
Proposal: merge 13.2.4 to 11.1.4 #971

Closed
elarlang opened this issue Apr 14, 2021 · 4 comments

Comments

@elarlang (Collaborator) commented Apr 14, 2021

Current 13.2.4:

Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated.

  • Level: 2, 3
  • CWE: 770

Current 11.1.4:

Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks.

  • Level: 1, 2, 3
  • CWE: 770

Those seem like duplicates. I would like to know more about why there is a separate requirement (13.2.4) for APIs, with a different level.

If there is no good reason, I prefer to merge them into 11.1.4. Personally I don't see the need for a special requirement for an API, as it does not contain anything specific.

@jmanico (Member) commented Apr 15, 2021

I think merging them into 11.1.4 is a good idea. A merge would look like:

Verify that the application has anti-automation controls to protect against excessive calls such as mass data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks, especially if the API is unauthenticated.

The point being, this is almost impossible to accomplish for un-authenticated users.
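To make the "unauthenticated" point concrete, here is an added example (not ASVS, OWASP or any commenter's code) of a token-bucket anti-automation control in Python. The request fields, the limits and the traffic are all constructed for the illustration and are assumptions, not anything from the thread. The limiter keys on the verified subject when a request is authenticated and falls back to the source IP when it is not; the constructed traffic shows why that fallback is so much weaker, since the same 30 calls that exhaust a single source's bucket pass straight through when spread over 30 addresses.

```python
"""Token-bucket anti-automation control for an HTTP API.

Added illustration for the ASVS anti-automation requirement discussed in this
issue; it is not ASVS/OWASP code. Request fields, limits and traffic are
constructed for the example (assumptions, not anything from the thread).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Bucket:
    tokens: float
    last_refill: float


@dataclass
class TokenBucketLimiter:
    """Allow at most `capacity` requests in a burst per key, refilling at
    `rate` tokens per second. Keys are whatever identity the caller chooses
    (user id, API token, or client IP); each key gets its own bucket."""
    capacity: int
    rate: float
    buckets: Dict[str, Bucket] = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(tokens=float(self.capacity), last_refill=now)
            self.buckets[key] = b
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - b.last_refill)
        b.tokens = min(float(self.capacity), b.tokens + elapsed * self.rate)
        b.last_refill = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def client_key(request: dict) -> str:
    """Choose the identity the limit is keyed on.

    An authenticated request is keyed on the verified subject, which the
    client cannot change without obtaining another credential. An
    unauthenticated request can only be keyed on its source address, which
    is shared by everyone behind the same NAT and is trivially multiplied by
    a proxy pool or botnet. That asymmetry is the "almost impossible for
    unauthenticated users" problem raised in the thread.
    """
    subject: Optional[str] = request.get("subject")
    if subject:
        return "user:" + subject
    return "ip:" + request["remote_addr"]


def simulate(limiter: TokenBucketLimiter,
             traffic: List[Tuple[float, dict]]) -> List[bool]:
    """Feed (timestamp, request) pairs through the limiter in order and
    return one allow/deny decision per request."""
    return [limiter.allow(client_key(req), ts) for ts, req in traffic]


def run_demo() -> Dict[str, int]:
    """Three constructed traffic patterns against a 10-burst, 1 req/s limit.
    Returns how many requests each pattern got through."""
    limits = dict(capacity=10, rate=1.0)
    alice = {"subject": "alice", "remote_addr": "198.51.100.7"}

    # 1. Authenticated client bursts 30 calls at t=0: the bucket empties after 10.
    lim = TokenBucketLimiter(**limits)
    auth_burst = simulate(lim, [(0.0, alice)] * 30)

    # 2. Same client retries 6 calls at t=5: five tokens have refilled.
    auth_later = simulate(lim, [(5.0, alice)] * 6)

    # 3. Unauthenticated scraper sends the same 30 calls at t=0, one per
    #    source address: every request lands in a fresh bucket and passes.
    lim2 = TokenBucketLimiter(**limits)
    spread = [(0.0, {"remote_addr": f"203.0.113.{i}"}) for i in range(30)]
    unauth_spread = simulate(lim2, spread)

    return {
        "auth_burst_allowed": auth_burst.count(True),
        "auth_later_allowed": auth_later.count(True),
        "unauth_spread_allowed": unauth_spread.count(True),
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {allowed}")
```

Per-IP limiting is still worth having for the unauthenticated case (it stops the naive single-source flood in pattern 1), but the third pattern is why a requirement that singles out unauthenticated APIs reads as aspirational: once the key is something the attacker controls, the bucket count grows with the attacker's address pool, and the remaining defences (proof-of-work, CAPTCHA, behavioural scoring, or simply requiring a credential) sit outside the rate limiter.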

@danielcuthbert (Collaborator)

It is also timely given a fair number of services (LinkedIn, Clubhouse etc.) have been impacted by this attack. Agree with you both here, no need for it to be API specific.

@elarlang (Collaborator, Author)

This repeated "excessive" does not feel good, and neither does "especially this one case".

Verify that the application has anti-automation controls to protect against excessive calls such as mass data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks, especially if the API is unauthenticated.

Proposal:

Verify that the application has anti-automation controls to protect against excessive calls such as mass data exfiltration, business logic requests, file uploads or denial of service attacks.

@jmanico (Member) commented Apr 20, 2021 via email

jmanico added a commit that referenced this issue Apr 20, 2021: merge anti-automation requirements (closes #971)

elarlang pushed a commit to elarlang/ASVS that referenced this issue Oct 25, 2021