@cyclonedx/cdxgen

Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

1,166 lines (1,165 loc) 203 kB
{
  "metadata": {
    "licenses": [
      { "license": { "id": "CC-BY-SA-4.0", "url": "https://creativecommons.org/licenses/by-sa/4.0/legalcode.txt" } }
    ]
  },
  "definitions": {
    "standards": [
      {
        "bom-ref": "ASVS-5.0",
        "name": "Application Security Verification Standard (ASVS)",
        "version": "5.0",
        "description": "The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, tool vendors, and consumers to define, build, test and verify secure applications.",
        "owner": "Application Security Verification Standard Project",
        "requirements": [
          { "bom-ref": "V1", "identifier": "V1", "title": "Security Decision Documentation" },
          { "bom-ref": "V1.1", "identifier": "V1.1", "title": "Secure Software Development Lifecycle", "parent": "V1" },
          { "bom-ref": "V1.1.1", "identifier": "V1.1.1", "text": "[DELETED, NOT IN SCOPE]", "parent": "V1.1" },
          { "bom-ref": "V1.1.2", "identifier": "V1.1.2", "text": "[DELETED, NOT IN SCOPE]", "parent": "V1.1" },
          { "bom-ref": "V1.1.3", "identifier": "V1.1.3", "text": "[DELETED, NOT IN SCOPE]", "parent": "V1.1" },
          { "bom-ref": "V1.1.4", "identifier": "V1.1.4", "text": "[DELETED, NOT IN SCOPE]", "parent": "V1.1" },
          { "bom-ref": "V1.1.5", "identifier": "V1.1.5", "text": "[MOVED TO 1.14.7]", "parent": "V1.1" },
          { "bom-ref": "V1.1.6", "identifier": "V1.1.6", "text": "[DELETED, INSUFFICIENT IMPACT]", "parent": "V1.1" },
          { "bom-ref": "V1.1.7", "identifier": "V1.1.7", "text": "[DELETED, NOT IN SCOPE]", "parent": "V1.1" },
          { "bom-ref": "V2", "identifier": "V2", "title": "Authentication" },
          { "bom-ref": "V1.2", "identifier": "V1.2", "title": "Authentication Documentation", "parent": "V2" },
          { "bom-ref": "V1.2.1", "identifier": "V1.2.1", "text": "[MOVED TO 14.6.2]", "parent": "V1.2" },
          { "bom-ref": "V1.2.2", "identifier": "V1.2.2", "text": "[DELETED, MERGED TO 14.7.1]", "parent": "V1.2" },
          { "bom-ref": "V1.2.3", "identifier": "V1.2.3", "text": "[DELETED, DUPLICATE OF 1.2.4]", "parent": "V1.2" },
          { "bom-ref": "V1.2.4", "identifier": "V1.2.4", "text": "[MODIFIED, SPLIT TO 2.2.11] Verify that, if the application includes multiple authentication pathways, these are all documented together with the security controls and authentication strength which should be consistently enforced across them.", "parent": "V1.2" },
          { "bom-ref": "V1.2.5", "identifier": "V1.2.5", "text": "[ADDED] Verify that a list of context specific words are documented in order to prevent their use in passwords.", "parent": "V1.2" },
          { "bom-ref": "V1.2.6", "identifier": "V1.2.6", "text": "[ADDED, SPLIT FROM 2.2.1] Verify that application documentation defines how controls such as rate limiting, anti-automation, and adaptive response, are used to defend against attacks such as credential stuffing and password brute force. The documentation should make clear how these controls are configured and prevent malicious account lockout.", "parent": "V1.2" },
          { "bom-ref": "V2.1", "identifier": "V2.1", "title": "Password Security", "parent": "V2" },
          { "bom-ref": "V2.1.1", "identifier": "V2.1.1", "text": "[MODIFIED] Verify that user set passwords are at least 8 characters in length although a minimum of 15 characters is strongly recommended.", "parent": "V2.1" },
          { "bom-ref": "V2.1.2", "identifier": "V2.1.2", "text": "[MODIFIED] Verify that passwords of at least 64 characters are permitted.", "parent": "V2.1" },
          { "bom-ref": "V2.1.3", "identifier": "V2.1.3", "text": "[MODIFIED] Verify that the application verifies the user's password exactly as received from the user, without any modifications such as truncation or case transformation.", "parent": "V2.1" },
          { "bom-ref": "V2.1.4", "identifier": "V2.1.4", "text": "[DELETED, INSUFFICIENT IMPACT]", "parent": "V2.1" },
          { "bom-ref": "V2.1.5", "identifier": "V2.1.5", "text": "[GRAMMAR] Verify that users can change their password.", "parent": "V2.1" },
          { "bom-ref": "V2.1.6", "identifier": "V2.1.6", "text": "Verify that password change functionality requires the user's current and new password.", "parent": "V2.1" },
          { "bom-ref": "V2.1.7", "identifier": "V2.1.7", "text": "[MODIFIED, SPLIT TO 2.1.13] Verify that passwords submitted during account registration or password change are checked against an available set of, at least, the top 3000 passwords.", "parent": "V2.1" },
          { "bom-ref": "V2.1.8", "identifier": "V2.1.8", "text": "[DELETED, INSUFFICIENT IMPACT]", "parent": "V2.1" },
