diff --git a/data/templates/asvs-5.0.cdx.json b/data/templates/asvs-5.0.cdx.json
index 29cf03984..7b4bc13f0 100644
--- a/data/templates/asvs-5.0.cdx.json
+++ b/data/templates/asvs-5.0.cdx.json
@@ -133,7 +133,7 @@
 {
 "bom-ref": "V2.1.2",
 "identifier": "V2.1.2",
- "text": "[MODIFIED, SPLIT TO 2.4.6] Verify that passwords of at least 64 characters are permitted.",
+ "text": "[MODIFIED] Verify that passwords of at least 64 characters are permitted.",
 "parent": "V2.1"
 },
 {
@@ -151,7 +151,7 @@
 {
 "bom-ref": "V2.1.5",
 "identifier": "V2.1.5",
- "text": "Verify users can change their password.",
+ "text": "[GRAMMAR] Verify that users can change their password.",
 "parent": "V2.1"
 },
 {
@@ -307,7 +307,7 @@
 {
 "bom-ref": "V2.3.4",
 "identifier": "V2.3.4",
- "text": "[ADDED] System administrators should not be able to change or choose any user's password, but rather only be able to initiate the password reset process for the user.",
+ "text": "[ADDED] Verify that administrative users can initiate the password reset process for the user, but that this does not allow them to change or choose the user's password. This prevents a situation where they know the user's password.",
 "parent": "V2.3"
 },
 {
@@ -346,12 +346,6 @@
 "text": "[DELETED, INCORRECT]",
 "parent": "V2.4"
 },
- {
- "bom-ref": "V2.4.6",
- "identifier": "V2.4.6",
- "text": "[ADDED, SPLIT FROM 2.1.2] Verify that the application is protected against a denial of service attack caused by processing an overly long password.",
- "parent": "V2.4"
- },
 {
 "bom-ref": "V2.5",
 "identifier": "V2.5",
@@ -367,7 +361,7 @@
 {
 "bom-ref": "V2.5.2",
 "identifier": "V2.5.2",
- "text": "Verify password hints or knowledge-based authentication (so-called \"secret questions\") are not present.",
+ "text": "[GRAMMAR] Verify that password hints or knowledge-based authentication (so-called \"secret questions\") are not present.",
 "parent": "V2.5"
 },
 {
@@ -379,7 +373,7 @@
 {
 "bom-ref": "V2.5.4",
 "identifier": "V2.5.4",
- "text": "[MODIFIED] Verify that default user accounts (e.g. \"root\", \"admin\", or \"sa\") are not present in the application or are disabled.",
+ "text": "[MOVED TO 14.1.10]",
 "parent": "V2.5"
 },
 {
@@ -391,7 +385,7 @@
 {
 "bom-ref": "V2.5.6",
 "identifier": "V2.5.6",
- "text": "[GRAMMAR] Verify that forgotten password, and other recovery paths use a secure recovery mechanism, such as time-based OTP (TOTP) or other soft token, mobile push, or another offline recovery mechanism.",
+ "text": "[MODIFIED] Verify that a secure process for resetting a forgotten password is implemented, that does not bypass any enabled multi-factor authentication mechanisms.",
 "parent": "V2.5"
 },
 {
@@ -589,7 +583,7 @@
 {
 "bom-ref": "V2.10.4",
 "identifier": "V2.10.4",
- "text": "[DELETED, MERGED TO 6.4.1]",
+ "text": "[DELETED, MERGED TO 14.8.1]",
 "parent": "V2.10"
 },
 {
@@ -666,13 +660,19 @@
 {
 "bom-ref": "V3.1.3",
 "identifier": "V3.1.3",
- "text": "[MODIFIED, MOVED FROM 3.5.2, LEVEL L2 > L1] Verify that the application uses either cryptographically secured or random session tokens for session management. Static API secrets and keys should be avoided.",
+ "text": "[MODIFIED, MOVED FROM 3.5.2, LEVEL L2 > L1] Verify that the application uses either self-contained or reference tokens for session management. Static API secrets and keys should be avoided.",
 "parent": "V3.1"
 },
 {
 "bom-ref": "V3.1.4",
 "identifier": "V3.1.4",
- "text": "[MODIFIED, MOVED FROM 3.2.2, MERGED FROM 3.2.4] Verify that if random tokens are used to represent user sessions, they are unique and generated using a cryptographically secure pseudo-random number generator (CSPRNG) and possess at least 128 bits of entropy.",
+ "text": "[MODIFIED, MOVED FROM 3.2.2, MERGED FROM 3.2.4] Verify that if reference tokens are used to represent user sessions, they are unique and generated using a cryptographically secure pseudo-random number generator (CSPRNG) and possess at least 128 bits of entropy.",
+ "parent": "V3.1"
+ },
+ {
+ "bom-ref": "V3.1.5",
+ "identifier": "V3.1.5",
+ "text": "[MODIFIED, MOVED FROM 3.2.1] Verify that the application generates a new session token on user authentication, including re-authentication, and terminates the current session token.",
 "parent": "V3.1"
 },
 {
@@ -684,7 +684,7 @@
 {
 "bom-ref": "V3.2.1",
 "identifier": "V3.2.1",
- "text": "[MODIFIED] Verify the application generates a new session token on user authentication, including re-authentication, and terminates the current session token.",
+ "text": "[MOVED TO 3.1.5]",
 "parent": "V3.2"
 },
 {
@@ -750,25 +750,25 @@
 {
 "bom-ref": "V3.4.1",
 "identifier": "V3.4.1",
- "text": "Verify that cookie-based session tokens have the 'Secure' attribute set.",
+ "text": "[MOVED TO 50.2.1]",
 "parent": "V3.4"
 },
 {
 "bom-ref": "V3.4.2",
 "identifier": "V3.4.2",
- "text": "[MODIFIED] Verify that cookie-based session tokens are not readable by client-side scripts. The session token cookie should have the 'HttpOnly' attribute set and the session token value should only be transferred to the client via the Set-Cookie header field.",
+ "text": "[MOVED TO 50.2.2]",
 "parent": "V3.4"
 },
 {
 "bom-ref": "V3.4.3",
 "identifier": "V3.4.3",
- "text": "Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks.",
+ "text": "[MOVED TO 50.2.3]",
 "parent": "V3.4"
 },
 {
 "bom-ref": "V3.4.4",
 "identifier": "V3.4.4",
- "text": "Verify that cookie-based session tokens use the \"__Host-\" prefix so cookies are only sent to the host that initially set the cookie.",
+ "text": "[MOVED TO 50.2.4]",
 "parent": "V3.4"
 },
 {
@@ -786,7 +786,7 @@
 {
 "bom-ref": "V3.5.1",
 "identifier": "V3.5.1",
- "text": "[MOVED TO 51.2.14]",
+ "text": "[MOVED TO 51.4.14]",
 "parent": "V3.5"
 },
 {
@@ -798,31 +798,7 @@
 {
 "bom-ref": "V3.5.3",
 "identifier": "V3.5.3",
- "text": "[MODIFIED, LEVEL L2 > L1] Verify that cryptographically secured tokens are validated using their digital signature or MAC to protect against tampering before accepting the token's contents.",
- "parent": "V3.5"
- },
- {
- "bom-ref": "V3.5.4",
- "identifier": "V3.5.4",
- "text": "[ADDED] Verify that, if a validity time span is present in the token data, the token and its content are accepted only if the verification time is within this validity time span. For example, for JWTs the claims 'nbf' and 'exp' must be verified.",
- "parent": "V3.5"
- },
- {
- "bom-ref": "V3.5.5",
- "identifier": "V3.5.5",
- "text": "[ADDED] Verify that only algorithms on an allowlist can be used to create and verify cryptographically secured tokens, for a given context. The allowlist should include the permitted algorithms, ideally only either symmetric or asymmetric algorithms, and should not include the 'None' algorithm. If both symmetric and asymmetric are needed, additional controls should prevent key confusion.",
- "parent": "V3.5"
- },
- {
- "bom-ref": "V3.5.6",
- "identifier": "V3.5.6",
- "text": "[ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience.",
- "parent": "V3.5"
- },
- {
- "bom-ref": "V3.5.7",
- "identifier": "V3.5.7",
- "text": "[ADDED] Verify that key material that is used to validate cryptographically secured tokens is from trusted pre-configured sources for the token issuer, preventing attackers from specifying untrusted sources and keys. For JWTs and other JWS structures, headers such as 'jku', 'x5u', and 'jwk' must be validated against an allowlist of trusted sources.",
+ "text": "[MOVED TO 52.1.1]",
 "parent": "V3.5"
 },
 {
@@ -1025,7 +1001,7 @@
 {
 "bom-ref": "V4.2.2",
 "identifier": "V4.2.2",
- "text": "[MOVED TO 50.3.1]",
+ "text": "[MOVED TO 50.4.1]",
 "parent": "V4.2"
 },
 {
@@ -1037,13 +1013,13 @@
 {
 "bom-ref": "V4.2.4",
 "identifier": "V4.2.4",
- "text": "[ADDED] Verify that changes to values on which access control decisions are made are applied immediately. Where changes cannot be applied immediately, (such as when relying on data in cryptographically secured tokens), there must be mitigating controls to alert when a consumer performs an action when they should no longer be able to do so and revert the change. Note that this would be unable to mitigate information leakage.",
+ "text": "[ADDED] Verify that changes to values on which access control decisions are made are applied immediately. Where changes cannot be applied immediately, (such as when relying on data in self-contained tokens), there must be mitigating controls to alert when a consumer performs an action when they should no longer be able to do so and revert the change. Note that this would be unable to mitigate information leakage.",
 "parent": "V4.2"
 },
 {
 "bom-ref": "V4.2.5",
 "identifier": "V4.2.5",
- "text": "[ADDED] Verify that access to an object is based on the originating subject's (e.g. consumer's) permissions, not on the permissions of any intermediary or service acting on their behalf. For example, if a consumer calls a web service using a signed token for authentication, and the service then requests data from a different service, the second service should use the consumer's signed token, rather than a machine-to-machine token from the first service, to make permission decisions.",
+ "text": "[ADDED] Verify that access to an object is based on the originating subject's (e.g. consumer's) permissions, not on the permissions of any intermediary or service acting on their behalf. 
For example, if a consumer calls a web service using a self-contained token for authentication, and the service then requests data from a different service, the second service should use the consumer's token, rather than a machine-to-machine token from the first service, to make permission decisions.",
 "parent": "V4.2"
 },
 {
@@ -1114,7 +1090,7 @@
 {
 "bom-ref": "V1.5.5",
 "identifier": "V1.5.5",
- "text": "[ADDED, SPLIT FROM 1.5.1] Verify that input validation rules are documented and define how to ensure the logical and contextual consistency of combined data items, such as checking that suburb and zipcode match.",
+ "text": "[ADDED, SPLIT FROM 1.5.1] Verify that input validation rules are documented and define how to ensure the logical and contextual consistency of combined data items, such as checking that suburb and zip code match.",
 "parent": "V1.5"
 },
 {
@@ -1150,13 +1126,13 @@
 {
 "bom-ref": "V5.1.5",
 "identifier": "V5.1.5",
- "text": "[MODIFIED, SPLIT TO 50.7.1] Verify that the application will only automatically redirect the user to a different URL directly from an application URL where the destination appears on an allowlist.",
+ "text": "[MODIFIED, SPLIT TO 50.8.1] Verify that the application will only automatically redirect the user to a different URL directly from an application URL where the destination appears on an allowlist.",
 "parent": "V5.1"
 },
 {
 "bom-ref": "V5.1.6",
 "identifier": "V5.1.6",
- "text": "[ADDED] Verify that untrusted input is validated for length before being included in a cookie (including as part of a JWT) and that the cookie name and value length combined are not over 4096 bytes.",
+ "text": "[ADDED] Verify that the application validates that user-controlled input in HTTP request header fields does not exceed the server's maximum header field size limit (usually 4kB or 8kB) to prevent client-based denial of service attacks.",
 "parent": "V5.1"
 },
 {
@@ -1165,12 +1141,6 @@
 "text": "[ADDED, SPLIT FROM 5.1.4] Verify that the application ensures that combinations of related data items are reasonable according to the pre-defined rules.",
 "parent": "V5.1"
 },
- {
- "bom-ref": "V5.1.8",
- "identifier": "V5.1.8",
- "text": "[ADDED] Verify that the application validates that user-controlled input in HTTP request header fields does not exceed the server's maximum header field size limit (usually 4kB or 8kB) to prevent client-based denial of service attacks.",
- "parent": "V5.1"
- },
 {
 "bom-ref": "V5.2",
 "identifier": "V5.2",
@@ -1198,7 +1168,7 @@
 {
 "bom-ref": "V5.2.4",
 "identifier": "V5.2.4",
- "text": "[MODIFIED] Verify that the application avoids the use of eval() or other dynamic code execution features such as Spring Expression Lanugage (SpEL). Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.",
+ "text": "[MODIFIED] Verify that the application avoids the use of eval() or other dynamic code execution features such as Spring Expression Language (SpEL). Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.",
 "parent": "V5.2"
 },
 {
@@ -1276,7 +1246,7 @@
 {
 "bom-ref": "V5.3.3",
 "identifier": "V5.3.3",
- "text": "[MODIFIED, SPLIT TO 50.5.2] Verify that output encoding or escaping is used when dynamically building JavaScript content (including JSON), to avoid changing the message or document structure (to avoid JavaScript and JSON injection).",
+ "text": "[MODIFIED, SPLIT TO 50.6.2] Verify that output encoding or escaping is used when dynamically building JavaScript content (including JSON), to avoid changing the message or document structure (to avoid JavaScript and JSON injection).",
 "parent": "V5.3"
 },
 {
@@ -1432,7 +1402,7 @@
 {
 "bom-ref": "V6",
 "identifier": "V6",
- "title": "Stored Cryptography"
+ "title": "Cryptography"
 },
 {
 "bom-ref": "V1.6",
@@ -1449,7 +1419,7 @@
 {
 "bom-ref": "V1.6.2",
 "identifier": "V1.6.2",
- "text": "Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.",
+ "text": "[DELETED, MERGED TO 14.8.1]",
 "parent": "V1.6"
 },
 {
@@ -1461,18 +1431,12 @@
 {
 "bom-ref": "V1.6.4",
 "identifier": "V1.6.4",
- "text": "[GRAMMAR] Verify that the architecture treats client-side secrets (such as symmetric keys, passwords, or API tokens) as insecure and never uses them to protect or access sensitive data.",
+ "text": "[MODIFIED] Verify that a cryptographic inventory is performed, maintained, regularly updated, and includes all cryptographic keys, algorithms, and certificates used by the application. It should also document where keys can and cannot be used in the system and also the types of data which can and cannot be protected using the keys.",
 "parent": "V1.6"
 },
 {
 "bom-ref": "V1.6.5",
 "identifier": "V1.6.5",
- "text": "[ADDED] Verify that a cryptographic inventory is performed, maintained, regularly updated, and includes all cryptographic keys, algorithms, and certificates used by the application.",
- "parent": "V1.6"
- },
- {
- "bom-ref": "V1.6.7",
- "identifier": "V1.6.7",
 "text": "[ADDED] Verify that cryptographic discovery mechanisms are employed to identify all instances of cryptography in the system, including encryption, hashing, and signing operations.",
 "parent": "V1.6"
 },
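Review bot: The `[MODIFIED]` tag on V1.6.4 in the second hunk presents the change as a rewording, but the new text is the cryptographic-inventory requirement that previously sat at V1.6.5, while the former client-side-secrets requirement vanishes with no record. Elsewhere in this file a dropped requirement keeps a `[DELETED, …]` or `[MOVED TO …]` tombstone and text absorbed from another entry is tagged `MERGED FROM` (compare V14.8.1 further down in this same diff). Consider `"text": "[MODIFIED, MERGED FROM 1.6.5] Verify that a cryptographic inventory is performed, …"` on V1.6.4, and a sentence in the commit message stating that the client-side-secrets requirement was deliberately retired, so the 4.0-to-5.0 mapping stays traceable. Dropping the old V1.6.5 and V1.6.7 entries without tombstones is consistent with how other `[ADDED]` entries are handled in this diff.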
@@ -1527,7 +1491,7 @@
 {
 "bom-ref": "V6.2.4",
 "identifier": "V6.2.4",
- "text": "Verify that the application is designed with crypto agility such that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. Similarly, it must also be possible to replace keys and passwords and re-encrypt data. This should allow for seamless upgrades to post-quantum cryptography (PQC), once PQC standards are fully established.",
+ "text": "[MODIFIED, MERGED FROM 1.6.3] Verify that the application is designed with crypto agility such that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. Similarly, it must also be possible to replace keys and passwords and re-encrypt data. This should allow for seamless upgrades to post-quantum cryptography (PQC), once PQC standards are fully established.",
 "parent": "V6.2"
 },
 {
@@ -1557,7 +1521,7 @@
 {
 "bom-ref": "V6.2.9",
 "identifier": "V6.2.9",
- "text": "[ADDED] All cryptographic primitives MUST utilize a minimum of 128-bits of security, with exceptions only made for equipment or applications approaching end of life, where the requirement is at least 112-bits of security for all cryptography.",
+ "text": "[ADDED] Verify that all cryptographic primitives utilize a minimum of 128-bits of security based on the algorithm, key size, and configuration. For example, a 256-bit ECC key provides roughly 128 bits of security where RSA requires a 3072-bit key to achieve 128 bits of security.",
 "parent": "V6.2"
 },
 {
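Review bot: V6.2.4 gains `MERGED FROM 1.6.3` with no change to its requirement text, yet nothing in this diff touches V1.6.3 itself; the V1.6 hunk at -1461 starts at V1.6.4, so the donor entry lies outside the change. If V1.6.3 still carries its own text, anyone following the mapping finds two live requirements rather than a merge, so it presumably needs a tombstone along the lines of `"text": "[DELETED, MERGED TO 6.2.4]"` — please confirm against the full file. The V6.2.9 rewrite in the second hunk also silently drops the 112-bit end-of-life exception that the removed line allowed; if that tightening is intended it deserves a line in the commit message.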
@@ -1569,13 +1533,13 @@
 {
 "bom-ref": "V6.3.1",
 "identifier": "V6.3.1",
- "text": "[GRAMMAR, LEVEL L2 > L1] Verify that all random numbers and strings which are intended to be non-guessable must be generated using a cryptographically-secure pseudo-random number generator (CSPRNG).",
+ "text": "[GRAMMAR, LEVEL L2 > L1] Verify that all random numbers and strings which are intended to be non-guessable must be generated using a cryptographically-secure pseudo-random number generator (CSPRNG) and have at least 128 bits of entropy. Note that UUIDs do not respect this condition.",
 "parent": "V6.3"
 },
 {
 "bom-ref": "V6.3.2",
 "identifier": "V6.3.2",
- "text": "[MODIFIED] Verify that UUIDs are created with an implementation of the UUID v4 or v7 algorithms which utilizes a cryptographically-secure pseudo-random number generator (CSPRNG).",
+ "text": "[DELETED, DUPLICATE OF 6.3.1]",
 "parent": "V6.3"
 },
 {
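Review bot: V6.3.1 keeps the `[GRAMMAR, LEVEL L2 > L1]` tag although the added line introduces a new substantive requirement (`and have at least 128 bits of entropy. Note that UUIDs do not respect this condition.`), and V6.3.2 is retired as a duplicate of it. In this file `[GRAMMAR]` marks wording-only edits (see V2.5.2 and V8.1.4 in this diff), so the tag should presumably become `[MODIFIED, LEVEL L2 > L1]`, and `[DELETED, MERGED TO 6.3.1]` on V6.3.2 would describe what happened more accurately than `DUPLICATE OF`, since the UUID entry is what contributed the entropy clause. The rewritten sentence also doubles the modal (`Verify that … must be generated`); `… are generated …` reads cleanly and matches the other `Verify that` entries.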
@@ -1593,25 +1557,13 @@
 {
 "bom-ref": "V6.4.1",
 "identifier": "V6.4.1",
- "text": "[MODIFIED, MERGED FROM 2.10.4] Verify that a secrets management solution such as a key vault is used to securely create, store, control access to, and destroy back-end secrets, such as passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys. Secrets must not be included in source code or be received as CI/CD variables. For a L3 application, this should involved a hardware-backed solution such as an HSM.",
+ "text": "[MOVED TO 14.8.1]",
 "parent": "V6.4"
 },
 {
 "bom-ref": "V6.4.2",
 "identifier": "V6.4.2",
- "text": "[MODIFIED] Verify that key material is not exposed to the application (neither the front-end nor the back-end) but instead uses an isolated security module like a vault for cryptographic operations.",
- "parent": "V6.4"
- },
- {
- "bom-ref": "V6.4.3",
- "identifier": "V6.4.3",
- "text": "[ADDED] Verify that key secrets have defined expiration dates and are rotated on a schedule based on the organization’s threat model and business requirements.",
- "parent": "V6.4"
- },
- {
- "bom-ref": "V6.4.4",
- "identifier": "V6.4.4",
- "text": "[ADDED] Verify that access to secret assets adheres to the principle of least privilege.",
+ "text": "[MOVED TO 14.8.2]",
 "parent": "V6.4"
 },
 {
@@ -1629,19 +1581,19 @@
 {
 "bom-ref": "V6.5.2",
 "identifier": "V6.5.2",
- "text": "[ADDED, SPLIT FROM 6.2.5, LEVEL L2 > L1] Verify that insecure ciphers, including Triple-DES and Blowfish, are not used but secure ciphers and modes** such as AES with GCM are.",
+ "text": "[ADDED, SPLIT FROM 6.2.5, LEVEL L2 > L1] Verify that insecure ciphers, including Triple-DES and Blowfish, are not used but secure ciphers and modes such as AES with GCM are.",
 "parent": "V6.5"
 },
 {
 "bom-ref": "V6.5.3",
 "identifier": "V6.5.3",
- "text": "[MOVED FROM 6.2.6, LEVEL L2 > L3] Verify that nonces, initialization vectors, and other single-use numbers are not used for more than one encryption key/data-element pair. The method of generation must be appropriate for the algorithm being used.",
+ "text": "[MODIFIED, MOVED FROM 6.2.6, LEVEL L2 > L3] Verify that nonces, initialization vectors, and other single-use numbers are not used for more than one encryption key/data-element pair. The method of generation must be appropriate for the algorithm being used.",
 "parent": "V6.5"
 },
 {
 "bom-ref": "V6.5.4",
 "identifier": "V6.5.4",
- "text": "[MOVED FROM 6.2.7] Verify that encrypted data is authenticated via signatures, including unencrypted tokens being used for secure access control, as well as through authenticated cipher modes or HMAC for protection against unauthorized modification.",
+ "text": "[MODIFIED, MOVED FROM 6.2.7] Verify that encrypted data is authenticated via signatures, as well as through authenticated cipher modes or HMAC for protection against unauthorized modification.",
 "parent": "V6.5"
 },
 {
@@ -1680,12 +1632,6 @@
 "text": "[ADDED] Verify that hash functions used in digital signatures are collision resistant and have appropriate bit-lengths to avoid attacks, such as collision or pre-image attacks.",
 "parent": "V6.6"
 },
- {
- "bom-ref": "V6.6.5",
- "identifier": "V6.6.5",
- "text": "[ADDED] Verify that hash functions used in HMAC, KDF, and random bit generation are derived from those with proper entropy seeding for random bit generation.",
- "parent": "V6.6"
- },
 {
 "bom-ref": "V6.7",
 "identifier": "V6.7",
@@ -1695,7 +1641,7 @@
 {
 "bom-ref": "V6.7.1",
 "identifier": "V6.7.1",
- "text": "[ADDED] Verify that industry-proven cryptographic algorithms, such as Diffie-Hellman groups, with a focus on ensuring that key exchange mechanisms use secure parameters to prevent man-in-the-middle attacks or cryptographic breaks, are used for key exchanges to prevent attacks on the key establishment process.",
+ "text": "[ADDED] Verify that industry-proven cryptographic algorithms are used for key exchange (such as Diffie-Hellman) with a focus on ensuring that key exchange mechanisms use secure parameters. This should prevent attacks on the key establishment process which could lead to adversary-in-the-middle attacks or cryptographic breaks.",
 "parent": "V6.7"
 },
 {
@@ -1725,7 +1671,7 @@
 {
 "bom-ref": "V6.9.1",
 "identifier": "V6.9.1",
- "text": "[ADDED] Verify, if the application needs to support post-quantum cryptography, that quantum-safe algorithms, or quantum-resistant algorithms, such as lattice-based (ML-KEM), hash-based, code-based, or multivariate cryptographic schemes, are used as replacements for vulnerable classical algorithms like RSA and ECC.",
+ "text": "[ADDED] Verify that a cryptographic inventory is maintained and includes a documented transformation plan or mapping that outlines the migration path from current cryptographic algorithms and systems to those that are post-quantum cryptography/quantum-safe.",
 "parent": "V6.9"
 },
 {
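Review bot: The new V6.9.1 text in the third hunk re-states the cryptographic-inventory mandate that this same diff consolidates into V1.6.4 (`Verify that a cryptographic inventory is maintained and includes a documented transformation plan …`), so two requirements now each demand that an inventory be maintained and can drift apart over time. If 6.9.1 is meant to add only the PQC migration plan, phrasing it as building on the existing inventory — e.g. `Verify that the cryptographic inventory includes a documented transformation plan or mapping that outlines the migration path …` — keeps a single source of truth for the inventory itself. Removing the old 6.9.1 algorithm list and the V6.6.5 entry without tombstones is consistent with how other `[ADDED]` entries are handled in this diff.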
@@ -1981,7 +1927,7 @@
 {
 "bom-ref": "V8.1.4",
 "identifier": "V8.1.4",
- "text": "Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application.",
+ "text": "[GRAMMAR] Verify that the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application.",
 "parent": "V8.1"
 },
 {
@@ -2107,7 +2053,7 @@
 {
 "bom-ref": "V9",
 "identifier": "V9",
- "title": "Communication Encryption"
+ "title": "Secure Communication"
 },
 {
 "bom-ref": "V1.9",
@@ -2232,7 +2178,7 @@
 {
 "bom-ref": "V9.4.1",
 "identifier": "V9.4.1",
- "text": "[MODIFIED, MOVED FROM 9.1.2] Verify that only the latest recommended cipher suites are enabled, with the strongest cipher suites set as preferred.",
+ "text": "[MODIFIED, MOVED FROM 9.1.2] Verify that only the latest recommended cipher suites are enabled, with the strongest cipher suites set as preferred. L3 applications must only support cipher suites which provide forward secrecy.",
 "parent": "V9.4"
 },
 {
@@ -2247,6 +2193,18 @@
 "text": "[MOVED FROM 9.2.4] Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured.",
 "parent": "V9.4"
 },
+ {
+ "bom-ref": "V9.4.4",
+ "identifier": "V9.4.4",
+ "text": "[ADDED] Verify that Encrypted Client Hello (ECH) is supported and properly configured within the application’s TLS settings to prevent exposure of sensitive metadata, such as the Server Name Indication (SNI), during TLS handshake processes.",
+ "parent": "V9.4"
+ },
+ {
+ "bom-ref": "V9.4.5",
+ "identifier": "V9.4.5",
+ "text": "[ADDED] Verify that the application validates that mTLS client certificates are trusted before using the certificate identity for authentication or authorization.",
+ "parent": "V9.4"
+ },
 {
 "bom-ref": "V10",
 "identifier": "V10",
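Review bot: The added V9.4.4 text in the last hunk uses a typographic apostrophe in `application’s`, whereas the rest of this file writes ASCII apostrophes (`user's`, `server's`, `consumer's` in nearby hunks); the same character appears in `organization’s` in the new V14.8.3 entry further down. Normalising both to `'` keeps the file byte-consistent and avoids surprising tooling that matches on exact requirement text. Separately, V9.4.5 requires that mTLS client certificates are `trusted` but does not say against what; if the intent is chain validation to a configured trust store plus revocation checking, stating that (e.g. `… are validated against a configured trust store, including revocation status, before using …`) would make the requirement testable.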
@@ -2279,7 +2237,7 @@
 {
 "bom-ref": "V1.10.4",
 "identifier": "V1.10.4",
- "text": "[ADDED, SPLIT FROM 1.14.5] Verify that application documentation highlights parts of the application where \"risky\" operations are being performed. \"Risky\" in this context means those with a high likelyhood of being dangerously exploitated such as: deserialization of untrusted data, raw file parsing, direct memory manipulation, etc.",
+ "text": "[ADDED, SPLIT FROM 1.14.5] Verify that application documentation highlights parts of the application where \"risky\" operations are being performed. \"Risky\" in this context means those with a high likelihood of being dangerously exploited such as: deserialization of untrusted data, raw file parsing, direct memory manipulation, etc.",
 "parent": "V1.10"
 },
 {
@@ -2405,7 +2363,7 @@
 {
 "bom-ref": "V10.5.1",
 "identifier": "V10.5.1",
- "text": "[ADDED, SPLIT FROM 1.14.5, 14.2.6] Verify that the application implements additional protections around parts of the application which are documented as performing \"risky\" operations or using \"risky\" third-party libaries. This could include techniques such as sandboxing, encapsulation, containerization or network level isolation to delay and deter attackers who compromise one part of an application from pivoting elsewhere in the application.",
+ "text": "[ADDED, SPLIT FROM 1.14.5, 14.2.6] Verify that the application implements additional protections around parts of the application which are documented as performing \"risky\" operations or using \"risky\" third-party libraries. This could include techniques such as sandboxing, encapsulation, containerization or network level isolation to delay and deter attackers who compromise one part of an application from pivoting elsewhere in the application.",
 "parent": "V10.4"
 },
 {
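Review bot: The V10.5.1 entry in the second hunk carries `"parent": "V10.4"` on the context line directly under the corrected text, while its `bom-ref` and `identifier` are `V10.5.1`; every other entry in this diff parents to the section matching its own prefix (for example V14.8.1 → V14.8), so this looks like a pre-existing mis-parent that the typo fix on the line above could correct in the same touch. If a V10.5 section exists in the file, `"parent": "V10.5"` is presumably intended — please confirm, since the section list is outside this diff.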
@@ -2518,7 +2476,7 @@
 {
 "bom-ref": "V11.1.3",
 "identifier": "V11.1.3",
- "text": "[MODIFIED, MERGED FROM 11.1.5] Verify that business logic limits and validations are implemented as per the application's documentation.",
+ "text": "[MODIFIED, MERGED FROM 11.1.5] Verify that business logic limits and validations are implemented as per the application's documentation, to avoid business logic flaws being exploited such as buying items for a negative amount.",
 "parent": "V11.1"
 },
 {
@@ -2601,7 +2559,7 @@
 {
 "bom-ref": "V1.12.2",
 "identifier": "V1.12.2",
- "text": "[DELETED, MERGED TO 50.5.1]",
+ "text": "[DELETED, MERGED TO 50.6.1]",
 "parent": "V1.12"
 },
 {
@@ -2739,7 +2697,7 @@
 {
 "bom-ref": "V12.5.2",
 "identifier": "V12.5.2",
- "text": "[MOVED TO 50.5.1]",
+ "text": "[MOVED TO 50.6.1]",
 "parent": "V12.5"
 },
 {
@@ -2837,6 +2795,12 @@
 "text": "[MODIFIED, MOVED FROM 14.4.1] Verify that every HTTP response with a message body contains a Content-Type header field that matches the actual content of the response, including the charset parameter to specify safe character encoding (e.g., UTF-8, ISO-8859-1) according to IANA Media Types, such as \"text/\", \"/+xml\" and \"/xml\".",
 "parent": "V13.1"
 },
+ {
+ "bom-ref": "V13.1.8",
+ "identifier": "V13.1.8",
+ "text": "[ADDED] Verify that HTTPS-based endpoints either return an error or do not respond to unencrypted HTTP requests which contain sensitive data in the headers or body. If a client is erroneously sending unencrypted HTTP requests but the requests are being automatically redirected to HTTPS, this leakage of sensitive data may go undiscovered.",
+ "parent": "V13.1"
+ },
 {
 "bom-ref": "V13.2",
 "identifier": "V13.2",
@@ -2858,7 +2822,7 @@
 {
 "bom-ref": "V13.2.3",
 "identifier": "V13.2.3",
- "text": "[DELETED, MERGED TO 50.3.1]",
+ "text": "[DELETED, MERGED TO 50.4.1]",
 "parent": "V13.2"
 },
 {
@@ -3049,7 +3013,7 @@
 {
 "bom-ref": "V1.14.6",
 "identifier": "V1.14.6",
- "text": "[MOVED TO 50.7.2]",
+ "text": "[MOVED TO 50.8.2]",
 "parent": "V1.14"
 },
 {
@@ -3118,6 +3082,12 @@
 "text": "[ADDED] Verify that application code or functionality can only be changed via the standard update or build process and not directly in production through application functionality or some other direct modification mechanism.",
 "parent": "V14.1"
 },
+ {
+ "bom-ref": "V14.1.10",
+ "identifier": "V14.1.10",
+ "text": "[MODIFIED, MOVED FROM 2.5.4] Verify that default user accounts (e.g. \"root\", \"admin\", or \"sa\") are not present in the application or are disabled.",
+ "parent": "V14.1"
+ },
 {
 "bom-ref": "V14.2",
 "identifier": "V14.2",
@@ -3139,7 +3109,7 @@
 {
 "bom-ref": "V14.2.3",
 "identifier": "V14.2.3",
- "text": "[MOVED TO 50.6.1]",
+ "text": "[MOVED TO 50.7.1]",
 "parent": "V14.2"
 },
 {
@@ -3217,37 +3187,37 @@
 {
 "bom-ref": "V14.4.2",
 "identifier": "V14.4.2",
- "text": "[DELETED, MERGED TO 50.5.1]",
+ "text": "[DELETED, MERGED TO 50.6.1]",
 "parent": "V14.4"
 },
 {
 "bom-ref": "V14.4.3",
 "identifier": "V14.4.3",
- "text": "[MOVED TO 50.2.1]",
+ "text": "[MOVED TO 50.3.1]",
 "parent": "V14.4"
 },
 {
 "bom-ref": "V14.4.4",
 "identifier": "V14.4.4",
- "text": "[MOVED TO 50.2.2]",
+ "text": "[MOVED TO 50.3.2]",
 "parent": "V14.4"
 },
 {
 "bom-ref": "V14.4.5",
 "identifier": "V14.4.5",
- "text": "[MOVED TO 50.2.3]",
+ "text": "[MOVED TO 50.3.3]",
 "parent": "V14.4"
 },
 {
 "bom-ref": "V14.4.6",
 "identifier": "V14.4.6",
- "text": "[MOVED TO 50.2.4]",
+ "text": "[MOVED TO 50.3.4]",
 "parent": "V14.4"
 },
 {
 "bom-ref": "V14.4.7",
 "identifier": "V14.4.7",
- "text": "[MOVED TO 50.2.5]",
+ "text": "[MOVED TO 50.3.5]",
 "parent": "V14.4"
 },
 {
@@ -3271,7 +3241,7 @@
 {
 "bom-ref": "V14.5.3",
 "identifier": "V14.5.3",
- "text": "[SPLIT TO 50.2.6, 50.3.3]",
+ "text": "[SPLIT TO 50.3.6, 50.4.3]",
 "parent": "V14.5"
 },
 {
@@ -3322,6 +3292,36 @@
 "text": "[MODIFIED, MOVED FROM 4.3.3] Verify that, if the application allows changing configurations around passwords or connection parameters for integrations with external databases and services, they are protected by extra controls such as re-authentication or multi-user approval.",
 "parent": "V14.7"
 },
+ {
+ "bom-ref": "V14.8",
+ "identifier": "V14.8",
+ "title": "Secret Management",
+ "parent": "V14"
+ },
+ {
+ "bom-ref": "V14.8.1",
+ "identifier": "V14.8.1",
+ "text": "[MODIFIED, MOVED FROM 6.4.1, MERGED FROM 1.6.2, 2.10.4] Verify that a secrets management solution such as a key vault is used to securely create, store, control access to, and destroy back-end secrets. These could include passwords, key material, integrations with databases and third-party systems, seeds and internal secrets, and API keys. Secrets must not be included in application source code or included in build artifacts. For a L3 application, this should involve a hardware-backed solution such as an HSM.",
+ "parent": "V14.8"
+ },
+ {
+ "bom-ref": "V14.8.2",
+ "identifier": "V14.8.2",
+ "text": "[MODIFIED, MOVED FROM 6.4.2] Verify that key material is not exposed to the application (neither the front-end nor the back-end) but instead uses an isolated security module like a vault for cryptographic operations.",
+ "parent": "V14.8"
+ },
+ {
+ "bom-ref": "V14.8.3",
+ "identifier": "V14.8.3",
+ "text": "[ADDED] Verify that key secrets have defined expiration dates and are rotated on a schedule based on the organization’s threat model and business requirements.",
+ "parent": "V14.8"
+ },
+ {
+ "bom-ref": "V14.8.4",
+ "identifier": "V14.8.4",
+ "text": "[ADDED] Verify that access to secret assets adheres to the principle of least privilege.",
+ "parent": "V14.8"
+ },
 {
 "bom-ref": "V50",
 "identifier": "V50",
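Review bot: The relocated V14.8.1 text drops the clause `or be received as CI/CD variables` that the removed V6.4.1 line (hunk at -1593) carried, replacing it with `or included in build artifacts`; those are different controls, since a secret injected as a pipeline variable never lands in an artifact but is still exposed to every job and log in that pipeline. If the narrowing is deliberate it should be called out in the commit message, otherwise consider keeping both: `Secrets must not be included in application source code, included in build artifacts, or received as CI/CD variables.`. The `MERGED FROM 1.6.2, 2.10.4` tag agrees with the tombstones written on those two entries elsewhere in this diff.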
@@ -3354,152 +3354,188 @@ { "bom-ref": "V50.2", "identifier": "V50.2", - "title": "Browser Security Mechanism Headers", + "title": "Cookie Setup", "parent": "V50" }, { "bom-ref": "V50.2.1", "identifier": "V50.2.1", - "text": "[MODIFIED, MOVED FROM 14.4.3, LEVEL L1 > L2] Verify that every HTTP response includes a Content-Security-Policy header to reduce the risk of malicious JavaScript. The directives object-src 'none' and base-uri 'none' must be defined. For an L3 application, a per-response policy with nonces or hashes must be defined.", + "text": "[MODIFIED, MOVED FROM 3.4.1] Verify that cookies have the 'Secure' attribute set, and if the '\\__Host-' prefix is not used for the cookie name, the '__Secure-' prefix must be used for the cookie name.", "parent": "V50.2" }, { "bom-ref": "V50.2.2", "identifier": "V50.2.2", - "text": "[GRAMMAR, MOVED FROM 14.4.4] Verify that all responses contain a X-Content-Type-Options: nosniff header field.", + "text": "[MODIFIED, MOVED FROM 3.4.2, LEVEL L1 > L2] Verify that if the value of a cookie is not meant to be accessible to client-side scripts (such as a session token), the cookie must have the 'HttpOnly' attribute set and the same value (e. g. 
session token) must only be transferred to the client via the 'Set-Cookie' header field.", "parent": "V50.2" }, { "bom-ref": "V50.2.3", "identifier": "V50.2.3", - "text": "[MODIFIED, MOVED FROM 14.4.5] Verify that a Strict-Transport-Security header field is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains.", + "text": "[MODIFIED, MOVED FROM 3.4.3, LEVEL L1 > L2] Verify that each cookie's 'SameSite' attribute value is set according to the purpose of the cookie, to limit exposure to cross-site request forgery and user interface redress attacks.", "parent": "V50.2" }, { "bom-ref": "V50.2.4", "identifier": "V50.2.4", - "text": "[MODIFIED, MOVED FROM 14.4.6] Verify that an suitable Referrer-Policy header is included to prevent sensitive information in the URL from being exposed to untrusted parties via the Referer header.", + "text": "[MODIFIED, MOVED FROM 3.4.4, LEVEL L1 > L2] Verify that cookies have the '__Host-' prefix for the cookie name unless they are explicitly designed to be shared with other hosts.", "parent": "V50.2" }, { "bom-ref": "V50.2.5", "identifier": "V50.2.5", - "text": "[MODIFIED, MOVED FROM 14.4.7] Verify that the content of the web application cannot be embedded in a third-party site by default, and that embedding of specific resources is allowed only when necessary, using the Content-Security-Policy frame-ancestors directive. Note that X-Frame-Options is now obsolete.", - "parent": "V50.2" - }, - { - "bom-ref": "V50.2.6", - "identifier": "V50.2.6", - "text": "[ADDED, SPLIT FROM 14.5.3] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header field is validated against an allowlist of trusted origins. 
When \"Access-Control-Allow-Origin: *\" needs to be used, verify that the responses do not include any sensitive information.", - "parent": "V50.2" - }, - { - "bom-ref": "V50.2.7", - "identifier": "V50.2.7", - "text": "[ADDED] Verify that the Content-Security-Policy header field specifies a location to report violations.", - "parent": "V50.2" - }, - { - "bom-ref": "V50.2.8", - "identifier": "V50.2.8", - "text": "[ADDED] Verify that the application's top-level domain (e.g., site.tld) is added to the public HSTS preload list so that the use of TLS for the application is built directly into the main browsers, rather than relying only on the relevant HTTP response header field.", + "text": "[ADDED] Verify that when the application writes a cookie the cookie name and value length combined are not over 4096 bytes. Overly large cookies will not be stored by the browser and therefore not sent with requests, preventing the user from using application functionality which relies on that cookie.", "parent": "V50.2" }, { "bom-ref": "V50.3", "identifier": "V50.3", - "title": "Browser Origin Separation", + "title": "Browser Security Mechanism Headers", "parent": "V50" }, { "bom-ref": "V50.3.1", "identifier": "V50.3.1", - "text": "[MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality, using the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures.", + "text": "[MODIFIED, MOVED FROM 14.4.3, LEVEL L1 > L2] Verify that every HTTP response includes a Content-Security-Policy header to reduce the risk of malicious JavaScript. The directives object-src 'none' and base-uri 'none' must be defined. 
For an L3 application, a per-response policy with nonces or hashes must be defined.", "parent": "V50.3" }, { "bom-ref": "V50.3.2", "identifier": "V50.3.2", - "text": "[ADDED] Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid.", + "text": "[GRAMMAR, MOVED FROM 14.4.4] Verify that all responses contain a X-Content-Type-Options: nosniff header field.", "parent": "V50.3" }, { "bom-ref": "V50.3.3", "identifier": "V50.3.3", - "text": "[ADDED, SPLIT FROM 14.5.3] Verify that the Origin header field is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy.", + "text": "[MODIFIED, MOVED FROM 14.4.5] Verify that a Strict-Transport-Security header field is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains.", + "parent": "V50.3" + }, + { + "bom-ref": "V50.3.4", + "identifier": "V50.3.4", + "text": "[MODIFIED, MOVED FROM 14.4.6] Verify that an suitable Referrer-Policy header is included to prevent sensitive information in the URL from being exposed to untrusted parties via the Referer header.", + "parent": "V50.3" + }, + { + "bom-ref": "V50.3.5", + "identifier": "V50.3.5", + "text": "[MODIFIED, MOVED FROM 14.4.7] Verify that the content of the web application cannot be embedded in a third-party site by default, and that embedding of specific resources is allowed only when necessary, using the Content-Security-Policy frame-ancestors directive. Note that X-Frame-Options is now obsolete.", + "parent": "V50.3" + }, + { + "bom-ref": "V50.3.6", + "identifier": "V50.3.6", + "text": "[ADDED, SPLIT FROM 14.5.3] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header field is validated against an allowlist of trusted origins. 
When \"Access-Control-Allow-Origin: *\" needs to be used, verify that the responses do not include any sensitive information.", + "parent": "V50.3" + }, + { + "bom-ref": "V50.3.7", + "identifier": "V50.3.7", + "text": "[ADDED] Verify that the Content-Security-Policy header field specifies a location to report violations.", "parent": "V50.3" }, { "bom-ref": "V50.4", "identifier": "V50.4", - "title": "Cross-Site Script Inclusion", + "title": "Browser Origin Separation", "parent": "V50" }, { "bom-ref": "V50.4.1", "identifier": "V50.4.1", - "text": "[ADDED] Verify that JSONP functionality is not enabled anywhere across the application to avoid Cross-Site Script Inclusion (XSSI) attacks.", + "text": "[MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality, using the development framework's built-in anti-CSRF functionality or CSRF tokens, along with additional defense-in-depth measures.", "parent": "V50.4" }, { "bom-ref": "V50.4.2", "identifier": "V50.4.2", - "text": "[ADDED] Verify that data requiring authorization is not included in script resource responses, like JavaScript files, to prevent Cross-Site Script Inclusion (XSSI) attacks.", + "text": "[ADDED] Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid.", + "parent": "V50.4" + }, + { + "bom-ref": "V50.4.3", + "identifier": "V50.4.3", + "text": "[ADDED, SPLIT FROM 14.5.3] Verify that the Origin header field is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy.", "parent": "V50.4" }, { "bom-ref": "V50.5", "identifier": "V50.5", - "title": "Unintended Content Interpretation", + "title": "Cross-Site Script Inclusion", "parent": "V50" }, { "bom-ref": "V50.5.1", "identifier": "V50.5.1", - "text": "[MODIFIED, 
MOVED FROM 12.5.2, MERGED FROM 1.12.2, 14.4.2] Verify that security controls are in place to prevent browsers from rendering content or functionality in HTTP responses in an incorrect context (e.g., when an API, a user-uploaded file or other resource is requested directly). Possible controls could include: not serving the content unless HTTP request header fields, such as Sec-Fetch-\\*, indicate it is the correct context, Content-Security-Policy: sandbox, Content-Disposition: attachment, etc.", + "text": "[ADDED] Verify that JSONP functionality is not enabled anywhere across the application to avoid Cross-Site Script Inclusion (XSSI) attacks.", "parent": "V50.5" }, { "bom-ref": "V50.5.2", "identifier": "V50.5.2", - "text": "[ADDED, SPLIT FROM 5.3.3] Verify that JavaScript context-aware methods are used when handling untrusted data to avoid unintended content execution, such as executing content as HTML instead of displaying it as text.", + "text": "[ADDED] Verify that data requiring authorization is not included in script resource responses, like JavaScript files, to prevent Cross-Site Script Inclusion (XSSI) attacks.", "parent": "V50.5" }, { "bom-ref": "V50.6", "identifier": "V50.6", - "title": "External Resource Integrity", + "title": "Unintended Content Interpretation", "parent": "V50" }, { "bom-ref": "V50.6.1", "identifier": "V50.6.1", - "text": "[MODIFIED, MOVED FROM 14.2.3] Verify that if client-side assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset.", + "text": "[MODIFIED, MOVED FROM 12.5.2, MERGED FROM 1.12.2, 14.4.2] Verify that security controls are in place to prevent browsers from rendering content or functionality in HTTP responses in an incorrect context (e.g., when an API, a user-uploaded file or other resource is requested directly). 
Possible controls could include: not serving the content unless HTTP request header fields, such as Sec-Fetch-\\*, indicate it is the correct context, Content-Security-Policy: sandbox, Content-Disposition: attachment, etc.", + "parent": "V50.6" + }, + { + "bom-ref": "V50.6.2", + "identifier": "V50.6.2", + "text": "[ADDED, SPLIT FROM 5.3.3] Verify that functions (such as createTextNode, textContent) which safely render content as text, are used to apply untrusted content to an HTML page or the DOM. Properties or functions (such as innerHTML, document.write) that render content as HTML must not be used.", "parent": "V50.6" }, { "bom-ref": "V50.7", "identifier": "V50.7", - "title": "Other Browser Security Considerations", + "title": "External Resource Integrity", "parent": "V50" }, { "bom-ref": "V50.7.1", "identifier": "V50.7.1", - "text": "[ADDED, SPLIT FROM 5.1.5] Verify that the application shows a notification when the user is being redirected to a URL outside of the application's control, with an option to cancel the navigation.", + "text": "[MODIFIED, MOVED FROM 14.2.3] Verify that if client-side assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset.", "parent": "V50.7" }, { - "bom-ref": "V50.7.2", - "identifier": "V50.7.2", - "text": "[MODIFIED, MOVED FROM 1.14.6] Verify the application only uses client-side technologies which are still supported and considered secure. 
Examples of technologies which do not meet this requirement include NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.", - "parent": "V50.7" + "bom-ref": "V50.8", + "identifier": "V50.8", + "title": "Other Browser Security Considerations", + "parent": "V50" + }, + { + "bom-ref": "V50.8.1", + "identifier": "V50.8.1", + "text": "[ADDED, SPLIT FROM 5.1.5] Verify that the application shows a notification when the user is being redirected to a URL outside of the application's control, with an option to cancel the navigation.", + "parent": "V50.8" }, { - "bom-ref": "V50.7.3", - "identifier": "V50.7.3", + "bom-ref": "V50.8.2", + "identifier": "V50.8.2", + "text": "[MODIFIED, MOVED FROM 1.14.6] Verify that the application only uses client-side technologies which are still supported and considered secure. Examples of technologies which do not meet this requirement include NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.", + "parent": "V50.8" + }, + { + "bom-ref": "V50.8.3", + "identifier": "V50.8.3", "text": "[ADDED] Verify that the application behaves as documented (such as warning the user or blocking access) if the browser used to access the application does not support the expected security features.", - "parent": "V50.7" + "parent": "V50.8" + }, + { + "bom-ref": "V50.8.4", + "identifier": "V50.8.4", + "text": "[ADDED] Verify that the application's top-level domain (e.g., site.tld) is added to the public HSTS preload list so that the use of TLS for the application is built directly into the main browsers, rather than relying only on the relevant HTTP response header field.", + "parent": "V50.8" }, { "bom-ref": "V51", 
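Review bot: V50.2.1 spells the prefix as `'\\__Host-'`, which a JSON parser decodes to a literal backslash before `__Host-`, while V50.2.4 in the same hunk writes `'__Host-'`; the backslash looks like a Markdown escape that leaked into the data and should be dropped. The same leak survives as `Sec-Fetch-\\*` in V50.6.1 (the text moved from V50.5.1), which decodes to `Sec-Fetch-\*`. V50.2.2 uses `e. g.`, whereas this commit normalises `i. e.` to `i.e.` in V51.4.10, so `e.g.` would be consistent. V50.3.4 carries over `an suitable Referrer-Policy header` from V14.4.6; `Verify that a suitable Referrer-Policy header is included` is the fix.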
@@ -3515,163 +3551,163 @@ { "bom-ref": "V51.1.1", "identifier": "V51.1.1", - "text": "[ADDED] Verify that tokens (such as ID tokens, access tokens and refresh tokens) can only be used for their intended purpose. For example, ID tokens can only be used to prove user authentication for the client.", + "text": "[ADDED] Verify that tokens are only sent to components that strictly need them. For example, avoid having access or refresh tokens accessible for the frontend when they are only needed by the backend.", "parent": "V51.1" }, { "bom-ref": "V51.1.2", "identifier": "V51.1.2", - "text": "[ADDED] Verify that tokens are only sent to components that strictly need them. For example, avoid having access or refresh tokens accessible for the frontend when they are only needed by the backend.", - "parent": "V51.1" - }, - { - "bom-ref": "V51.1.3", - "identifier": "V51.1.3", "text": "[ADDED] Verify that the client only accepts values from the authorization server (such as the authorization code or ID token) if these values result from an authorization flow that was initiated by the same user agent session and transaction. This requires that client-generated secrets, such as the proof key for code exchange (PKCE) 'code_verifier', 'state' or OIDC 'nonce' are not guessable, are specific to the transaction, and are securely bound to both the client and the user agent session in which the transaction was started.", "parent": "V51.1" }, { "bom-ref": "V51.2", "identifier": "V51.2", - "title": "OAuth Authorization Server", + "title": "OAuth Client", "parent": "V51" }, { "bom-ref": "V51.2.1", "identifier": "V51.2.1", - "text": "[ADDED] Verify that, if the authorization server returns the authorization code, it can be used only once for a token request.", + "text": "[ADDED] Verify that, if the OAuth Client can interact with more than one authorization server, it has a defense against mix-up attacks. 
For example, it could require that the authorization server returns the 'iss' parameter value and validate it in the authorization response and the token response.", "parent": "V51.2" }, { "bom-ref": "V51.2.2", "identifier": "V51.2.2", - "text": "[ADDED] Verify that the authorization code is short-lived. The maximum lifetime can be 10 minutes for L1 and L2 applications and 1 minute for L3 applications.", + "text": "[ADDED] Verify that, if the code flow is used, the OAuth Client has protection against cross-site request forgery (CSRF) attacks which trigger token requests, either by using proof key for code exchange (PKCE) functionality or checking the 'state' parameter that was sent in the authorization request.", "parent": "V51.2" }, { "bom-ref": "V51.2.3", "identifier": "V51.2.3", - "text": "[ADDED] Verify that, if the code grant is used, the authorization server mitigates authorization code interception attacks by requiring proof key for code exchange (PKCE). For authorization requests, the authorization server must require a valid 'code_challenge' value and must not accept 'code_challenge_method' value 'plain'. For a token request, it must require validation of the 'code_verifier' parameter.", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.4", - "identifier": "V51.2.4", - "text": "[ADDED] Verify that the authorization server mitigates refresh token replay attacks for public clients, preferably using sender-constrained refresh tokens (i.e. Demonstrating Proof of Possession (DPoP) or Certificate-Bound Access Tokens (mTLS)). For L1 applications only, refresh token rotation may be used instead. 
If refresh token rotation is used, verify that the authorization server invalidates the refresh token after usage and revokes all refresh tokens for that authorization if an already used and invalidated refresh token is provided.", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.5", - "identifier": "V51.2.5", - "text": "[ADDED] Verify that for a given client, the authorization server only allows the usage of grants that this client needs to use. Note that the grants 'token' (Implicit flow) and 'password' (Resource Owner Password Credentials flow) should no longer be used.", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.6", - "identifier": "V51.2.6", - "text": "[ADDED] Verify that the authorization server validates redirect URIs based on a client-specific allowlist of pre-registered URIs using exact string comparison.", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.7", - "identifier": "V51.2.7", - "text": "[ADDED] Verify that confidential client is authenticated for client-to-authorized server backchannel requests such as token requests, pushed authorization requests (PAR), token revocation requests, and token introspection requests.", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.8", - "identifier": "V51.2.8", - "text": "[ADDED] Verify that the authorization server configuration only assigns the required scopes to the OAuth Client.", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.9", - "identifier": "V51.2.9", - "text": "[ADDED] Verify that grant type 'code' is always used together with pushed authorization requests (PAR).", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.10", - "identifier": "V51.2.10", - "text": "[ADDED] Verify that the client is confidential and the authorization server requires the use of strong client authentication methods (based on public-key cryptography and resistant to replay attacks), i. e. 
'mTLS' or 'private-key-jwt'.", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.11", - "identifier": "V51.2.11", - "text": "[ADDED] Verify that the authorization server issues only sender-constrained (Proof-of-Posession) access tokens, either using mTLS certificate binding or Demonstration of Proof of Possession (DPoP).", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.12", - "identifier": "V51.2.12", - "text": "[ADDED] Verify that for a given client, the authorization server only allows the 'response_mode' value that this client needs to use. For example by having the authorization server validate this value against the expected values or by using pushed authorization request (PAR) or JWT-secured authorization request (JAR).", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.13", - "identifier": "V51.2.13", - "text": "[ADDED] Verify that refresh tokens have an absolute expiration, including if sliding refresh token expiration is applied.", - "parent": "V51.2" - }, - { - "bom-ref": "V51.2.14", - "identifier": "V51.2.14", - "text": "[MODIFIED, MOVED FROM 3.5.1] Verify that refresh tokens and reference access tokens can be revoked by an authorized user. It can be achieved by using the authorization server user interface, or by a client that is using authorization server APIs for revocation.", + "text": "[ADDED] Verify that the OAuth Client only requests the required scopes (or other authorization parameters) in requests to the authorization server.", "parent": "V51.2" }, { "bom-ref": "V51.3", "identifier": "V51.3", - "title": "OAuth Client", + "title": "OAuth Resource Server", "parent": "V51" }, { "bom-ref": "V51.3.1", "identifier": "V51.3.1", - "text": "[ADDED] Verify that, if the OAuth Client can interact with more than one authorization server, it has a defense against mix-up attacks. 
For example, it could require that the authorization server returns the 'iss' parameter value and validate it in the authorization response and the token response.", + "text": "[ADDED] Verify that the resource server prevents the use of stolen access tokens or replay of access tokens (from unauthorized parties) by requiring sender-constrained access tokens, either Mutual TLS for OAuth 2 or OAuth 2 Demonstration of Proof of Possession (DPoP).", "parent": "V51.3" }, { "bom-ref": "V51.3.2", "identifier": "V51.3.2", - "text": "[ADDED] Verify that, if the code flow is used, the OAuth Client has protection against cross-site request forgery (CSRF) attacks which trigger token requests, either by using proof key for code exchange (PKCE) functionality or checking the 'state' parameter that was sent in the authorization request.", + "text": "[ADDED] Verify that the resource server only accepts access tokens that are intended for use with that service (audience). The audience may be included in a structured access token (such as the 'aud' claim in JWT) or it can be checked using the token introspection endpoint.", "parent": "V51.3" }, { "bom-ref": "V51.3.3", "identifier": "V51.3.3", - "text": "[ADDED] Verify that the OAuth Client only requests the required scopes (or other authorization parameters) in requests to the authorization server.", + "text": "[ADDED] Verify that the resource server enforces authorization decisions based on claims from the access token that define delegated authorization. If claims such as 'sub', 'scope', and 'authorization_details' are present, they should be part of the decision.", + "parent": "V51.3" + }, + { + "bom-ref": "V51.3.4", + "identifier": "V51.3.4", + "text": "[ADDED] Verify that if an access control decision requires identifying a unique user from an access token (JWT or related token introspection response), the resource server identifies the user from claims that can not be reassigned to other users. 
Typically it means using a combination of 'iss' and 'sub' claims.", "parent": "V51.3" }, { "bom-ref": "V51.4", "identifier": "V51.4", - "title": "OAuth Resource Server", + "title": "OAuth Authorization Server", "parent": "V51" }, { "bom-ref": "V51.4.1", "identifier": "V51.4.1", - "text": "[ADDED] Verify that the resource server prevents the use of stolen access tokens or replay of access tokens (from unauthorized parties) by requiring sender-constrained access tokens, either Mutual TLS for OAuth 2 or OAuth 2 Demonstration of Proof of Possession (DPoP).", + "text": "[ADDED] Verify that, if the authorization server returns the authorization code, it can be used only once for a token request.", "parent": "V51.4" }, { "bom-ref": "V51.4.2", "identifier": "V51.4.2", - "text": "[ADDED] Verify that the resource server validates that the access token is intended to be used on that resource server (audience), for example by checking the 'aud' claim from the access token to be an expected value.", + "text": "[ADDED] Verify that the authorization code is short-lived. The maximum lifetime can be 10 minutes for L1 and L2 applications and 1 minute for L3 applications.", "parent": "V51.4" }, { "bom-ref": "V51.4.3", "identifier": "V51.4.3", - "text": "[ADDED] Verify that access tokens are restricted to certain resources and actions on resource servers or resources. Every Resource Server is obliged to verify, for every request, whether the access token sent with that request was meant to be used for that particular action on the particular resource. If not, the resource server must refuse to serve the respective request.", + "text": "[ADDED] Verify that, if the code grant is used, the authorization server mitigates authorization code interception attacks by requiring proof key for code exchange (PKCE). For authorization requests, the authorization server must require a valid 'code_challenge' value and must not accept 'code_challenge_method' value 'plain'. 
For a token request, it must require validation of the 'code_verifier' parameter.", "parent": "V51.4" }, { "bom-ref": "V51.4.4", "identifier": "V51.4.4", - "text": "[ADDED] Verify that if an access control decision requires identifying a unique user from an access token (JWT or related token introspection response), the resource server identifies the user from claims that can not be reassigned to other users. Typically it means using a combination of 'iss' and 'sub' claims.", + "text": "[ADDED] Verify that the authorization server mitigates refresh token replay attacks for public clients, preferably using sender-constrained refresh tokens (i.e. Demonstrating Proof of Possession (DPoP) or Certificate-Bound Access Tokens (mTLS)). For L1 applications only, refresh token rotation may be used instead. If refresh token rotation is used, verify that the authorization server invalidates the refresh token after usage and revokes all refresh tokens for that authorization if an already used and invalidated refresh token is provided.", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.5", + "identifier": "V51.4.5", + "text": "[ADDED] Verify that for a given client, the authorization server only allows the usage of grants that this client needs to use. 
Note that the grants 'token' (Implicit flow) and 'password' (Resource Owner Password Credentials flow) must no longer be used.", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.6", + "identifier": "V51.4.6", + "text": "[ADDED] Verify that the authorization server validates redirect URIs based on a client-specific allowlist of pre-registered URIs using exact string comparison.", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.7", + "identifier": "V51.4.7", + "text": "[ADDED] Verify that confidential client is authenticated for client-to-authorized server backchannel requests such as token requests, pushed authorization requests (PAR), token revocation requests, and token introspection requests.", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.8", + "identifier": "V51.4.8", + "text": "[ADDED] Verify that the authorization server configuration only assigns the required scopes to the OAuth Client.", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.9", + "identifier": "V51.4.9", + "text": "[ADDED] Verify that grant type 'code' is always used together with pushed authorization requests (PAR).", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.10", + "identifier": "V51.4.10", + "text": "[ADDED] Verify that the client is confidential and the authorization server requires the use of strong client authentication methods (based on public-key cryptography and resistant to replay attacks), i.e. 'mTLS' or 'private-key-jwt'.", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.11", + "identifier": "V51.4.11", + "text": "[ADDED] Verify that the authorization server issues only sender-constrained (Proof-of-Possession) access tokens, either using mTLS certificate binding or Demonstration of Proof of Possession (DPoP).", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.12", + "identifier": "V51.4.12", + "text": "[ADDED] Verify that for a given client, the authorization server only allows the 'response_mode' value that this client needs to use. 
For example by having the authorization server validate this value against the expected values or by using pushed authorization request (PAR) or JWT-secured authorization request (JAR).", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.13", + "identifier": "V51.4.13", + "text": "[ADDED] Verify that refresh tokens have an absolute expiration, including if sliding refresh token expiration is applied.", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.14", + "identifier": "V51.4.14", + "text": "[MODIFIED, MOVED FROM 3.5.1] Verify that refresh tokens and reference access tokens can be revoked by an authorized user. It can be achieved by using the authorization server user interface, or by a client that is using authorization server APIs for revocation.", + "parent": "V51.4" + }, + { + "bom-ref": "V51.4.15", + "identifier": "V51.4.15", + "text": "[ADDED] Verify that, for a server-side client (which is not executed on the end-user device), the authorization server ensures that the 'authorization_details' parameter value is from the client backend and that the user has not tampered with it. For example by requiring the usage of pushed authorization request (PAR) or JWT-secured authorization request (JAR).", "parent": "V51.4" }, { 
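Review bot: V51.4.7 still carries `client-to-authorized server backchannel requests` and `Verify that confidential client is authenticated` from the old V51.2.7; the endpoint being described is the authorization server, so the line should read `Verify that a confidential client is authenticated for client-to-authorization server backchannel requests such as token requests, pushed authorization requests (PAR), token revocation requests, and token introspection requests.`. V51.3.4 uses `can not be reassigned`, where `cannot be reassigned` is the conventional spelling; minor, but it is text on the new side of the renumbering and easy to fix while the block is being touched.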
@@ -3699,16 +3735,99 @@ "parent": "V51.5" }, { - "bom-ref": "V51.5", - "identifier": "V51.5", - "title": "OIDC OpenID Provider", + "bom-ref": "V51.5.4", + "identifier": "V51.5.4", + "text": "[ADDED] Verify that the client validates that the ID token is intended to be used for that client (audience) by checking that the 'aud' claim from the token is equal to the 'client_id' value for the client.", + "parent": "V51.5" + }, + { + "bom-ref": "V51.6", + "identifier": "V51.6", + "title": "OpenID Provider", "parent": "V51" }, { "bom-ref": "V51.6.1", "identifier": "V51.6.1", - "text": "[ADDED] Verify that the OpenID Provider only allows values 'code', 'ciba', 'id-token', or 'id-token code' for response mode. Note that 'code' is preferred over 'id-token code' (the OIDC Hybrid flow), and 'token' (any Implicit flow) should not be used.", - "parent": "V51.5" + "text": "[ADDED] Verify that the OpenID Provider only allows values 'code', 'ciba', 'id-token', or 'id-token code' for response mode. Note that 'code' is preferred over 'id-token code' (the OIDC Hybrid flow), and 'token' (any Implicit flow) must not be used.", + "parent": "V51.6" + }, + { + "bom-ref": "V51.7", + "identifier": "V51.7", + "title": "Consent Management", + "parent": "V51" + }, + { + "bom-ref": "V51.7.1", + "identifier": "V51.7.1", + "text": "[ADDED] Verify that the authorization server ensures that the user consents to each authorization request. If the identity of the client cannot be assured, the authorization server must always explicitly prompt the user for consent.", + "parent": "V51.7" + }, + { + "bom-ref": "V51.7.2", + "identifier": "V51.7.2", + "text": "[ADDED] Verify that when the authorization server prompts for user consent, it presents sufficient and clear information about what is being consented to. 
When applicable this should include the nature of the requested authorizations (typically based on scope, resource server, rich authorization requests (RAR) authorization details), the identity of the authorized application and the lifetime of these authorizations.", + "parent": "V51.7" + }, + { + "bom-ref": "V51.7.3", + "identifier": "V51.7.3", + "text": "[ADDED] Verify that the user can review, modify and revoke consents which the user has granted through the authorization server.", + "parent": "V51.7" + }, + { + "bom-ref": "V52", + "identifier": "V52", + "title": "Self-contained Tokens" + }, + { + "bom-ref": "V52.1", + "identifier": "V52.1", + "title": "Token source and integrity", + "parent": "V52" + }, + { + "bom-ref": "V52.1.1", + "identifier": "V52.1.1", + "text": "[MODIFIED, MOVED FROM 3.5.3, LEVEL L2 > L1] Verify that self-contained tokens are validated using their digital signature or MAC to protect against tampering before accepting the token's contents.", + "parent": "V52.1" + }, + { + "bom-ref": "V52.1.2", + "identifier": "V52.1.2", + "text": "[ADDED] Verify that only algorithms on an allowlist can be used to create and verify self-contained tokens, for a given context. The allowlist should include the permitted algorithms, ideally only either symmetric or asymmetric algorithms, and should not include the 'None' algorithm. If both symmetric and asymmetric are needed, additional controls should prevent key confusion.", + "parent": "V52.1" + }, + { + "bom-ref": "V52.1.3", + "identifier": "V52.1.3", + "text": "[ADDED] Verify that key material that is used to validate self-contained tokens is from trusted pre-configured sources for the token issuer, preventing attackers from specifying untrusted sources and keys. 
For JWTs and other JWS structures, headers such as 'jku', 'x5u', and 'jwk' must be validated against an allowlist of trusted sources.", + "parent": "V52.1" + }, + { + "bom-ref": "V52.2", + "identifier": "V52.2", + "title": "Using token content", + "parent": "V52" + }, + { + "bom-ref": "V52.2.1", + "identifier": "V52.2.1", + "text": "[ADDED] Verify that, if a validity time span is present in the token data, the token and its content are accepted only if the verification time is within this validity time span. For example, for JWTs the claims 'nbf' and 'exp' must be verified.", + "parent": "V52.2" + }, + { + "bom-ref": "V52.2.2", + "identifier": "V52.2.2", + "text": "[ADDED] Verify that the service receiving a token validates the token to be the correct type and is meant for the intended purpose before accepting the token's contents. For example, only access tokens can be accepted for authorization decisions and only ID tokens can be used for proving user authentication.", + "parent": "V52.2" + }, + { + "bom-ref": "V52.2.3", + "identifier": "V52.2.3", + "text": "[ADDED] Verify that the service only accepts tokens which are intended for use with that service (audience). For JWTs, this can be achieved by validating the 'aud' claim against an allowlist defined in the service.", + "parent": "V52.2" }, { "bom-ref": "V53", @@ -3828,7 +3947,6 @@ "V2.3.1", "V2.3.4", "V2.5.2", - "V2.5.4", "V2.5.6", "V2.5.7", "V2.7.1", @@ -3842,18 +3960,9 @@ "V3.1.2", "V3.1.3", "V3.1.4", - "V3.2.1", + "V3.1.5", "V3.3.2", "V3.3.5", - "V3.4.1", - "V3.4.2", - "V3.4.3", - "V3.4.4", - "V3.5.3", - "V3.5.4", - "V3.5.5", - "V3.5.6", - "V3.5.7", "V3.7.1", "V3.8.1", "V3.8.2", @@ -3939,6 +4048,7 @@ "V13.7.2", "V13.7.3", "V14.1.6", + "V14.1.10", "V14.3.2", "V14.3.3", "V14.3.4", 
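Review bot: V51.5.4 requires the `aud` claim to be `equal to` the client_id, but an ID token's `aud` may be an array carrying additional audiences, so an implementer doing exact equality would reject valid tokens; `by checking that the 'aud' claim from the token contains the 'client_id' value for the client and lists no audiences the client does not trust` states the check that is actually needed. V52.1.2 refers to the `'None'` algorithm; the registered JWA identifier is lowercase `none`, and since the requirement is about an allowlist matched against that identifier, quoting it as `'none'` avoids an exact-match implementation missing it. The new section titles `Token source and integrity` and `Using token content` are in sentence case while the other titles in this diff use title case (`Secret Management`, `Consent Management`, `OpenID Provider`); `Token Source and Integrity` and `Using Token Content` would match.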
@@ -3946,41 +4056,46 @@
 "V14.3.6",
 "V14.6.1",
 "V50.1.1",
- "V50.2.2",
- "V50.2.3",
- "V50.2.4",
- "V50.2.5",
- "V50.2.6",
- "V50.3.1",
+ "V50.2.1",
+ "V50.3.2",
 "V50.3.3",
+ "V50.3.4",
+ "V50.3.5",
+ "V50.3.6",
 "V50.4.1",
- "V50.4.2",
+ "V50.4.3",
 "V50.5.1",
 "V50.5.2",
 "V50.6.1",
+ "V50.6.2",
+ "V50.7.1",
 "V51.1.1",
 "V51.1.2",
- "V51.1.3",
 "V51.2.1",
 "V51.2.2",
 "V51.2.3",
- "V51.2.4",
- "V51.2.5",
- "V51.2.6",
- "V51.2.7",
- "V51.2.8",
- "V51.2.12",
- "V51.2.13",
- "V51.3.1",
 "V51.3.2",
 "V51.3.3",
+ "V51.3.4",
+ "V51.4.1",
 "V51.4.2",
 "V51.4.3",
 "V51.4.4",
+ "V51.4.6",
+ "V51.4.7",
+ "V51.4.8",
+ "V51.4.12",
+ "V51.4.13",
 "V51.5.1",
 "V51.5.2",
 "V51.5.3",
- "V51.6.1",
+ "V51.5.4",
+ "V52.1.1",
+ "V52.1.2",
+ "V52.1.3",
+ "V52.2.1",
+ "V52.2.2",
+ "V52.2.3",
 "V53.1.1",
 "V53.2.1",
 "V53.2.2",
@@ -4016,9 +4131,7 @@
 "V2.3.1",
 "V2.3.3",
 "V2.3.4",
- "V2.4.6",
 "V2.5.2",
- "V2.5.4",
 "V2.5.6",
 "V2.5.7",
 "V2.6.1",
@@ -4044,18 +4157,9 @@
 "V3.1.2",
 "V3.1.3",
 "V3.1.4",
- "V3.2.1",
+ "V3.1.5",
 "V3.3.2",
 "V3.3.5",
- "V3.4.1",
- "V3.4.2",
- "V3.4.3",
- "V3.4.4",
- "V3.5.3",
- "V3.5.4",
- "V3.5.5",
- "V3.5.6",
- "V3.5.7",
 "V3.6.3",
 "V3.7.1",
 "V3.7.2",
@@ -4080,7 +4184,6 @@
 "V5.1.5",
 "V5.1.6",
 "V5.1.7",
- "V5.1.8",
 "V5.2.1",
 "V5.2.2",
 "V5.2.3",
@@ -4113,28 +4216,19 @@
 "V5.6.2",
 "V5.6.3",
 "V1.6.1",
- "V1.6.2",
 "V1.6.4",
- "V1.6.5",
- "V1.6.7",
 "V6.2.1",
 "V6.2.2",
 "V6.2.4",
 "V6.2.9",
 "V6.3.1",
- "V6.3.2",
 "V6.3.3",
- "V6.4.1",
- "V6.4.2",
- "V6.4.3",
- "V6.4.4",
 "V6.5.1",
 "V6.5.2",
 "V6.6.1",
 "V6.6.2",
 "V6.6.3",
 "V6.6.4",
- "V6.6.5",
 "V6.7.1",
 "V6.8.2",
 "V6.9.1",
@@ -4210,6 +4304,7 @@
 "V12.5.4",
 "V12.7.1",
 "V13.1.7",
+ "V13.1.8",
 "V13.2.5",
 "V13.4.1",
 "V13.4.2",
@@ -4230,6 +4325,7 @@
 "V14.1.6",
 "V14.1.7",
 "V14.1.9",
+ "V14.1.10",
 "V14.3.2",
 "V14.3.3",
 "V14.3.4",
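Review bot: In the `@@ -3946,41 +4056,46 @@` hunk, `- "V51.6.1"` and `- "V51.3.1"` drop two requirements from this level list while both IDs survive unchanged as context lines in the later level lists (`"V51.6.1",` in the `@@ -4240` hunk and `"V51.3.1",` in the `@@ -4592` hunk), so this reads as a level demotion rather than a renumbering. V52.1.1 records its move in its text as `[MODIFIED, MOVED FROM 3.5.3, LEVEL L2 > L1]`; the V51.6.1 and V51.3.1 text entries should carry the matching `LEVEL L1 > L2` / `LEVEL L1 > L3` annotation, or, if they were renumbered instead, the replacement IDs should be added to this list. Those two text entries are not in this chunk, so this is inferred from the level lists alone.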
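Review bot: In the `@@ -4016,9 +4131,7 @@` hunk, `- "V2.4.6"` removes a requirement from this level list with nothing added in its place, here or in the neighbouring hunks of the same list, whereas the adjacent `- "V2.5.4"` is matched by `+ "V14.1.10"` in the `@@ -4230,6 +4325,7 @@` hunk. The same unmatched removal appears in the `@@ -4325,9 +4439,7 @@` list. If V2.4.6 was merged into an existing requirement rather than deleted outright, that target should already be present in every level list V2.4.6 is dropped from; worth confirming so the control it carried does not silently fall out of the verification levels. The requirement's own text entry is outside this chunk.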
@@ -4240,46 +4336,64 @@
 "V14.7.1",
 "V14.7.2",
 "V14.7.3",
+ "V14.8.1",
+ "V14.8.2",
+ "V14.8.3",
+ "V14.8.4",
 "V50.1.1",
 "V50.2.1",
 "V50.2.2",
 "V50.2.3",
 "V50.2.4",
 "V50.2.5",
- "V50.2.6",
 "V50.3.1",
 "V50.3.2",
 "V50.3.3",
+ "V50.3.4",
+ "V50.3.5",
+ "V50.3.6",
 "V50.4.1",
 "V50.4.2",
+ "V50.4.3",
 "V50.5.1",
 "V50.5.2",
 "V50.6.1",
- "V50.7.2",
+ "V50.6.2",
+ "V50.7.1",
+ "V50.8.2",
 "V51.1.1",
 "V51.1.2",
- "V51.1.3",
 "V51.2.1",
 "V51.2.2",
 "V51.2.3",
- "V51.2.4",
- "V51.2.5",
- "V51.2.6",
- "V51.2.7",
- "V51.2.8",
- "V51.2.12",
- "V51.2.13",
- "V51.2.14",
- "V51.3.1",
 "V51.3.2",
 "V51.3.3",
+ "V51.3.4",
+ "V51.4.1",
 "V51.4.2",
 "V51.4.3",
 "V51.4.4",
+ "V51.4.5",
+ "V51.4.6",
+ "V51.4.7",
+ "V51.4.8",
+ "V51.4.12",
+ "V51.4.13",
+ "V51.4.14",
 "V51.5.1",
 "V51.5.2",
 "V51.5.3",
+ "V51.5.4",
 "V51.6.1",
+ "V51.7.1",
+ "V51.7.2",
+ "V51.7.3",
+ "V52.1.1",
+ "V52.1.2",
+ "V52.1.3",
+ "V52.2.1",
+ "V52.2.2",
+ "V52.2.3",
 "V53.1.1",
 "V53.1.2",
 "V53.2.1",
@@ -4325,9 +4439,7 @@
 "V2.3.1",
 "V2.3.3",
 "V2.3.4",
- "V2.4.6",
 "V2.5.2",
- "V2.5.4",
 "V2.5.6",
 "V2.5.7",
 "V2.6.1",
@@ -4360,18 +4472,9 @@
 "V3.1.2",
 "V3.1.3",
 "V3.1.4",
- "V3.2.1",
+ "V3.1.5",
 "V3.3.2",
 "V3.3.5",
- "V3.4.1",
- "V3.4.2",
- "V3.4.3",
- "V3.4.4",
- "V3.5.3",
- "V3.5.4",
- "V3.5.5",
- "V3.5.6",
- "V3.5.7",
 "V3.6.1",
 "V3.6.3",
 "V3.7.1",
@@ -4400,7 +4503,6 @@
 "V5.1.5",
 "V5.1.6",
 "V5.1.7",
- "V5.1.8",
 "V5.2.1",
 "V5.2.2",
 "V5.2.3",
@@ -4433,22 +4535,15 @@
 "V5.6.2",
 "V5.6.3",
 "V1.6.1",
- "V1.6.2",
 "V1.6.4",
 "V1.6.5",
- "V1.6.7",
 "V6.2.1",
 "V6.2.2",
 "V6.2.4",
 "V6.2.8",
 "V6.2.9",
 "V6.3.1",
- "V6.3.2",
 "V6.3.3",
- "V6.4.1",
- "V6.4.2",
- "V6.4.3",
- "V6.4.4",
 "V6.5.1",
 "V6.5.2",
 "V6.5.3",
@@ -4458,7 +4553,6 @@
 "V6.6.2",
 "V6.6.3",
 "V6.6.4",
- "V6.6.5",
 "V6.7.1",
 "V6.8.1",
 "V6.8.2",
@@ -4509,6 +4603,8 @@
 "V9.4.1",
 "V9.4.2",
 "V9.4.3",
+ "V9.4.4",
+ "V9.4.5",
 "V1.10.2",
 "V1.10.3",
 "V1.10.4",
@@ -4551,6 +4647,7 @@
 "V12.7.1",
 "V13.1.6",
 "V13.1.7",
+ "V13.1.8",
 "V13.2.2",
 "V13.2.5",
 "V13.4.1",
@@ -4575,6 +4672,7 @@
 "V14.1.7",
 "V14.1.8",
 "V14.1.9",
+ "V14.1.10",
 "V14.3.2",
 "V14.3.3",
 "V14.3.4",
@@ -4585,6 +4683,10 @@
 "V14.7.1",
 "V14.7.2",
 "V14.7.3",
+ "V14.8.1",
+ "V14.8.2",
+ "V14.8.3",
+ "V14.8.4",
 "V1.50.1",
 "V50.1.1",
 "V50.2.1",
@@ -4592,48 +4694,63 @@
 "V50.2.3",
 "V50.2.4",
 "V50.2.5",
- "V50.2.6",
- "V50.2.7",
- "V50.2.8",
 "V50.3.1",
 "V50.3.2",
 "V50.3.3",
+ "V50.3.4",
+ "V50.3.5",
+ "V50.3.6",
+ "V50.3.7",
 "V50.4.1",
 "V50.4.2",
+ "V50.4.3",
 "V50.5.1",
 "V50.5.2",
 "V50.6.1",
+ "V50.6.2",
 "V50.7.1",
- "V50.7.2",
- "V50.7.3",
+ "V50.8.1",
+ "V50.8.2",
+ "V50.8.3",
+ "V50.8.4",
 "V51.1.1",
 "V51.1.2",
- "V51.1.3",
 "V51.2.1",
 "V51.2.2",
 "V51.2.3",
- "V51.2.4",
- "V51.2.5",
- "V51.2.6",
- "V51.2.7",
- "V51.2.8",
- "V51.2.9",
- "V51.2.10",
- "V51.2.11",
- "V51.2.12",
- "V51.2.13",
- "V51.2.14",
 "V51.3.1",
 "V51.3.2",
 "V51.3.3",
+ "V51.3.4",
 "V51.4.1",
 "V51.4.2",
 "V51.4.3",
 "V51.4.4",
+ "V51.4.5",
+ "V51.4.6",
+ "V51.4.7",
+ "V51.4.8",
+ "V51.4.9",
+ "V51.4.10",
+ "V51.4.11",
+ "V51.4.12",
+ "V51.4.13",
+ "V51.4.14",
+ "V51.4.15",
 "V51.5.1",
 "V51.5.2",
 "V51.5.3",
+ "V51.5.4",
 "V51.6.1",
+ "V51.7.1",
+ "V51.7.2",
+ "V51.7.3",
+ "V52.1.1",
+ "V52.1.2",
+ "V52.1.3",
+ "V52.2.1",
+ "V52.2.2",
+ "V52.2.3",
 "V53.1.1",
 "V53.1.2",
 "V53.2.1",