@cyclonedx/cdxgen

Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

886 lines 160 kB
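The file below is a CycloneDX BOM whose definitions.standards entry encodes ASVS 5.0.0 as a flat list of requirements: chapters (V1), sections (V1.2) and testable requirements (V1.2.4) are all entries in the same array, linked into a tree only through each entry's parent field pointing at another entry's bom-ref. Two things a consumer has to get right are that every parent must resolve (other parts of a CycloneDX 1.6 BOM, such as attestations, reference requirements by bom-ref, so a dangling or duplicated ref silently breaks that mapping) and that identifiers like V1.2.10 sort after V1.2.4 numerically, not lexically. The Node script that follows is an added example written for this page; it is not cdxgen's code and not part of the file. The `sample` object is a constructed subset that mirrors the structure of the data below with abbreviated text, plus one constructed entry (V9.9.9) with a nonexistent parent to exercise the validation.

```javascript
// Added example: walk a CycloneDX "definitions.standards" entry, rebuilding the
// ASVS hierarchy from bom-ref/parent links and validating the references.
// `sample` is a constructed subset of the page's data (texts abbreviated), with
// one deliberately broken entry (V9.9.9) whose parent does not exist.
const sample = {
  definitions: {
    standards: [
      {
        "bom-ref": "ASVS-5.0.0",
        name: "Application Security Verification Standard (ASVS)",
        version: "5.0.0",
        requirements: [
          { "bom-ref": "V1", identifier: "V1", title: "Encoding and Sanitization" },
          { "bom-ref": "V1.2", identifier: "V1.2", title: "Injection Prevention", parent: "V1" },
          { "bom-ref": "V1.2.10", identifier: "V1.2.10", parent: "V1.2",
            text: "Verify that the application is protected against CSV and Formula Injection. ..." },
          { "bom-ref": "V1.2.4", identifier: "V1.2.4", parent: "V1.2",
            text: "Verify that data selection or database queries use parameterized queries ..." },
          { "bom-ref": "V1.5", identifier: "V1.5", title: "Safe Deserialization", parent: "V1" },
          { "bom-ref": "V1.5.1", identifier: "V1.5.1", parent: "V1.5",
            text: "Verify that the application configures XML parsers to use a restrictive configuration ..." },
          // Constructed defect, not in the real file: parent "V9.9" is never defined.
          { "bom-ref": "V9.9.9", identifier: "V9.9.9", parent: "V9.9", text: "Constructed dangling requirement" },
        ],
      },
    ],
  },
};

// Index requirements by bom-ref. Duplicates are a defect: anything else in the
// BOM that points at a requirement does so by this ref.
function indexRequirements(standard) {
  const byRef = new Map();
  const duplicates = [];
  for (const req of standard.requirements) {
    if (byRef.has(req["bom-ref"])) duplicates.push(req["bom-ref"]);
    byRef.set(req["bom-ref"], req);
  }
  return { byRef, duplicates };
}

// bom-refs of requirements whose parent is not defined in the same standard.
function danglingParents(standard) {
  const { byRef } = indexRequirements(standard);
  return standard.requirements
    .filter((r) => r.parent !== undefined && !byRef.has(r.parent))
    .map((r) => r["bom-ref"]);
}

// Follow parent links up to the chapter; a cycle or a dangling parent ends the walk.
function pathFor(standard, ref) {
  const { byRef } = indexRequirements(standard);
  const chain = [];
  const seen = new Set();
  let cur = byRef.get(ref);
  while (cur && !seen.has(cur["bom-ref"])) {
    seen.add(cur["bom-ref"]);
    chain.unshift(cur.identifier);
    cur = cur.parent === undefined ? undefined : byRef.get(cur.parent);
  }
  return chain.join(" > ");
}

// ASVS identifiers are dotted integers after a leading "V": "V1.2.10" must sort
// after "V1.2.4", which a plain string comparison gets wrong.
function compareIdentifiers(a, b) {
  const pa = a.slice(1).split(".").map(Number);
  const pb = b.slice(1).split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? -1) - (pb[i] ?? -1);
    if (d !== 0) return d;
  }
  return 0;
}

// Leaf requirements (never referenced as anyone's parent) are the testable ones.
function leafRequirements(standard) {
  const parents = new Set(standard.requirements.map((r) => r.parent).filter(Boolean));
  return standard.requirements
    .filter((r) => !parents.has(r["bom-ref"]))
    .map((r) => r.identifier)
    .sort(compareIdentifiers);
}

const asvs = sample.definitions.standards[0];
console.log("dangling parents:", danglingParents(asvs));
console.log("path:", pathFor(asvs, "V1.2.10"));
console.log("leaves:", leafRequirements(asvs));
```

To run this against the real file, replace `sample` with `JSON.parse(fs.readFileSync(path, "utf8"))`; the functions only depend on the bom-ref, identifier, parent and text/title fields shown in the data below.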
{ "metadata": { "licenses": [ { "license": { "id": "CC-BY-SA-4.0", "url": "https://creativecommons.org/licenses/by-sa/4.0/legalcode.txt" } } ] }, "definitions": { "standards": [ { "bom-ref": "ASVS-5.0.0", "name": "Application Security Verification Standard (ASVS)", "version": "5.0.0", "description": "The Application Security Verification Standard is a list of application security requirements that architects, developers, testers, security professionals, tool vendors, and consumers can use to define, build, test, and verify secure applications.", "owner": "Application Security Verification Standard Project", "requirements": [ { "bom-ref": "V1", "identifier": "V1", "title": "Encoding and Sanitization" }, { "bom-ref": "V1.1", "identifier": "V1.1", "title": "Encoding and Sanitization Architecture", "parent": "V1" }, { "bom-ref": "V1.1.1", "identifier": "V1.1.1", "text": "Verify that input is decoded or unescaped into a canonical form only once, it is only decoded when encoded data in that form is expected, and that this is done before processing the input further, for example it is not performed after input validation or sanitization.", "parent": "V1.1" }, { "bom-ref": "V1.1.2", "identifier": "V1.1.2", "text": "Verify that the application performs output encoding and escaping either as a final step before being used by the interpreter for which it is intended or by the interpreter itself.", "parent": "V1.1" }, { "bom-ref": "V1.2", "identifier": "V1.2", "title": "Injection Prevention", "parent": "V1" }, { "bom-ref": "V1.2.1", "identifier": "V1.2.1", "text": "Verify that output encoding for an HTTP response, HTML document, or XML document is relevant for the context required, such as encoding the relevant characters for HTML elements, HTML attributes, HTML comments, CSS, or HTTP header fields, to avoid changing the message or document structure.", "parent": "V1.2" }, { "bom-ref": "V1.2.2", "identifier": "V1.2.2", "text": "Verify that when dynamically building URLs, 
untrusted data is encoded according to its context (e.g., URL encoding or base64url encoding for query or path parameters). Ensure that only safe URL protocols are permitted (e.g., disallow javascript: or data:).", "parent": "V1.2" }, { "bom-ref": "V1.2.3", "identifier": "V1.2.3", "text": "Verify that output encoding or escaping is used when dynamically building JavaScript content (including JSON), to avoid changing the message or document structure (to avoid JavaScript and JSON injection).", "parent": "V1.2" }, { "bom-ref": "V1.2.4", "identifier": "V1.2.4", "text": "Verify that data selection or database queries (e.g., SQL, HQL, NoSQL, Cypher) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from SQL Injection and other database injection attacks. This is also relevant when writing stored procedures.", "parent": "V1.2" }, { "bom-ref": "V1.2.5", "identifier": "V1.2.5", "text": "Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding.", "parent": "V1.2" }, { "bom-ref": "V1.2.6", "identifier": "V1.2.6", "text": "Verify that the application protects against LDAP injection vulnerabilities, or that specific security controls to prevent LDAP injection have been implemented.", "parent": "V1.2" }, { "bom-ref": "V1.2.7", "identifier": "V1.2.7", "text": "Verify that the application is protected against XPath injection attacks by using query parameterization or precompiled queries.", "parent": "V1.2" }, { "bom-ref": "V1.2.8", "identifier": "V1.2.8", "text": "Verify that LaTeX processors are configured securely (such as not using the \"--shell-escape\" flag) and an allowlist of commands is used to prevent LaTeX injection attacks.", "parent": "V1.2" }, { "bom-ref": "V1.2.9", "identifier": "V1.2.9", "text": "Verify that the application escapes special characters in regular expressions (typically using a backslash) to prevent them 
from being misinterpreted as metacharacters.", "parent": "V1.2" }, { "bom-ref": "V1.2.10", "identifier": "V1.2.10", "text": "Verify that the application is protected against CSV and Formula Injection. The application must follow the escaping rules defined in RFC 4180 sections 2.6 and 2.7 when exporting CSV content. Additionally, when exporting to CSV or other spreadsheet formats (such as XLS, XLSX, or ODF), special characters (including '=', '+', '-', '@', '\\t' (tab), and '\\0' (null character)) must be escaped with a single quote if they appear as the first character in a field value.", "parent": "V1.2" }, { "bom-ref": "V1.3", "identifier": "V1.3", "title": "Sanitization", "parent": "V1" }, { "bom-ref": "V1.3.1", "identifier": "V1.3.1", "text": "Verify that all untrusted HTML input from WYSIWYG editors or similar is sanitized using a well-known and secure HTML sanitization library or framework feature.", "parent": "V1.3" }, { "bom-ref": "V1.3.2", "identifier": "V1.3.2", "text": "Verify that the application avoids the use of eval() or other dynamic code execution features such as Spring Expression Language (SpEL). 
Where there is no alternative, any user input being included must be sanitized before being executed.", "parent": "V1.3" }, { "bom-ref": "V1.3.3", "identifier": "V1.3.3", "text": "Verify that data being passed to a potentially dangerous context is sanitized beforehand to enforce safety measures, such as only allowing characters which are safe for this context and trimming input which is too long.", "parent": "V1.3" }, { "bom-ref": "V1.3.4", "identifier": "V1.3.4", "text": "Verify that user-supplied Scalable Vector Graphics (SVG) scriptable content is validated or sanitized to contain only tags and attributes (such as draw graphics) that are safe for the application, e.g., do not contain scripts and foreignObject.", "parent": "V1.3" }, { "bom-ref": "V1.3.5", "identifier": "V1.3.5", "text": "Verify that the application sanitizes or disables user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar.", "parent": "V1.3" }, { "bom-ref": "V1.3.6", "identifier": "V1.3.6", "text": "Verify that the application protects against Server-side Request Forgery (SSRF) attacks, by validating untrusted data against an allowlist of protocols, domains, paths and ports and sanitizing potentially dangerous characters before using the data to call another service.", "parent": "V1.3" }, { "bom-ref": "V1.3.7", "identifier": "V1.3.7", "text": "Verify that the application protects against template injection attacks by not allowing templates to be built based on untrusted input. 
Where there is no alternative, any untrusted input being included dynamically during template creation must be sanitized or strictly validated.", "parent": "V1.3" }, { "bom-ref": "V1.3.8", "identifier": "V1.3.8", "text": "Verify that the application appropriately sanitizes untrusted input before use in Java Naming and Directory Interface (JNDI) queries and that JNDI is configured securely to prevent JNDI injection attacks.", "parent": "V1.3" }, { "bom-ref": "V1.3.9", "identifier": "V1.3.9", "text": "Verify that the application sanitizes content before it is sent to memcache to prevent injection attacks.", "parent": "V1.3" }, { "bom-ref": "V1.3.10", "identifier": "V1.3.10", "text": "Verify that format strings which might resolve in an unexpected or malicious way when used are sanitized before being processed.", "parent": "V1.3" }, { "bom-ref": "V1.3.11", "identifier": "V1.3.11", "text": "Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection.", "parent": "V1.3" }, { "bom-ref": "V1.3.12", "identifier": "V1.3.12", "text": "Verify that regular expressions are free from elements causing exponential backtracking, and ensure untrusted input is sanitized to mitigate ReDoS or Runaway Regex attacks.", "parent": "V1.3" }, { "bom-ref": "V1.4", "identifier": "V1.4", "title": "Memory, String, and Unmanaged Code", "parent": "V1" }, { "bom-ref": "V1.4.1", "identifier": "V1.4.1", "text": "Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows.", "parent": "V1.4" }, { "bom-ref": "V1.4.2", "identifier": "V1.4.2", "text": "Verify that sign, range, and input validation techniques are used to prevent integer overflows.", "parent": "V1.4" }, { "bom-ref": "V1.4.3", "identifier": "V1.4.3", "text": "Verify that dynamically allocated memory and resources are released, and that references or pointers to freed memory are removed or set 
to null to prevent dangling pointers and use-after-free vulnerabilities.", "parent": "V1.4" }, { "bom-ref": "V1.5", "identifier": "V1.5", "title": "Safe Deserialization", "parent": "V1" }, { "bom-ref": "V1.5.1", "identifier": "V1.5.1", "text": "Verify that the application configures XML parsers to use a restrictive configuration and that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks.", "parent": "V1.5" }, { "bom-ref": "V1.5.2", "identifier": "V1.5.2", "text": "Verify that deserialization of untrusted data enforces safe input handling, such as using an allowlist of object types or restricting client-defined object types, to prevent deserialization attacks. Deserialization mechanisms that are explicitly defined as insecure must not be used with untrusted input.", "parent": "V1.5" }, { "bom-ref": "V1.5.3", "identifier": "V1.5.3", "text": "Verify that different parsers used in the application for the same data type (e.g., JSON parsers, XML parsers, URL parsers), perform parsing in a consistent way and use the same character encoding mechanism to avoid issues such as JSON Interoperability vulnerabilities or different URI or file parsing behavior being exploited in Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks.", "parent": "V1.5" }, { "bom-ref": "V2", "identifier": "V2", "title": "Validation and Business Logic" }, { "bom-ref": "V2.1", "identifier": "V2.1", "title": "Validation and Business Logic Documentation", "parent": "V2" }, { "bom-ref": "V2.1.1", "identifier": "V2.1.1", "text": "Verify that the application's documentation defines input validation rules for how to check the validity of data items against an expected structure. 
This could be common data formats such as credit card numbers, email addresses, telephone numbers, or it could be an internal data format.", "parent": "V2.1" }, { "bom-ref": "V2.1.2", "identifier": "V2.1.2", "text": "Verify that the application's documentation defines how to validate the logical and contextual consistency of combined data items, such as checking that suburb and ZIP code match.", "parent": "V2.1" }, { "bom-ref": "V2.1.3", "identifier": "V2.1.3", "text": "Verify that expectations for business logic limits and validations are documented, including both per-user and globally across the application.", "parent": "V2.1" }, { "bom-ref": "V2.2", "identifier": "V2.2", "title": "Input Validation", "parent": "V2" }, { "bom-ref": "V2.2.1", "identifier": "V2.2.1", "text": "Verify that input is validated to enforce business or functional expectations for that input. This should either use positive validation against an allow list of values, patterns, and ranges, or be based on comparing the input to an expected structure and logical limits according to predefined rules. For L1, this can focus on input which is used to make specific business or security decisions. For L2 and up, this should apply to all input.", "parent": "V2.2" }, { "bom-ref": "V2.2.2", "identifier": "V2.2.2", "text": "Verify that the application is designed to enforce input validation at a trusted service layer. 
While client-side validation improves usability and should be encouraged, it must not be relied upon as a security control.", "parent": "V2.2" }, { "bom-ref": "V2.2.3", "identifier": "V2.2.3", "text": "Verify that the application ensures that combinations of related data items are reasonable according to the pre-defined rules.", "parent": "V2.2" }, { "bom-ref": "V2.3", "identifier": "V2.3", "title": "Business Logic Security", "parent": "V2" }, { "bom-ref": "V2.3.1", "identifier": "V2.3.1", "text": "Verify that the application will only process business logic flows for the same user in the expected sequential step order and without skipping steps.", "parent": "V2.3" }, { "bom-ref": "V2.3.2", "identifier": "V2.3.2", "text": "Verify that business logic limits are implemented per the application's documentation to avoid business logic flaws being exploited.", "parent": "V2.3" }, { "bom-ref": "V2.3.3", "identifier": "V2.3.3", "text": "Verify that transactions are being used at the business logic level such that either a business logic operation succeeds in its entirety or it is rolled back to the previous correct state.", "parent": "V2.3" }, { "bom-ref": "V2.3.4", "identifier": "V2.3.4", "text": "Verify that business logic level locking mechanisms are used to ensure that limited quantity resources (such as theater seats or delivery slots) cannot be double-booked by manipulating the application's logic.", "parent": "V2.3" }, { "bom-ref": "V2.3.5", "identifier": "V2.3.5", "text": "Verify that high-value business logic flows require multi-user approval to prevent unauthorized or accidental actions. 
This could include but is not limited to large monetary transfers, contract approvals, access to classified information, or safety overrides in manufacturing.", "parent": "V2.3" }, { "bom-ref": "V2.4", "identifier": "V2.4", "title": "Anti-automation", "parent": "V2" }, { "bom-ref": "V2.4.1", "identifier": "V2.4.1", "text": "Verify that anti-automation controls are in place to protect against excessive calls to application functions that could lead to data exfiltration, garbage-data creation, quota exhaustion, rate-limit breaches, denial-of-service, or overuse of costly resources.", "parent": "V2.4" }, { "bom-ref": "V2.4.2", "identifier": "V2.4.2", "text": "Verify that business logic flows require realistic human timing, preventing excessively rapid transaction submissions.", "parent": "V2.4" }, { "bom-ref": "V3", "identifier": "V3", "title": "Web Frontend Security" }, { "bom-ref": "V3.1", "identifier": "V3.1", "title": "Web Frontend Security Documentation", "parent": "V3" }, { "bom-ref": "V3.1.1", "identifier": "V3.1.1", "text": "Verify that application documentation states the expected security features that browsers using the application must support (such as HTTPS, HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and other relevant HTTP security mechanisms). It must also define how the application must behave when some of these features are not available (such as warning the user or blocking access).", "parent": "V3.1" }, { "bom-ref": "V3.2", "identifier": "V3.2", "title": "Unintended Content Interpretation", "parent": "V3" }, { "bom-ref": "V3.2.1", "identifier": "V3.2.1", "text": "Verify that security controls are in place to prevent browsers from rendering content or functionality in HTTP responses in an incorrect context (e.g., when an API, a user-uploaded file or other resource is requested directly). 
Possible controls could include: not serving the content unless HTTP request header fields (such as Sec-Fetch-\\*) indicate it is the correct context, using the sandbox directive of the Content-Security-Policy header field or using the attachment disposition type in the Content-Disposition header field.", "parent": "V3.2" }, { "bom-ref": "V3.2.2", "identifier": "V3.2.2", "text": "Verify that content intended to be displayed as text, rather than rendered as HTML, is handled using safe rendering functions (such as createTextNode or textContent) to prevent unintended execution of content such as HTML or JavaScript.", "parent": "V3.2" }, { "bom-ref": "V3.2.3", "identifier": "V3.2.3", "text": "Verify that the application avoids DOM clobbering when using client-side JavaScript by employing explicit variable declarations, performing strict type checking, avoiding storing global variables on the document object, and implementing namespace isolation.", "parent": "V3.2" }, { "bom-ref": "V3.3", "identifier": "V3.3", "title": "Cookie Setup", "parent": "V3" }, { "bom-ref": "V3.3.1", "identifier": "V3.3.1", "text": "Verify that cookies have the 'Secure' attribute set, and if the '\\__Host-' prefix is not used for the cookie name, the '__Secure-' prefix must be used for the cookie name.", "parent": "V3.3" }, { "bom-ref": "V3.3.2", "identifier": "V3.3.2", "text": "Verify that each cookie's 'SameSite' attribute value is set according to the purpose of the cookie, to limit exposure to user interface redress attacks and browser-based request forgery attacks, commonly known as cross-site request forgery (CSRF).", "parent": "V3.3" }, { "bom-ref": "V3.3.3", "identifier": "V3.3.3", "text": "Verify that cookies have the '__Host-' prefix for the cookie name unless they are explicitly designed to be shared with other hosts.", "parent": "V3.3" }, { "bom-ref": "V3.3.4", "identifier": "V3.3.4", "text": "Verify that if the value of a cookie is not meant to be accessible to client-side scripts 
(such as a session token), the cookie must have the 'HttpOnly' attribute set and the same value (e. g. session token) must only be transferred to the client via the 'Set-Cookie' header field.", "parent": "V3.3" }, { "bom-ref": "V3.3.5", "identifier": "V3.3.5", "text": "Verify that when the application writes a cookie, the cookie name and value length combined are not over 4096 bytes. Overly large cookies will not be stored by the browser and therefore not sent with requests, preventing the user from using application functionality which relies on that cookie.", "parent": "V3.3" }, { "bom-ref": "V3.4", "identifier": "V3.4", "title": "Browser Security Mechanism Headers", "parent": "V3" }, { "bom-ref": "V3.4.1", "identifier": "V3.4.1", "text": "Verify that a Strict-Transport-Security header field is included on all responses to enforce an HTTP Strict Transport Security (HSTS) policy. A maximum age of at least 1 year must be defined, and for L2 and up, the policy must apply to all subdomains as well.", "parent": "V3.4" }, { "bom-ref": "V3.4.2", "identifier": "V3.4.2", "text": "Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header field is a fixed value by the application, or if the Origin HTTP request header field value is used, it is validated against an allowlist of trusted origins. When 'Access-Control-Allow-Origin: *' needs to be used, verify that the response does not include any sensitive information.", "parent": "V3.4" }, { "bom-ref": "V3.4.3", "identifier": "V3.4.3", "text": "Verify that HTTP responses include a Content-Security-Policy response header field which defines directives to ensure the browser only loads and executes trusted content or resources, in order to limit execution of malicious JavaScript. As a minimum, a global policy must be used which includes the directives object-src 'none' and base-uri 'none' and defines either an allowlist or uses nonces or hashes. 
For an L3 application, a per-response policy with nonces or hashes must be defined.", "parent": "V3.4" }, { "bom-ref": "V3.4.4", "identifier": "V3.4.4", "text": "Verify that all HTTP responses contain an 'X-Content-Type-Options: nosniff' header field. This instructs browsers not to use content sniffing and MIME type guessing for the given response, and to require the response's Content-Type header field value to match the destination resource. For example, the response to a request for a style is only accepted if the response's Content-Type is 'text/css'. This also enables the use of the Cross-Origin Read Blocking (CORB) functionality by the browser.", "parent": "V3.4" }, { "bom-ref": "V3.4.5", "identifier": "V3.4.5", "text": "Verify that the application sets a referrer policy to prevent leakage of technically sensitive data to third-party services via the 'Referer' HTTP request header field. This can be done using the Referrer-Policy HTTP response header field or via HTML element attributes. Sensitive data could include path and query data in the URL, and for internal non-public applications also the hostname.", "parent": "V3.4" }, { "bom-ref": "V3.4.6", "identifier": "V3.4.6", "text": "Verify that the web application uses the frame-ancestors directive of the Content-Security-Policy header field for every HTTP response to ensure that it cannot be embedded by default and that embedding of specific resources is allowed only when necessary. 
Note that the X-Frame-Options header field, although supported by browsers, is obsolete and may not be relied upon.", "parent": "V3.4" }, { "bom-ref": "V3.4.7", "identifier": "V3.4.7", "text": "Verify that the Content-Security-Policy header field specifies a location to report violations.", "parent": "V3.4" }, { "bom-ref": "V3.4.8", "identifier": "V3.4.8", "text": "Verify that all HTTP responses that initiate a document rendering (such as responses with Content-Type text/html), include the Cross‑Origin‑Opener‑Policy header field with the same-origin directive or the same-origin-allow-popups directive as required. This prevents attacks that abuse shared access to Window objects, such as tabnabbing and frame counting.", "parent": "V3.4" }, { "bom-ref": "V3.5", "identifier": "V3.5", "title": "Browser Origin Separation", "parent": "V3" }, { "bom-ref": "V3.5.1", "identifier": "V3.5.1", "text": "Verify that, if the application does not rely on the CORS preflight mechanism to prevent disallowed cross-origin requests to use sensitive functionality, these requests are validated to ensure they originate from the application itself. This may be done by using and validating anti-forgery tokens or requiring extra HTTP header fields that are not CORS-safelisted request-header fields. This is to defend against browser-based request forgery attacks, commonly known as cross-site request forgery (CSRF).", "parent": "V3.5" }, { "bom-ref": "V3.5.2", "identifier": "V3.5.2", "text": "Verify that, if the application relies on the CORS preflight mechanism to prevent disallowed cross-origin use of sensitive functionality, it is not possible to call the functionality with a request which does not trigger a CORS-preflight request. 
This may require checking the values of the 'Origin' and 'Content-Type' request header fields or using an extra header field that is not a CORS-safelisted header-field.", "parent": "V3.5" }, { "bom-ref": "V3.5.3", "identifier": "V3.5.3", "text": "Verify that HTTP requests to sensitive functionality use appropriate HTTP methods such as POST, PUT, PATCH, or DELETE, and not methods defined by the HTTP specification as \"safe\" such as HEAD, OPTIONS, or GET. Alternatively, strict validation of the Sec-Fetch-* request header fields can be used to ensure that the request did not originate from an inappropriate cross-origin call, a navigation request, or a resource load (such as an image source) where this is not expected.", "parent": "V3.5" }, { "bom-ref": "V3.5.4", "identifier": "V3.5.4", "text": "Verify that separate applications are hosted on different hostnames to leverage the restrictions provided by same-origin policy, including how documents or scripts loaded by one origin can interact with resources from another origin and hostname-based restrictions on cookies.", "parent": "V3.5" }, { "bom-ref": "V3.5.5", "identifier": "V3.5.5", "text": "Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid.", "parent": "V3.5" }, { "bom-ref": "V3.5.6", "identifier": "V3.5.6", "text": "Verify that JSONP functionality is not enabled anywhere across the application to avoid Cross-Site Script Inclusion (XSSI) attacks.", "parent": "V3.5" }, { "bom-ref": "V3.5.7", "identifier": "V3.5.7", "text": "Verify that data requiring authorization is not included in script resource responses, like JavaScript files, to prevent Cross-Site Script Inclusion (XSSI) attacks.", "parent": "V3.5" }, { "bom-ref": "V3.5.8", "identifier": "V3.5.8", "text": "Verify that authenticated resources (such as images, videos, scripts, and other documents) can be loaded or embedded on behalf of the user only 
when intended. This can be accomplished by strict validation of the Sec-Fetch-* HTTP request header fields to ensure that the request did not originate from an inappropriate cross-origin call, or by setting a restrictive Cross-Origin-Resource-Policy HTTP response header field to instruct the browser to block returned content.", "parent": "V3.5" }, { "bom-ref": "V3.6", "identifier": "V3.6", "title": "External Resource Integrity", "parent": "V3" }, { "bom-ref": "V3.6.1", "identifier": "V3.6.1", "text": "Verify that client-side assets, such as JavaScript libraries, CSS, or web fonts, are only hosted externally (e.g., on a Content Delivery Network) if the resource is static and versioned and Subresource Integrity (SRI) is used to validate the integrity of the asset. If this is not possible, there should be a documented security decision to justify this for each resource.", "parent": "V3.6" }, { "bom-ref": "V3.7", "identifier": "V3.7", "title": "Other Browser Security Considerations", "parent": "V3" }, { "bom-ref": "V3.7.1", "identifier": "V3.7.1", "text": "Verify that the application only uses client-side technologies which are still supported and considered secure. 
Examples of technologies which do not meet this requirement include NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.", "parent": "V3.7" }, { "bom-ref": "V3.7.2", "identifier": "V3.7.2", "text": "Verify that the application will only automatically redirect the user to a different hostname or domain (which is not controlled by the application) where the destination appears on an allowlist.", "parent": "V3.7" }, { "bom-ref": "V3.7.3", "identifier": "V3.7.3", "text": "Verify that the application shows a notification when the user is being redirected to a URL outside of the application's control, with an option to cancel the navigation.", "parent": "V3.7" }, { "bom-ref": "V3.7.4", "identifier": "V3.7.4", "text": "Verify that the application's top-level domain (e.g., site.tld) is added to the public preload list for HTTP Strict Transport Security (HSTS). This ensures that the use of TLS for the application is built directly into the main browsers, rather than relying only on the Strict-Transport-Security response header field.", "parent": "V3.7" }, { "bom-ref": "V3.7.5", "identifier": "V3.7.5", "text": "Verify that the application behaves as documented (such as warning the user or blocking access) if the browser used to access the application does not support the expected security features.", "parent": "V3.7" }, { "bom-ref": "V4", "identifier": "V4", "title": "API and Web Service" }, { "bom-ref": "V4.1", "identifier": "V4.1", "title": "Generic Web Service Security", "parent": "V4" }, { "bom-ref": "V4.1.1", "identifier": "V4.1.1", "text": "Verify that every HTTP response with a message body contains a Content-Type header field that matches the actual content of the response, including the charset parameter to specify safe character encoding (e.g., UTF-8, ISO-8859-1) according to IANA Media Types, such as \"text/\", \"/+xml\" and \"/xml\".", "parent": "V4.1" }, { "bom-ref": "V4.1.2", "identifier": "V4.1.2", "text": "Verify that only 
user-facing endpoints (intended for manual web-browser access) automatically redirect from HTTP to HTTPS, while other services or endpoints do not implement transparent redirects. This is to avoid a situation where a client is erroneously sending unencrypted HTTP requests, but since the requests are being automatically redirected to HTTPS, the leakage of sensitive data goes undiscovered.", "parent": "V4.1" }, { "bom-ref": "V4.1.3", "identifier": "V4.1.3", "text": "Verify that any HTTP header field used by the application and set by an intermediary layer, such as a load balancer, a web proxy, or a backend-for-frontend service, cannot be overridden by the end-user. Example headers might include X-Real-IP, X-Forwarded-*, or X-User-ID.", "parent": "V4.1" }, { "bom-ref": "V4.1.4", "identifier": "V4.1.4", "text": "Verify that only HTTP methods that are explicitly supported by the application or its API (including OPTIONS during preflight requests) can be used and that unused methods are blocked.", "parent": "V4.1" }, { "bom-ref": "V4.1.5", "identifier": "V4.1.5", "text": "Verify that per-message digital signatures are used to provide additional assurance on top of transport protections for requests or transactions which are highly sensitive or which traverse a number of systems.", "parent": "V4.1" }, { "bom-ref": "V4.2", "identifier": "V4.2", "title": "HTTP Message Structure Validation", "parent": "V4" }, { "bom-ref": "V4.2.1", "identifier": "V4.2.1", "text": "Verify that all application components (including load balancers, firewalls, and application servers) determine boundaries of incoming HTTP messages using the appropriate mechanism for the HTTP version to prevent HTTP request smuggling. In HTTP/1.x, if a Transfer-Encoding header field is present, the Content-Length header must be ignored per RFC 2616. 
When using HTTP/2 or HTTP/3, if a Content-Length header field is present, the receiver must ensure that it is consistent with the length of the DATA frames.", "parent": "V4.2" }, { "bom-ref": "V4.2.2", "identifier": "V4.2.2", "text": "Verify that when generating HTTP messages, the Content-Length header field does not conflict with the length of the content as determined by the framing of the HTTP protocol, in order to prevent request smuggling attacks.", "parent": "V4.2" }, { "bom-ref": "V4.2.3", "identifier": "V4.2.3", "text": "Verify that the application does not send nor accept HTTP/2 or HTTP/3 messages with connection-specific header fields such as Transfer-Encoding to prevent response splitting and header injection attacks.", "parent": "V4.2" }, { "bom-ref": "V4.2.4", "identifier": "V4.2.4", "text": "Verify that the application only accepts HTTP/2 and HTTP/3 requests where the header fields and values do not contain any CR (\\r), LF (\\n), or CRLF (\\r\\n) sequences, to prevent header injection attacks.", "parent": "V4.2" }, { "bom-ref": "V4.2.5", "identifier": "V4.2.5", "text": "Verify that, if the application (backend or frontend) builds and sends requests, it uses validation, sanitization, or other mechanisms to avoid creating URIs (such as for API calls) or HTTP request header fields (such as Authorization or Cookie), which are too long to be accepted by the receiving component. 
This could cause a denial of service, such as when sending an overly long request (e.g., a long cookie header field), which results in the server always responding with an error status.", "parent": "V4.2" }, { "bom-ref": "V4.3", "identifier": "V4.3", "title": "GraphQL", "parent": "V4" }, { "bom-ref": "V4.3.1", "identifier": "V4.3.1", "text": "Verify that a query allowlist, depth limiting, amount limiting, or query cost analysis is used to prevent GraphQL or data layer expression Denial of Service (DoS) as a result of expensive, nested queries.", "parent": "V4.3" }, { "bom-ref": "V4.3.2", "identifier": "V4.3.2", "text": "Verify that GraphQL introspection queries are disabled in the production environment unless the GraphQL API is meant to be used by other parties.", "parent": "V4.3" }, { "bom-ref": "V4.4", "identifier": "V4.4", "title": "WebSocket", "parent": "V4" }, { "bom-ref": "V4.4.1", "identifier": "V4.4.1", "text": "Verify that WebSocket over TLS (WSS) is used for all WebSocket connections.", "parent": "V4.4" }, { "bom-ref": "V4.4.2", "identifier": "V4.4.2", "text": "Verify that, during the initial HTTP WebSocket handshake, the Origin header field is checked against a list of origins allowed for the application.", "parent": "V4.4" }, { "bom-ref": "V4.4.3", "identifier": "V4.4.3", "text": "Verify that, if the application's standard session management cannot be used, dedicated tokens are being used for this, which comply with the relevant Session Management security requirements.", "parent": "V4.4" }, { "bom-ref": "V4.4.4", "identifier": "V4.4.4", "text": "Verify that dedicated WebSocket session management tokens are initially obtained or validated through the previously authenticated HTTPS session when transitioning an existing HTTPS session to a WebSocket channel.", "parent": "V4.4" }, { "bom-ref": "V5", "identifier": "V5", "title": "File Handling" }, { "bom-ref": "V5.1", "identifier": "V5.1", "title": "File Handling Documentation", "parent": "V5" }, { 
"bom-ref": "V5.1.1", "identifier": "V5.1.1", "text": "Verify that the documentation defines the permitted file types, expected file extensions, and maximum size (including unpacked size) for each upload feature. Additionally, ensure that the documentation specifies how files are made safe for end-users to download and process, such as how the application behaves when a malicious file is detected.", "parent": "V5.1" }, { "bom-ref": "V5.2", "identifier": "V5.2", "title": "File Upload and Content", "parent": "V5" }, { "bom-ref": "V5.2.1", "identifier": "V5.2.1", "text": "Verify that the application will only accept files of a size which it can process without causing a loss of performance or a denial of service attack.", "parent": "V5.2" }, { "bom-ref": "V5.2.2", "identifier": "V5.2.2", "text": "Verify that when the application accepts a file, either on its own or within an archive such as a zip file, it checks if the file extension matches an expected file extension and validates that the contents correspond to the type represented by the extension. This includes, but is not limited to, checking the initial 'magic bytes', performing image re-writing, and using specialized libraries for file content validation. For L1, this can focus just on files which are used to make specific business or security decisions. 
For L2 and up, this must apply to all files being accepted.", "parent": "V5.2" }, { "bom-ref": "V5.2.3", "identifier": "V5.2.3", "text": "Verify that the application checks compressed files (e.g., zip, gz, docx, odt) against maximum allowed uncompressed size and against maximum number of files before uncompressing the file.", "parent": "V5.2" }, { "bom-ref": "V5.2.4", "identifier": "V5.2.4", "text": "Verify that a file size quota and maximum number of files per user are enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files.", "parent": "V5.2" }, { "bom-ref": "V5.2.5", "identifier": "V5.2.5", "text": "Verify that the application does not allow uploading compressed files containing symlinks unless this is specifically required (in which case it will be necessary to enforce an allowlist of the files that can be symlinked to).", "parent": "V5.2" }, { "bom-ref": "V5.2.6", "identifier": "V5.2.6", "text": "Verify that the application rejects uploaded images with a pixel size larger than the maximum allowed, to prevent pixel flood attacks.", "parent": "V5.2" }, { "bom-ref": "V5.3", "identifier": "V5.3", "title": "File Storage", "parent": "V5" }, { "bom-ref": "V5.3.1", "identifier": "V5.3.1", "text": "Verify that files uploaded or generated by untrusted input and stored in a public folder, are not executed as server-side program code when accessed directly with an HTTP request.", "parent": "V5.3" }, { "bom-ref": "V5.3.2", "identifier": "V5.3.2", "text": "Verify that when the application creates file paths for file operations, instead of user-submitted filenames, it uses internally generated or trusted data, or if user-submitted filenames or file metadata must be used, strict validation and sanitization must be applied. 
This is to protect against path traversal, local or remote file inclusion (LFI, RFI), and server-side request forgery (SSRF) attacks.", "parent": "V5.3" }, { "bom-ref": "V5.3.3", "identifier": "V5.3.3", "text": "Verify that server-side file processing, such as file decompression, ignores user-provided path information to prevent vulnerabilities such as zip slip.", "parent": "V5.3" }, { "bom-ref": "V5.4", "identifier": "V5.4", "title": "File Download", "parent": "V5" }, { "bom-ref": "V5.4.1", "identifier": "V5.4.1", "text": "Verify that the application validates or ignores user-submitted filenames, including in a JSON, JSONP, or URL parameter and specifies a filename in the Content-Disposition header field in the response.", "parent": "V5.4" }, { "bom-ref": "V5.4.2", "identifier": "V5.4.2", "text": "Verify that file names served (e.g., in HTTP response header fields or email attachments) are encoded or sanitized (e.g., following RFC 6266) to preserve document structure and prevent injection attacks.", "parent": "V5.4" }, { "bom-ref": "V5.4.3", "identifier": "V5.4.3", "text": "Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent serving of known malicious content.", "parent": "V5.4" }, { "bom-ref": "V6", "identifier": "V6", "title": "Authentication" }, { "bom-ref": "V6.1", "identifier": "V6.1", "title": "Authentication Documentation", "parent": "V6" }, { "bom-ref": "V6.1.1", "identifier": "V6.1.1", "text": "Verify that application documentation defines how controls such as rate limiting, anti-automation, and adaptive response, are used to defend against attacks such as credential stuffing and password brute force. The documentation must make clear how these controls are configured and prevent malicious account lockout.", "parent": "V6.1" }, { "bom-ref": "V6.1.2", "identifier": "V6.1.2", "text": "Verify that a list of context-specific words is documented in order to prevent their use in passwords. 
The list could include permutations of organization names, product names, system identifiers, project codenames, department or role names, and similar.", "parent": "V6.1" }, { "bom-ref": "V6.1.3", "identifier": "V6.1.3", "text": "Verify that, if the application includes multiple authentication pathways, these are all documented together with the security controls and authentication strength which must be consistently enforced across them.", "parent": "V6.1" }, { "bom-ref": "V6.2", "identifier": "V6.2", "title": "Password Security", "parent": "V6" }, { "bom-ref": "V6.2.1", "identifier": "V6.2.1", "text": "Verify that user set passwords are at least 8 characters in length although a minimum of 15 characters is strongly recommended.", "parent": "V6.2" }, { "bom-ref": "V6.2.2", "identifier": "V6.2.2", "text": "Verify that users can change their password.", "parent": "V6.2" }, { "bom-ref": "V6.2.3", "identifier": "V6.2.3", "text": "Verify that password change functionality requires the user's current and new password.", "parent": "V6.2" }, { "bom-ref": "V6.2.4", "identifier": "V6.2.4", "text": "Verify that passwords submitted during account registration or password change are checked against an available set of, at least, the top 3000 passwords which match the application's password policy, e.g. minimum length.", "parent": "V6.2" }, { "bom-ref": "V6.2.5", "identifier": "V6.2.5", "text": "Verify that passwords of any composition can be used, without rules limiting the type of characters permitted. There must be no requirement for a minimum number of upper or lower case characters, numbers, or special characters.", "parent": "V6.2" }, { "bom-ref": "V6.2.6", "identifier": "V6.2.6", "text": "Verify that password input fields use type=password to mask the entry. 
Applications may allow the user to temporarily view the entire masked password, or the last typed character of the password.", "parent": "V6.2" }, { "bom-ref": "V6.2.7", "identifier": "V6.2.7", "text": "Verify that \"paste\" functionality, browser password helpers, and external password managers are permitted.", "parent": "V6.2" }, { "bom-