          { "bom-ref": "V2.1.9", "identifier": "V2.1.9", "text": "Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters.", "parent": "V2.1" },
          { "bom-ref": "V2.1.10", "identifier": "V2.1.10", "text": "[MODIFIED, LEVEL L1 > L2] Verify that a user's password stays valid until it is discovered to be compromised or the user rotates it. The application must not require periodic credential rotation.", "parent": "V2.1" },
          { "bom-ref": "V2.1.11", "identifier": "V2.1.11", "text": "Verify that \"paste\" functionality, browser password helpers, and external password managers are permitted.", "parent": "V2.1" },
          { "bom-ref": "V2.1.12", "identifier": "V2.1.12", "text": "[MODIFIED] Verify that password input fields use type=password to mask the entry. Applications may allow the user to temporarily view the entire masked password, or the last typed character of the password.", "parent": "V2.1" },
          { "bom-ref": "V2.1.13", "identifier": "V2.1.13", "text": "[ADDED, SPLIT FROM 2.1.7, LEVEL L1 > L3] Verify that passwords submitted during account registration or password changes are checked against a set of breached passwords.", "parent": "V2.1" },
          { "bom-ref": "V2.1.14", "identifier": "V2.1.14", "text": "[ADDED] Verify that the documented list of context specific words is used to prevent easy to guess passwords being created.", "parent": "V2.1" },
          { "bom-ref": "V2.2", "identifier": "V2.2", "title": "General Authentication Security", "parent": "V2" },
          { "bom-ref": "V2.2.1", "identifier": "V2.2.1", "text": "[MODIFIED, SPLIT TO 1.2.6] Verify that controls to prevent attacks such as credential stuffing and password brute force are implemented according to the application's security documentation.", "parent": "V2.2" },
          { "bom-ref": "V2.2.2", "identifier": "V2.2.2", "text": "[MODIFIED] Verify that email is not used as either a single-factor or multi-factor authentication mechanism.", "parent": "V2.2" },
          { "bom-ref": "V2.2.3", "identifier": "V2.2.3", "text": "[MODIFIED, SPLIT TO 2.2.10] Verify that users are notified after updates to authentication details, such as credential resets or modification of the username or email address.", "parent": "V2.2" },
          { "bom-ref": "V2.2.4", "identifier": "V2.2.4", "text": "[MODIFIED, SPLIT TO 2.2.9, MERGED FROM 2.2.7, 2.3.2] Verify that a hardware-based authentication mechanism is supported that provides impersonation resistance against phishing attacks (such as WebAuthn) and verifies intent to authenticate by requiring a user-initiated action (such as a button press on a FIDO hardware key).", "parent": "V2.2" },
          { "bom-ref": "V2.2.5", "identifier": "V2.2.5", "text": "[MOVED TO 9.3.3]", "parent": "V2.2" },
          { "bom-ref": "V2.2.6", "identifier": "V2.2.6", "text": "[DELETED, DUPLICATE OF 2.7.3, 2.8.4]", "parent": "V2.2" },
          { "bom-ref": "V2.2.7", "identifier": "V2.2.7", "text": "[DELETED, MERGED TO 2.2.4]", "parent": "V2.2" },
          { "bom-ref": "V2.2.8", "identifier": "V2.2.8", "text": "[ADDED] Verify that valid users cannot be deduced from failed authentication challenges, such as by basing on error messages, HTTP response codes, or different response times. Registration and forgot password functionality should also have this protection.", "parent": "V2.2" },
          { "bom-ref": "V2.2.9", "identifier": "V2.2.9", "text": "[ADDED, SPLIT FROM 2.2.4] Verify that the application requires users to either use a multi-factor authentication mechanism or a requires a combination of single-factor authentication mechanisms.", "parent": "V2.2" },
          { "bom-ref": "V2.2.10", "identifier": "V2.2.10", "text": "[ADDED, SPLIT FROM 2.2.3] Verify that users are notified of suspicious authentication attempts. This may include successful or unsuccessful authentication from an unusual location or client, partially successful authentication with only one of multiple factors, successful or unsuccessful authentication after a long period of inactivity or successful authentication after several unsuccessful attempts.", "parent": "V2.2" },
          { "bom-ref": "V2.2.11", "identifier": "V2.2.11", "text": "[ADDED, SPLIT FROM 1.2.4] Verify that, if the application includes multiple authentication pathways, there are no undocumented pathways and that security controls and authentication strength are enforced consistently.", "parent": "V2.2" },
          { "bom-ref": "V2.3", "identifier": "V2.3", "title": "Authentication Factor Lifecycle", "parent": "V2" },
          { "bom-ref": "V2.3.1", "identifier": "V2.3.1", "text": "[MODIFIED] Verify that system generated initial passwords or activation codes are securely randomly generated, follow the existing password policy, and expire after a short period of time or after they are initially used. These initial secrets must not be permitted to become the long term password.", "parent": "V2.3" },
