From 5e7c034dec32031cea4a672b85a7e7b835498fb3 Mon Sep 17 00:00:00 2001 From: Elar Lang Date: Fri, 13 Sep 2024 08:20:40 +0300 Subject: [PATCH] moving requirements to different section, #1808 #959 --- 5.0/en/0x20-V12-Files-Resources.md | 2 +- 5.0/en/0x21-V13-API.md | 22 +++++++++++++++++++++- 5.0/en/0x22-V14-Config.md | 23 +++++------------------ 5.0/en/0x50-V50-Web-Frontend-Security.md | 1 + 4 files changed, 28 insertions(+), 20 deletions(-) diff --git a/5.0/en/0x20-V12-Files-Resources.md b/5.0/en/0x20-V12-Files-Resources.md index bc7237172..03244787d 100644 --- a/5.0/en/0x20-V12-Files-Resources.md +++ b/5.0/en/0x20-V12-Files-Resources.md @@ -57,7 +57,7 @@ Although zip bombs can be effectively tested using penetration testing technique | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **12.6.1** | [MOVED TO 14.7.1] | | | | | +| **12.6.1** | [MOVED TO 14.6.1] | | | | | ## V12.7 Application Resources diff --git a/5.0/en/0x21-V13-API.md b/5.0/en/0x21-V13-API.md index a8e5e650e..a685a0ba5 100644 --- a/5.0/en/0x21-V13-API.md +++ b/5.0/en/0x21-V13-API.md 
@@ -16,6 +16,8 @@ Please read this chapter in combination with all other chapters at this same lev | **13.1.4** | [DELETED, DUPLICATE OF 4.2.1] | | | | | | **13.1.5** | [DELETED, INSUFFICIENT IMPACT] | | | | | | **13.1.6** | [MODIFIED, MOVED FROM 13.2.6, LEVEL L2 > L3] Verify that per-message digital signatures are used to provide additional assurance on top of transport protections for requests or transactions which are highly sensitive or which traverse a number of systems. | | | ✓ | 345 | +| **13.1.7** | [MODIFIED, MOVED FROM 14.4.1, SPLIT TO 13.1.8] Verify that every HTTP response contains a Content-Type header which matches the actual content of the response. | ✓ | ✓ | ✓ | 173 | +| **13.1.8** | [ADDED, SPLIT FROM 13.1.7] Verify that if a response specifies a Content-Type of "text/\*", "\*/\*+xml" and "\*/xml", it also specifies a safe character set (e.g., UTF-8, ISO-8859-1) with the charset parameter. | ✓ | ✓ | ✓ | 173 | ## V13.2 RESTful Web Service @@ -25,7 +27,7 @@ Due to the lack of a formal stable version of the JSON schema validation specifi | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **13.2.1** | [MOVED TO 14.5.5] | | | | | +| **13.2.1** | [MOVED TO 13.6.2] | | | | | | **13.2.2** | [LEVEL L1 > L3] Verify that JSON schema validation is in place and verified before accepting input. | | | ✓ | 20 | | **13.2.3** | [DELETED, MERGED TO 50.3.1] | | | | | | **13.2.4** | [DELETED, DUPLICATE OF 11.1.4] | | | | | 
@@ -60,6 +62,24 @@ GraphQL is becoming more common as a way of creating data rich clients which are | **13.5.3** | [ADDED] Verify that, if the application's standard session management cannot be used, dedicated tokens are being used for this which comply with the relevant Session Management security requirements. | ✓ | ✓ | ✓ | 331 | | **13.5.4** | [ADDED] Verify that dedicated WebSocket session management tokens are initially obtained or validated through the previously authenticated HTTPS session when transitioning an existing HTTPS session to a WebSocket channel. | ✓ | ✓ | ✓ | 319 | +## V13.6 HTTP Request Header Validation + +| # | Description | L1 | L2 | L3 | CWE | +| :---: | :--- | :---: | :---: | :---: | :---: | +| **13.6.1** | [MODIFIED, MOVED FROM 14.5.1] Verify that the application only responds to HTTP methods in use by the application or by the API (including OPTIONS during preflight requests) and unused methods (e.g. TRACE) are blocked. | ✓ | ✓ | ✓ | 749 | +| **13.6.2** | [MODIFIED, MOVED FROM 13.2.1] Verify that HTTP requests using the HEAD, OPTIONS, TRACE or GET verb do not modify any backend data structure or perform any state-changing actions. These requests are safe methods and should therefore not have any side effects. | ✓ | ✓ | ✓ | 650 | +| **13.6.3** | [ADDED] Verify that all application components, including load balancers, firewalls, and application servers, comply with RFC 2616 by ignoring the Content-Length header when a Transfer-Encoding header is present, to prevent HTTP Request Smuggling. | | ✓ | ✓ | 444 | +| **13.6.4** | [ADDED] Verify that any HTTP headers used by the application and defined by intermediary devices like load balancers or proxies, such as X-Real-IP and X-Forwarded-*, cannot be overridden by the end-user. 
| | ✓ | ✓ | 346 | + +## V13.7 HTTP/2 + +| # | Description | L1 | L2 | L3 | CWE | +| :---: | :--- | :---: | :---: | :---: | :---: | +| **13.7.1** | [ADDED] Verify that the value in the Content-Length request header matches the calculated length using the built-in mechanism. | ✓ | ✓ | ✓ | 400 | +| **13.7.2** | [ADDED] Verify that all Transfer-Encoding headers are stripped from the message or that the request is blocked entirely. | ✓ | ✓ | ✓ | | +| **13.7.3** | [ADDED] Verify that a full CRLF (\r\n) sequence is neutralized inside a HTTP/2 header. | ✓ | ✓ | ✓ | 113 | + + ## References For more information, see also: diff --git a/5.0/en/0x22-V14-Config.md b/5.0/en/0x22-V14-Config.md index fda1cf695..4a2a09662 100644 --- a/5.0/en/0x22-V14-Config.md +++ b/5.0/en/0x22-V14-Config.md 
@@ -67,42 +67,29 @@ Configurations for production should be hardened to protect against common attac | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **14.4.1** | [MODIFIED, SPLIT TO 14.4.8] Verify that every HTTP response contains a Content-Type header which matches the actual content of the response. | ✓ | ✓ | ✓ | 173 | +| **14.4.1** | [MOVED TO 13.1.7] | | | | | | **14.4.2** | [DELETED, DEPRECATED BY 50.5.3] | | | | | | **14.4.3** | [MOVED TO 50.2.1] | | | | | | **14.4.4** | [MOVED TO 50.2.2] | | | | | | **14.4.5** | [MOVED TO 50.2.3] | | | | | | **14.4.6** | [MOVED TO 50.2.4] | | | | | | **14.4.7** | [MOVED TO 50.2.5] | | | | | -| **14.4.8** | [ADDED, SPLIT FROM 14.4.1] Verify that if a response specifies a Content-Type of "text/\*", "\*/\*+xml" and "\*/xml", it also specifies a safe character set (e.g., UTF-8, ISO-8859-1) with the charset parameter. | ✓ | ✓ | ✓ | 173 | ## V14.5 HTTP Request Header Validation | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **14.5.1** | [MODIFIED] Verify that the application only responds to HTTP methods in use by the application or by the API (including OPTIONS during preflight requests) and unused methods (e.g. TRACE) are blocked. | ✓ | ✓ | ✓ | 749 | +| **14.5.1** | [MOVED TO 13.6.1] Verify that the application only responds to HTTP methods in use by the application or by the API (including OPTIONS during preflight requests) and unused methods (e.g. TRACE) are blocked. | ✓ | ✓ | ✓ | 749 | | **14.5.2** | [DELETED, DUPLICATE OF 4.1.1] | | | | | | **14.5.3** | [SPLIT TO 50.2.6, 50.3.3] | | | | | | **14.5.4** | [DELETED, INCORRECT] | | | | | -| **14.5.5** | [MODIFIED, MOVED FROM 13.2.1] Verify that HTTP requests using the HEAD, OPTIONS, TRACE or GET verb do not modify any backend data structure or perform any state-changing actions. These requests are safe methods and should therefore not have any side effects. 
| ✓ | ✓ | ✓ | 650 | -| **14.5.6** | [ADDED] Verify that all application components, including load balancers, firewalls, and application servers, comply with RFC 2616 by ignoring the Content-Length header when a Transfer-Encoding header is present, to prevent HTTP Request Smuggling. | | ✓ | ✓ | 444 | -| **14.5.7** | [ADDED] Verify that the web application warns users who are using an old browser which does not support HTTP security features on which the application relies. The list of old browsers must be periodically reviewed and updated. | | | ✓ | 1104 | -| **14.5.8** | [ADDED] Verify that any HTTP headers used by the application and defined by intermediary devices like load balancers or proxies, such as X-Real-IP and X-Forwarded-*, cannot be overridden by the end-user. | | ✓ | ✓ | 346 | -## V14.6 HTTP/2 +## V14.6 Web or Application Server Configuration | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **14.6.1** | [ADDED] Verify that the value in the Content-Length request header matches the calculated length using the built-in mechanism. | ✓ | ✓ | ✓ | 400 | -| **14.6.2** | [ADDED] Verify that all Transfer-Encoding headers are stripped from the message or that the request is blocked entirely. | ✓ | ✓ | ✓ | | -| **14.6.3** | [ADDED] Verify that a full CRLF (\r\n) sequence is neutralized inside a HTTP/2 header. | ✓ | ✓ | ✓ | 113 | - -## V14.7 Web or Application Server Configuration - -| # | Description | L1 | L2 | L3 | CWE | -| :---: | :--- | :---: | :---: | :---: | :---: | -| **14.7.1** | [GRAMMAR, MOVED FROM 12.6.1] Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data or files from. | ✓ | ✓ | ✓ | 918 | -| **14.7.2** | [ADDED] Verify that communications between back-end application components, including APIs, middleware and data layers, are performed with the least necessary privileges. 
| | ✓ | ✓ | 272 | +| **14.6.1** | [GRAMMAR, MOVED FROM 12.6.1] Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data or files from. | ✓ | ✓ | ✓ | 918 | +| **14.6.2** | [ADDED] Verify that communications between back-end application components, including APIs, middleware and data layers, are performed with the least necessary privileges. | | ✓ | ✓ | 272 | ## References diff --git a/5.0/en/0x50-V50-Web-Frontend-Security.md b/5.0/en/0x50-V50-Web-Frontend-Security.md index fbfa5898d..7a8f54d75 100644 --- a/5.0/en/0x50-V50-Web-Frontend-Security.md +++ b/5.0/en/0x50-V50-Web-Frontend-Security.md @@ -69,6 +69,7 @@ it may need other separate section for "end-user protection via UI" | :---: | :--- | :---: | :---: | :---: | :---: | | **50.7.1** | [ADDED, SPLIT FROM 5.1.5] Verify that the application shows a notification when the user is being redirected to a URL outside of the application's control, with an option to cancel the navigation. | | | ✓ | | | **50.7.2** | [MODIFIED, MOVED FROM 1.14.6] Verify the application only uses client-side technologies which are still supported and considered secure. Examples of technologies which do not meet this requirement include NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets. | | ✓ | ✓ | 477 | +| **50.7.3** | [ADDED] Verify that the web application warns users who are using an old browser which does not support HTTP security features on which the application relies. The list of old browsers must be periodically reviewed and updated. | | | ✓ | 1104 | ## References
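Review bot: In the 0x21-V13-API.md hunk at @@ -16,6 +16,8 @@, the new 13.1.8 row is tagged `[ADDED, SPLIT FROM 13.1.7]`, which points at a 5.0 number, while every other provenance tag in this patch points at the 4.0 identifier (13.1.7 says `MOVED FROM 14.4.1`, 13.6.2 says `MOVED FROM 13.2.1`). The 14.4.8 row being removed read `[ADDED, SPLIT FROM 14.4.1]`; carrying that over as `[ADDED, SPLIT FROM 14.4.1]` keeps the trail back to the original requirement readable without having to resolve the new number first.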
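Review bot: In the 0x21-V13-API.md hunk at @@ -60,6 +62,24 @@, the added block ends with two consecutive `+` blank lines before the `## References` context line, which leaves a double blank line that markdownlint (MD012) will flag; drop one of them. Two smaller points in the same hunk: 13.6.1 and 13.6.2 are about which HTTP methods are accepted and which must be side-effect free, so the heading `V13.6 HTTP Request Header Validation` carried over from V14.5 does not describe them well, and 13.6.3 still cites RFC 2616, which has been obsoleted (RFC 7230, now RFC 9112), so the reference is worth refreshing while the text is being relocated anyway.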
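Review bot: In the 0x22-V14-Config.md hunk, the 14.5.1 row is changed to `[MOVED TO 13.6.1]` but keeps its full description, level ticks and CWE 749, so the same requirement now appears verbatim as both 13.6.1 and 14.5.1 and would be counted twice; every other tombstone in this patch (14.4.1 `[MOVED TO 13.1.7]`, 13.2.1 `[MOVED TO 13.6.2]`, 12.6.1 `[MOVED TO 14.6.1]`) has the description and level columns blanked, and 14.5.1 should match: `| **14.5.1** | [MOVED TO 13.6.1] | | | | |`. Also worth a check before merging: renumbering `V14.7 Web or Application Server Configuration` to V14.6 reuses the number of the removed HTTP/2 section, so any other file or mapping still pointing at 14.6.x or 14.7.x needs the same update that 12.6.1 receives in the first hunk.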