Josh Grossman
So @elarlang, I presume this needs to be a 1.12.x documentation requirement, so based on https://github.com/OWASP/ASVS/issues/1604#issuecomment-1570884021 above, how about: > Verify that the application documentation defines the file types which...
@elarlang what do you think about my suggestion: https://github.com/OWASP/ASVS/issues/1604#issuecomment-2336774938
> Here is a suggestion that considers Elar's comments. > > _Verify that, if the application allows uploading files, the documentation defines the permitted file types, expected file extensions, and...
Yeah Elar included this in the requirement :) 
I think this is a great idea and important for V2. Just so I understand, do I correctly understand the theoretical attack scenario: I have a facemorphing app. People can...
> How about “you can only use one SSO Identity for public federation” (public federation is when you can use any public identity provider at registration). > > These public...
> > @jmanico my concern is that we are mandating only one way of solving the problem here, if there is a use case where they need to support multiple...
> I would say ideally the account identifier should be the `(issuer, sub)` pair(when using the OIDC terminology or `(idp_id, idp_user_id)` in general and using email address as user *identifier*...
@randomstuff can I get feedback on my suggested wording? "_Verify that, if the application supports multiple identity providers (IDPs), it registers the user with a combination of IDP ID and...
Ok so basically: "_Verify that, if the application supports multiple identity providers (IDPs), the user's identity cannot be spoofed via another supported identity provider (by using the same user identifier)._"...