          { "bom-ref": "V2.3.2", "identifier": "V2.3.2", "text": "[DELETED, MERGED TO 2.2.4]", "parent": "V2.3" },
          { "bom-ref": "V2.3.3", "identifier": "V2.3.3", "text": "[MODIFIED] Verify that renewal instructions for authentication mechanisms which expire are sent with enough time to be carried out before the old authentication mechanism expires, configuring automated reminders if necessary.", "parent": "V2.3" },
          { "bom-ref": "V2.3.4", "identifier": "V2.3.4", "text": "[ADDED] Verify that administrative users can initiate the password reset process for the user, but that this does not allow them to change or choose the user's password. This prevents a situation where they know the user's password.", "parent": "V2.3" },
          { "bom-ref": "V2.4", "identifier": "V2.4", "title": "Credential Storage", "parent": "V2" },
          { "bom-ref": "V2.4.1", "identifier": "V2.4.1", "text": "[MOVED TO 6.6.2]", "parent": "V2.4" },
          { "bom-ref": "V2.4.2", "identifier": "V2.4.2", "text": "[DELETED, INCORRECT]", "parent": "V2.4" },
          { "bom-ref": "V2.4.3", "identifier": "V2.4.3", "text": "[DELETED, MERGED TO 6.6.2]", "parent": "V2.4" },
          { "bom-ref": "V2.4.4", "identifier": "V2.4.4", "text": "[DELETED, MERGED TO 6.6.2]", "parent": "V2.4" },
          { "bom-ref": "V2.4.5", "identifier": "V2.4.5", "text": "[DELETED, INCORRECT]", "parent": "V2.4" },
          { "bom-ref": "V2.5", "identifier": "V2.5", "title": "Credential Recovery", "parent": "V2" },
          { "bom-ref": "V2.5.1", "identifier": "V2.5.1", "text": "[DELETED, INCORRECT]", "parent": "V2.5" },
          { "bom-ref": "V2.5.2", "identifier": "V2.5.2", "text": "[GRAMMAR] Verify that password hints or knowledge-based authentication (so-called \"secret questions\") are not present.", "parent": "V2.5" },
          { "bom-ref": "V2.5.3", "identifier": "V2.5.3", "text": "[DELETED, DUPLICATE OF 2.4.1]", "parent": "V2.5" },
          { "bom-ref": "V2.5.4", "identifier": "V2.5.4", "text": "[MOVED TO 14.1.10]", "parent": "V2.5" },
          { "bom-ref": "V2.5.5", "identifier": "V2.5.5", "text": "[DELETED, DUPLICATE OF 2.2.3]", "parent": "V2.5" },
          { "bom-ref": "V2.5.6", "identifier": "V2.5.6", "text": "[MODIFIED] Verify that a secure process for resetting a forgotten password is implemented, that does not bypass any enabled multi-factor authentication mechanisms.", "parent": "V2.5" },
          { "bom-ref": "V2.5.7", "identifier": "V2.5.7", "text": "[GRAMMAR, LEVEL L2 > L1] Verify that if OTP or other multi-factor authentication factors are lost, that evidence of identity proofing is performed at the same level as during enrollment.", "parent": "V2.5" },
          { "bom-ref": "V2.6", "identifier": "V2.6", "title": "Lookup Secrets", "parent": "V2" },
          { "bom-ref": "V2.6.1", "identifier": "V2.6.1", "text": "Verify that lookup secrets can be used only once.", "parent": "V2.6" },
          { "bom-ref": "V2.6.2", "identifier": "V2.6.2", "text": "[MODIFIED, SPLIT TO 2.6.4] Verify that, when being stored in the application's back-end, lookup secrets with less than 112 bits of entropy (19 random alphanumeric characters or 34 random digits) are hashed with an approved password storage hashing algorithm that incorporates a 32-bit random salt. A standard hash function can be used if the secret has 112 bits of entropy or more.", "parent": "V2.6" },
          { "bom-ref": "V2.6.3", "identifier": "V2.6.3", "text": "[MODIFIED] Verify that lookup secrets are generated using a Cryptographically Secure Pseudorandom Number Generator (CSPRNG) to avoid predictable values.", "parent": "V2.6" },
          { "bom-ref": "V2.6.4", "identifier": "V2.6.4", "text": "[ADDED, SPLIT FROM 2.6.2] Verify that lookup secrets have a minimum of 20 bits of entropy (typically 4 random alphanumeric characters or 6 random digits is sufficient).", "parent": "V2.6" },
          { "bom-ref": "V2.7", "identifier": "V2.7", "title": "Out-of-Band authentication mechanisms", "parent": "V2" },
          { "bom-ref": "V2.7.1", "identifier": "V2.7.1", "text": "[MODIFIED] Verify that authentication mechanisms using the Public Switched Telephone Network (PSTN) to deliver One-time Passwords (OTPs) via phone or SMS are offered only when alternate stronger methods (such as push notifications) are also offered and when the service provides information on their security risks to users.", "parent": "V2.7" },
          { "bom-ref": "V2.7.2", "identifier": "V2.7.2", "text": "[MODIFIED] Verify that out-of-band authentication requests, codes, or tokens expire within 10 minutes.", "parent": "V2.7" },
