, if it is related to messing with DNS, it's out of ASVS scope. Can you elaborate on this? I don't understand why this would be the...

In my scenario, the attacker owns attacker.com, so they can just configure the DNS in the normal way, any way they want.

Some applications allow loading any image by URL. [Example](https://www4.lunapic.com/editor/?action=flip):

![image](https://user-images.githubusercontent.com/113030/190593493-f89461fb-98b0-4de6-b9c8-7cf87a38624a.png)

In this case, the server loads a user-input URL. But to avoid SSRF it should not load resources from the...

The solution is to resolve the domain, validate that the resulting IP address is not an RFC1918 IP address, and then connect to that IP address. To avoid race conditions,...

> application should never send user password back to client as plain-text

In #1134 @elarlang argued that the application does not know the password when it is hashed, and 2.4.1...

See also [V13.2.6: signing requests · Issue #528 · OWASP/ASVS](https://github.com/OWASP/ASVS/issues/528)

I agree. I looked into this earlier:

* [Clearing secrets from memory](http://www.sjoerdlangkemper.nl/2016/05/22/should-passwords-be-cleared-from-memory/)
* [Overwriting memory in Python](http://www.sjoerdlangkemper.nl/2016/06/09/clearing-memory-in-python/)

It primarily reduces impact in the case of a buffer overread (i.e. [heartbleed](https://en.wikipedia.org/wiki/Heartbleed)),...

I agree that everyone should run SAST to detect security bugs. But is that what this requirement says?

> that can detect potentially malicious code

Not security bugs, but actively...

> For example, an image file should have properties such as width and height.

[PHP docs disagree](https://www.php.net/manual/en/function.getimagesize.php):

> Do not use getimagesize() to check that a given file is a...

Some requirements are given as length, others as entropy. I don't think this is a problem, or inconsistent. It is possible to reason about the entropy of random secrets that...