          { "bom-ref": "V2.7.3", "identifier": "V2.7.3", "text": "[GRAMMAR] Verify that out-of-band authentication requests, codes, or tokens are only usable once, and only for the original authentication request.", "parent": "V2.7" },
          { "bom-ref": "V2.7.4", "identifier": "V2.7.4", "text": "[GRAMMAR] Verify that the secondary communications channel being used is secure and independent of the primary channel.", "parent": "V2.7" },
          { "bom-ref": "V2.7.5", "identifier": "V2.7.5", "text": "[DELETED, INSUFFICIENT IMPACT]", "parent": "V2.7" },
          { "bom-ref": "V2.7.6", "identifier": "V2.7.6", "text": "[MODIFIED] Verify that codes used in out-of-band authentication are generated using a cryptographically secure random number generator (CSPRNG) and contain at least 20 bits of entropy (typically 4 random alphanumeric characters or 6 random digits is sufficient).", "parent": "V2.7" },
          { "bom-ref": "V2.7.7", "identifier": "V2.7.7", "text": "[ADDED] Verify that a code based out-of-band authentication mechanism is protected against brute force attacks by using either rate limiting or a code with at least 64 bits of entropy.", "parent": "V2.7" },
          { "bom-ref": "V2.7.8", "identifier": "V2.7.8", "text": "[ADDED] Verify that, where push notifications are used for multi-factor authentication, rate limiting or number matching is used to prevent push bombing attacks.", "parent": "V2.7" },
          { "bom-ref": "V2.8", "identifier": "V2.8", "title": "Time based One-time Passwords", "parent": "V2" },
          { "bom-ref": "V2.8.1", "identifier": "V2.8.1", "text": "[GRAMMAR] Verify that time-based, one-time passwords have a defined lifetime before expiring.", "parent": "V2.8" },
          { "bom-ref": "V2.8.2", "identifier": "V2.8.2", "text": "[GRAMMAR] Verify that symmetric keys used to verify submitted time-based, one-time passwords are highly protected, such as by using a hardware security module or secure operating system based key storage.", "parent": "V2.8" },
          { "bom-ref": "V2.8.3", "identifier": "V2.8.3", "text": "[GRAMMAR] Verify that approved cryptographic algorithms are used in the generation, seeding, and verification of time-based, one-time passwords.", "parent": "V2.8" },
          { "bom-ref": "V2.8.4", "identifier": "V2.8.4", "text": "[GRAMMAR] Verify that a time-based, one-time password can be used only once within the validity period.", "parent": "V2.8" },
          { "bom-ref": "V2.8.5", "identifier": "V2.8.5", "text": "[DELETED, INSUFFICIENT IMPACT]", "parent": "V2.8" },
          { "bom-ref": "V2.8.6", "identifier": "V2.8.6", "text": "[MODIFIED, LEVEL L2 > L3] Verify that physical single-factor OTP generators can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location.", "parent": "V2.8" },
          { "bom-ref": "V2.8.7", "identifier": "V2.8.7", "text": "[MODIFIED, LEVEL L2 > L3] Verify that biometric authentication mechanisms are only used as secondary factors together with either something you have or something you know.", "parent": "V2.8" },
          { "bom-ref": "V2.8.8", "identifier": "V2.8.8", "text": "[ADDED] Ensure that generation of the time-based multi-factor OTP token is based on the server's system time and not the client's machine.", "parent": "V2.8" },
          { "bom-ref": "V2.9", "identifier": "V2.9", "title": "Cryptographic authentication mechanism", "parent": "V2" },
          { "bom-ref": "V2.9.1", "identifier": "V2.9.1", "text": "[MODIFIED, LEVEL L2 > L3] Verify that the authentication server stores the cryptographic keys used in verification are securely and protected against disclosure, such as using a Trusted Platform Module (TPM) or Hardware Security Module (HSM), or an OS service that can use this secure storage.", "parent": "V2.9" },
          { "bom-ref": "V2.9.2", "identifier": "V2.9.2", "text": "[LEVEL L2 > L3] Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device.", "parent": "V2.9" },
          { "bom-ref": "V2.9.3", "identifier": "V2.9.3", "text": "[MODIFIED, LEVEL L2 > L3] Verify that approved cryptographic algorithms are used in the generation, seeding, and verification of the cryptographic keys.", "parent": "V2.9" },
          { "bom-ref": "V2.10", "identifier": "V2.10", "title": "Service Authentication", "parent": "V2" },
          { "bom-ref": "V2.10.1", "identifier": "V2.10.1", "text": "[MOVED TO 14.7.1]", "parent": "V2.10" },
          { "bom-ref": "V2.10.2", "identifier": "V2.10.2", "text": "[MOVED TO 14.7.2]", "parent": "V2.10" },
          { "bom-ref": "V2.10.3", "identifier": "V2.10.3", "text": "[DELETED, DUPLICATE OF 2.10.4]", "parent": "V2.10" },
          { "bom-ref": "V2.10.4", "identifier": "V2.10.4", "text": "[DELETED, MERGED TO 14.8.1]", "parent": "V2.10" },
          { "bom-ref": "V2.11", "identifier": "V2.11", "title": "Authentication with an Identity Providers", "parent": "V2" },
          { "bom-ref": "V2.11.1", "identifier": "V2.11.1", "text": "[ADDED] Verify that, if the application supports multiple identity providers (IDPs), the user's identity cannot be spoofed via another supported identity provider (eg. by using the same user identifier). Usually, the application should register and identify the user using a combination of the IdP ID (serving as a namespace) and the user's ID in the IDP.", "parent": "V2.11" },
          { "bom-ref": "V2.11.2", "identifier": "V2.11.2", "text": "[ADDED] Verify that the presence and integrity of digital signatures on authentication assertions (for example on JWTs or SAML assertions) are always validated, rejecting any assertions that are unsigned or have invalid signatures.", "parent": "V2.11" },
          { "bom-ref": "V2.11.3", "identifier": "V2.11.3", "text": "[ADDED] Verify that SAML assertions are uniquely processed and used only once within the validity period to prevent replay attacks.", "parent": "V2.11" },
          { "bom-ref": "V3", "identifier": "V3", "title": "Session Management" },
          { "bom-ref": "V1.3", "identifier": "V1.3", "title": "Session Management Documentation", "parent": "V3" },
          { "bom-ref": "V1.3.1", "identifier": "V1.3.1", "text": "[ADDED] Verify that the user's session inactivity period and maximum session lifetime before reauthentication are documented, appropriate in combination with other controls, and that documentation includes justification for any deviations from NIST SP 800-63B reauthentication requirements.", "parent": "V1.3" },
          { "bom-ref": "V1.3.2", "identifier": "V1.3.2", "text": "[ADDED] Verify that the documentation defines how many concurrent (parallel) sessions are allowed for one account as well as the intended behaviours and actions to be taken when the maximum number of active sessions is reached.", "parent": "V1.3" },
          { "bom-ref": "V1.3.3", "identifier": "V1.3.3", "text": "[ADDED] Verify that all systems that create and manage user sessions as part of a federated identity management ecosystem (such as SSO systems) are documented along with controls to coordinate session lifetimes, termination, and any other condition that should require re-authentication.", "parent": "V1.3" },
          { "bom-ref": "V3.1", "identifier": "V3.1", "title": "Fundamental Session Management Security", "parent": "V3" },
          { "bom-ref": "V3.1.1", "identifier": "V3.1.1", "text": "[DELETED, MERGED TO 8.3.1]", "parent": "V3.1" },
          { "bom-ref": "V3.1.2", "identifier": "V3.1.2", "text": "[ADDED] Verify that the application performs all session token verification using a trusted, back-end service.", "parent": "V3.1" },
          { "bom-ref": "V3.1.3", "identifier": "V3.1.3", "text": "[MODIFIED, MOVED FROM 3.5.2, LEVEL L2 > L1] Verify that the application uses either self-contained or reference tokens for session management. Static API secrets and keys should be avoided.", "parent": "V3.1" },
          { "bom-ref": "V3.1.4", "identifier": "V3.1.4", "text": "[MODIFIED, MOVED FROM 3.2.2, MERGED FROM 3.2.4] Verify that if reference tokens are used to represent user sessions, they are unique and generated using a cryptographically secure pseudo-random number generator (CSPRNG) and possess at least 128 bits of entropy.", "parent": "V3.1" },
          { "bom-ref": "V3.1.5", "identifier": "V3.1.5", "text": "[MODIFIED, MOVED FROM 3.2.1] Verify that the application generates a new session token on user authentication, including re-authentication, and terminates the current session token.", "parent": "V3.1" },
          { "bom-ref": "V3.2", "identifier": "V3.2", "title": "Session Binding", "parent": "V3" },
          { "bom-ref": "V3.2.1", "identifier": "V3.2.1", "text": "[MOVED TO 3.1.5]", "parent": "V3.2" },
          { "bom-ref": "V3.2.2", "identifier": "V3.2.2", "text": "[MOVED TO 3.1.4]", "parent": "V3.2" },
          { "bom-ref": "V3.2.3", "identifier": "V3.2.3", "text": "[DELETED, MERGED TO 8.2.2]", "parent": "V3.2" },
          { "bom-ref": "V3.2.4", "identifier": "V3.2.4", "text": "[DELETED, MERGED TO 3.1.4]", "parent": "V3.2" },
          { "bom-ref": "V3.3", "identifier": "V3.3", "title": "Session Timeout", "parent": "V3" },
          { "bom-ref": "V3.3.1", "identifier": "V3.3.1", "text": "[MOVED TO 3.8.1]", "parent": "V3.3" },
          { "bom-ref": "V3.3.2", "identifier": "V3.3.2", "text": "[MODIFIED, SPLIT TO 3.3.5] Verify that there is an absolute maximum session lifetime such that re-authentication is enforced according to risk analysis and documented security decisions.", "parent": "V3.3" },
          { "bom-ref": "V3.3.3", "identifier": "V3.3.3", "text": "[MOVED TO 3.8.2]", "parent": "V3.3" },
          { "bom-ref": "V3.3.4", "identifier": "V3.3.4", "text": "[MOVED TO 3.7.2]", "parent": "V3.3" },
          { "bom-ref": "V3.3.5", "identifier": "V3.3.5", "text": "[ADDED, SPLIT FROM 3.3.2] Verify that there is an inactivity timeout such that re-authentication is enforced according to risk analysis and documented security decisions.", "parent": "V3.3" },
          { "bom-ref": "V3.4", "identifier": "V3.4", "title": "Cookie-based Session Management", "parent": "V3" },
          { "bom-ref": "V3.4.1", "identifier": "V3.4.1", "text": "[MOVED TO 50.2.1]", "parent": "V3.4" },
          { "bom-ref": "V3.4.2", "identifier": "V3.4.2", "text": "[MOVED TO 50.2.2]", "parent": "V3.4" },
          { "bom-ref": "V3.4.3", "identifier": "V3.4.3", "text": "[MOVED TO 50.2.3]", "parent": "V3.4" },
          { "bom-ref": "V3.4.4", "identifier": "V3.4.4", "text": "[MOVED TO 50.2.4]", "parent": "V3.4" },
          { "bom-ref": "V3.4.5", "identifier": "V3.4.5", "text": "[DELETED, DEPRECATED BY 50.1.1]", "parent": "V3.4" },
          { "bom-ref": "V3.5", "identifier": "V3.5", "title": "Token-based Session Management", "parent": "V3" },
          { "bom-ref": "V3.5.1", "identifier": "V3.5.1", "text": "[MOVED TO 51.4.14]", "parent": "V3.5" },
          { "bom-ref": "V3.5.2", "identifier": "V3.5.2", "text": "[MOVED TO 3.1.3]", "parent": "V3.5" },
          { "bom-ref": "V3.5.3", "identifier": "V3.5.3", "text": "[MOVED TO 52.1.1]", "parent": "V3.5" },
          { "bom-ref": "V3.6", "identifier": "V3.6", "title": "Federated Re-authentication", "parent": "V3" },
          { "bom-ref": "V3.6.1", "identifier": "V3.6.1", "text": "[MODIFIED, MERGED FROM 3.6.2] Verify that session lifetime and termination between Relying Parties (RPs) and Credential Service Providers (CSPs) behave as documented, requiring re-authentication as necessary such as when the maximum time between CSP authentication events is reached.", "parent": "V3.6" },
          { "bom-ref": "V3.6.2", "identifier": "V3.6.2", "text": "[DELETED, MERGED TO 3.6.1]", "parent": "V3.6" },
          { "bom-ref": "V3.6.3", "identifier": "V3.6.3", "text": "[ADDED] Verify that creation of a session requires either the user's consent or an explicit action, preventing the creation of new application sessions without user interaction.", "parent": "V3.6" },
          { "bom-ref": "V3.7", "identifier": "V3.7", "title": "Defenses Against Session Abuse", "parent": "V3" },
          { "bom-ref": "V3.7.1", "identifier": "V3.7.1", "text": "[MODIFIED] Verify that the application requires re-authentication or secondary verification before allowing highly sensitive transactions or modifications to sensitive account attributes such as authentication settings.", "parent": "V3.7" },
          { "bom-ref": "V3.7.2", "identifier": "V3.7.2", "text": "[MODIFIED, MOVED FROM 3.3.4] Verify that users are able to view and (having re-entered login credentials) terminate any or all currently active sessions.", "parent": "V3.7" },
          { "bom-ref": "V3.8", "identifier": "V3.8", "title": "Session Termination", "parent": "V3" },
          { "bom-ref": "V3.8.1", "identifier": "V3.8.1", "text": "[MODIFIED, MOVED FROM 3.3.1] Verify that logout and expiration terminate the user's session, such that the back button or a downstream relying party cannot resume an authenticated session.", "parent": "V3.8" },
          { "bom-ref": "V3.8.2", "identifier": "V3.8.2", "text": "[MODIFIED, LEVEL L2 > L1, MOVED FROM 3.3.3] Verify that the application gives the option to terminate all other active sessions after a successful change or removal of any authentication factor (including password change via reset or recovery and, if present, an MFA settings update).", "parent": "V3.8" },
          { "bom-ref": "V3.8.3", "identifier": "V3.8.3", "text": "[ADDED] Verify that all pages that require authentication have easy and visible access to logout functionality.", "parent": "V3.8" },
          { "bom-ref": "V3.8.4", "identifier": "V3.8.4", "text": "[ADDED] Verify that the application terminates all active sessions when a user account is disabled or deleted (such as an employee leaving the company).", "parent": "V3.8" },
          { "bom-ref": "V3.8.5", "identifier": "V3.8.5", "text": "[ADDED] Verify that application administrators are able to terminate active sessions for an individual user or for all users.", "parent": "V3.8" },
          { "bom-ref": "V4", "identifier": "V4", "title": "Access Control" },
          { "bom-ref": "V1.4", "identifier": "V1.4", "title": "Access Control Documentation", "parent": "V4" },
          { "bom-ref": "V1.4.1", "identifier": "V1.4.1", "text": "[DELETED, DUPLICATE OF 4.1.1]", "parent": "V1.4" },
          { "bom-ref": "V1.4.2", "identifier": "V1.4.2", "text": "[DELETED]", "parent": "V1.4" },
          { "bom-ref": "V1.4.3", "identifier": "V1.4.3", "text": "[DELETED, DUPLICATE OF 4.1.3]", "parent": "V1.4" },
          { "bom-ref": "V1.4.4", "identifier": "V1.4.4", "text": "[DELETED, INSUFFICIENT IMPACT]", "parent": "V1.4" },
          { "bom-ref": "V1.4.5", "identifier": "V1.4.5", "text": "[DELETED, INSUFFICIENT IMPACT]", "parent": "V1.4" },
          { "bom-ref": "V1.4.6", "identifier": "V1.4.6", "text": "[ADDED] Verify that access control documentation defines controls that incorporate changes to a consumers environmental and contextual attributes (such as time of day, location, IP address, or device) to make security decisions, including those pertaining to authentication and authorization. These changes should be detected both when the consumer tries to start a new session or during an existing session.", "parent": "V1.4" },
          { "bom-ref": "V1.4.7", "identifier": "V1.4.7", "text": "[ADDED] Verify that access control documentation defines explicit rules for restricting function-level, data-specific, and field-level access based on consumer permissions, specifying relevant consumer and resource attributes, as well as environmental factors involved in decision-making.", "parent": "V1.4" },
          { "bom-ref": "V4.1", "identifier": "V4.1", "title": "General Access Control Design", "parent": "V4" },
          { "bom-ref": "V4.1.1", "identifier": "V4.1.1", "text": "[MOVED TO 4.2.3]", "parent": "V4.1" },
          { "bom-ref": "V4.1.2", "identifier": "V4.1.2", "text": "[DELETED, DUPLICATE OF 4.1.3]", "parent": "V4.1" },
          { "bom-ref": "V4.1.3", "identifier": "V4.1.3", "text": "[MODIFIED] Verify that the application ensures that function-level access is restricted to consumers with explicit permissions.", "parent": "V4.1" },
          { "bom-ref": "V4.1.4", "identifier": "V4.1.4", "text": "[DELETED, DUPLICATE OF 4.1.3]", "parent": "V4.1" },
          { "bom-ref": "V4.1.5", "identifier": "V4.1.5", "text": "[MOVED TO 7.4.5]", "parent": "V4.1" },
          { "bom-ref": "V4.1.6", "identifier": "V4.1.6", "text": "[MODIFIED, MOVED FROM 4.2.1] Verify that the application ensures that data-specific access is restricted to consumers with explicit permissions to specific data items to mitigate insecure direct object reference (IDOR) and broken object level authorization (BOLA).", "parent": "V4.1" },
          { "bom-ref": "V4.1.7", "identifier": "V4.1.7", "text": "[ADDED] Verify that the application ensures that field-level access is restricted to consumers with explicit permissions to specific fields to mitigate broken object property level authorization (BOPLA).", "parent": "V4.1" },
          { "bom-ref": "V4.1.8", "identifier": "V4.1.8", "text": "[ADDED] Verify that adaptive security controls related to authentication and authorization decisions based on a consumers environmental and contextual attributes (such as time of day, location, IP address, or device) are implemented as defined in access control documentation.", "parent": "V4.1" },
          { "bom-ref": "V4.2", "identifier": "V4.2", "title": "Operation Level Access Control", "parent": "V4" },
          { "bom-ref": "V4.2.1", "identifier": "V4.2.1", "text": "[MOVED TO 4.1.6]", "parent": "V4.2" },
          { "bom-ref": "V4.2.2", "identifier": "V4.2.2", "text": "[MOVED TO 50.4.1]", "parent": "V4.2" },
          { "bom-ref": "V4.2.3", "identifier": "V4.2.3", "text": "[MODIFIED, MOVED FROM 4.1.1] Verify that the application enforces access control rules at a trusted service layer and doesn't rely on controls that an untrusted consumer could manipulate, such as client-side JavaScript.", "parent": "V4.2" },
          { "bom-ref": "V4.2.4", "identifier": "V4.2.4", "text": "[ADDED] Verify that changes to values on which access control decisions are made are applied immediately. Where changes cannot be applied immediately, (such as when relying on data in self-contained tokens), there must be mitigating controls to alert when a consumer performs an action when they should no longer be able to do so and revert the change. Note that this would be unable to mitigate information leakage.", "parent": "V4.2" },
          { "bom-ref": "V4.2.5", "identifier": "V4.2.5", "text": "[ADDED] Verify that access to an object is based on the originating subject's (e.g. consumer's) permissions, not on the permissions of any intermediary or service acting on their behalf. For example, if a consumer calls a web service using a self-contained token for authentication, and the service then requests data from a different service, the second service should use the consumer's token, rather than a machine-to-machine token from the first service, to make permission decisions.", "parent": "V4.2" },
          { "bom-ref": "V4.3", "identifier": "V4.3", "title": "Other Access Control Considerations", "parent": "V4" },
          { "bom-ref": "V4.3.1", "identifier": "V4.3.1", "text": "[MODIFIED, LEVEL L1 > L3] Verify that access to administrative interfaces incorporates multiple layers of security, including continuous consumer identity verification, device security posture assessment, and contextual risk analysis, ensuring that network location or trusted endpoints are not the sole factors for authorization even though they may reduce the likelihood of unauthorized access.", "parent": "V4.3" },
          { "bom-ref": "V4.3.2", "identifier": "V4.3.2", "text": "[SPLIT TO 14.3.4, 14.3.5]", "parent": "V4.3" },
          { "bom-ref": "V4.3.3", "identifier": "V4.3.3", "text": "[MOVED TO 14.7.3]", "parent": "V4.3" },
          { "bom-ref": "V4.3.4", "identifier": "V4.3.4", "text": "[ADDED] Verify that multi-tenant applications use cross-tenant controls to ensure consumer operations will never affect tenants with which they do not have permissions to interact.", "parent": "V4.3" },
          { "bom-ref": "V5", "identifier": "V5", "title": "Validation, Sanitization and Encoding" },
          { "bom-ref": "V1.5", "identifier": "V1.5", "title": "Input and Output Documentation", "parent": "V5" },
          { "bom-ref": "V1.5.1", "identifier": "V1.5.1", "text": "[MODIFIED, SPLIT TO 1.5.5, LEVEL L2 > L1] Verify that input validation rules define how to check the validity of data items against an expected structure. This could be common data formats such as credit card numbers, e-mail addresses, telephone numbers, or it could be an internal data format.", "parent": "V1.5" },
          { "bom-ref": "V1.5.2", "identifier": "V1.5.2", "text": "[DELETED, MERGED TO 5.5.3]", "parent": "V1.5" },
          { "bom-ref": "V1.5.3", "identifier": "V1.5.3", "text": "[MOVED TO 5.6.2]", "parent": "V1.5" },
          { "bom-ref": "V1.5.4", "identifier": "V1.5.4", "text": "[MOVED TO 5.6.3]", "parent": "V1.5" },
          { "bom-ref": "V1.5.5", "identifier": "V1.5.5", "text": "[ADDED, SPLIT FROM 1.5.1] Verify that input validation rules are documented and define how to ensure the logical and contextual consistency of combined data items, such as checking that suburb and zip code match.", "parent": "V1.5" },
          { "bom-ref": "V5.1", "identifier": "V5.1", "title": "Input Validation", "parent": "V5" },
          { "bom-ref": "V5.1.1", "identifier": "V5.1.1", "text": "[MODIFIED] Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (query string, body parameters, cookies, or header fields).", "parent": "V5.1" },
          { "bom-ref": "V5.1.2", "identifier": "V5.1.2", "text": "[MOVED TO 10.4.4]", "parent": "V5.1" },
          { "bom-ref": "V5.1.3", "identifier": "V5.1.3", "text": "[MODIFIED] Verify that all input is validated using positive validation, against an allowed list of values, patterns or ranges to enforce business or functional expectations for that input.", "parent": "V5.1" },
          { "bom-ref": "V5.1.4", "identifier": "V5.1.4", "text": "[MODIFIED, SPLIT TO 5.1.7] Verify that data items with an expected structure are validated according to the pre-defined rules.", "parent": "V5.1" },
          { "bom-ref": "V5.1.5", "identifier": "V5.1.5", "text": "[MODIFIED, SPLIT TO 50.8.1] Verify that the application will only automatically redirect the user to a different URL directly from an application URL where the destination appears on an allowlist.", "parent": "V5.1" },
          { "bom-ref": "V5.1.6", "identifier": "V5.1.6", "text": "[ADDED] Verify that the application validates that user-controlled input in HTTP request header fields does not exceed the server's maximum header field size limit (usually 4kB or 8kB) to prevent client-based denial of service attacks.", "parent": "V5.1" },
          { "bom-ref": "V5.1.7", "identifier": "V5.1.7", "text": "[ADDED, SPLIT FROM 5.1.4] Verify that the application ensures that combinations of related data items are reasonable according to the pre-defined rules.", "parent": "V5.1" },
          { "bom-ref": "V5.2", "identifier": "V5.2", "title": "Sanitization and Sandboxing", "parent": "V5" },
          { "bom-ref": "V5.2.1", "identifier": "V5.2.1", "text": "[MODIFIED] Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized using a well-known and secure HTML sanitization library or framework feature.", "parent": "V5.2" },
          { "bom-ref": "V5.2.2", "identifier": "V5.2.2", "text": "[MODIFIED] Verify that data being passed to a potentially dangerous context is sanitized beforehand to enforce safety measures, such as only allowing characters which are safe for this context and trimming input which is too long.", "parent": "V5.2" },
          { "bom-ref": "V5.2.3", "identifier": "V5.2.3", "text": "Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection.",
