ASVS Item #  Requirement
V2.1  Verify all pages and resources require authentication except those specifically intended to be public (Principle of complete mediation).
V2.2  Verify all password fields do not echo the user's password when it is entered.
V2.4  Verify all authentication controls are enforced on the server side.
V2.5  Verify all authentication controls (including libraries that call external authentication services) have a centralized implementation.
V2.6  Verify all authentication controls fail securely to ensure attackers cannot log in.
V2.7  Verify password entry fields allow or encourage the use of passphrases, and do not prevent long passphrases or highly complex passwords being entered, and provide a sufficient minimum strength to protect against the use of commonly chosen passwords.
V2.8  Verify all account identity authentication functions (such as registration, update profile, forgot username, forgot password, disabled / lost token, help desk or IVR) that might regain access to the account are at least as resistant to attack as the primary authentication mechanism.
V2.9  Verify users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism.
V2.12  Verify that all authentication decisions are logged. This should include requests with missing required information, needed for security investigations.
V2.13  Verify that account passwords are salted using a salt that is unique to that account (e.g., internal user ID, account creation) and use bcrypt, scrypt or PBKDF2 before storing the password.
V2.16  Verify that credentials, and all other identity information handled by the application(s), do not traverse unencrypted or weakly encrypted links.
V2.17  Verify that the forgotten password function and other recovery paths do not reveal the current password and that the new password is not sent in clear text to the user.
V2.18  Verify that username enumeration is not possible via login, password reset, or forgot account functionality.
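Added example, not part of the ASVS text: a Python password store and login routine that satisfies V2.13 and V2.18 together. It derives a key with PBKDF2-HMAC-SHA256 under a random per-account salt, compares in constant time, and runs a dummy derivation for unknown usernames so that neither the message nor the timing reveals whether an account exists. The in-memory `USERS` store and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory store for the example: username -> (salt, derived key).
USERS = {}
_ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; tune so one derivation costs ~100 ms


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS, dklen=32)


def register(username: str, password: str) -> None:
    # V2.13: a fresh random salt per account; only the salt and derived key are stored,
    # so two accounts with the same password get different records.
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))


# Dummy record used for unknown usernames, so the login path always performs exactly one
# derivation and takes the same time whether or not the account exists (V2.18).
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive("placeholder-password-for-unknown-accounts", _DUMMY_SALT)


def login(username: str, password: str):
    """Returns (success, message); the message is identical for unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    candidate = _derive(password, salt)
    # Constant-time comparison; the membership check comes last so the derivation always runs.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if ok:
        return True, "Login successful"
    return False, "Invalid username or password"
```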
V2.19  Verify there are no default passwords in use for the application framework or any components used by the application (such as "admin/password").
V2.20  Verify that a resource governor is in place to protect against vertical (a single account tested against all possible passwords) and horizontal brute forcing (all accounts tested with the same "Password1"). A correct credential entry should incur no delay. Both governor mechanisms should be active simultaneously to protect against diagonal and distributed attacks.
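Added example, not part of the ASVS text: a Python resource governor for V2.20 that tracks recent failures per account (vertical) and per request source (horizontal) at the same time, and never counts or delays a successful login. The limits, the sliding window and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict, deque


class LoginGovernor:
    """Limits failed logins per account and per source simultaneously (V2.20)."""

    def __init__(self, account_limit=5, source_limit=20, window_s=300, clock=time.monotonic):
        self.account_limit = account_limit  # failures tolerated per account within the window
        self.source_limit = source_limit    # failures tolerated per source (e.g. client IP) within the window
        self.window_s = window_s
        self.clock = clock                  # injectable for testing; constructed assumption
        self._account_fails = defaultdict(deque)  # account -> timestamps of recent failures
        self._source_fails = defaultdict(deque)   # source  -> timestamps of recent failures

    def _prune(self, q, now):
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allowed(self, account: str, source: str) -> bool:
        now = self.clock()
        aq, sq = self._account_fails[account], self._source_fails[source]
        self._prune(aq, now)
        self._prune(sq, now)
        # Both governors are consulted on every attempt: spreading guesses across accounts
        # still hits the source limit, and spreading across sources still hits the account limit.
        return len(aq) < self.account_limit and len(sq) < self.source_limit

    def record_failure(self, account: str, source: str) -> None:
        now = self.clock()
        self._account_fails[account].append(now)
        self._source_fails[source].append(now)


def attempt_login(gov: LoginGovernor, check_credentials, account: str, password: str, source: str) -> str:
    """Returns 'throttled', 'ok' or 'denied'. A correct credential is neither delayed nor counted."""
    if not gov.allowed(account, source):
        return "throttled"
    if check_credentials(account, password):
        return "ok"
    gov.record_failure(account, source)
    return "denied"
```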
V2.21  Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code).
V2.22  Verify that forgotten password and other recovery paths send a link including a time-limited activation token rather than the password itself. Additional authentication based on soft-tokens (e.g. SMS token, native mobile applications, etc.) can be required as well before the link is sent over.
V2.23  Verify that forgot password functionality does not lock or otherwise disable the account until after the user has successfully changed their password. This is to prevent valid users from being locked out.
V2.24  Verify that there are no shared knowledge questions/answers (so called "secret" questions and answers).
V2.25  Verify that the system can be configured to disallow the use of a configurable number of previous passwords.
V2.26  Verify re-authentication, step up or adaptive authentication, SMS or other two factor authentication, or transaction signing is required before any application-specific sensitive operations are permitted as per the risk profile of the application.
V3.1  Verify that the framework's default session management control implementation is used by the application.
V3.2  Verify that sessions are invalidated when the user logs out.
V3.3  Verify that sessions timeout after a specified period of inactivity.
V3.4  Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout).
V3.5  Verify that all pages that require authentication to access them have logout links.
V3.6  Verify that the session id is never disclosed other than in cookie headers; particularly in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies.
V3.7  Verify that the session id is changed on login to prevent session fixation.
V3.8  Verify that the session id is changed upon re-authentication.
V3.10  Verify that only session ids generated by the application framework are recognized as valid by the application.
V3.11  Verify that authenticated session tokens are sufficiently long and random to withstand session guessing attacks.
V3.12  Verify that authenticated session tokens using cookies have their path set to an appropriately restrictive value for that site. The domain cookie attribute restriction should not be set unless for a business requirement, such as single sign on.
V3.14  Verify that authenticated session tokens using cookies sent via HTTP are protected by the use of "HttpOnly".
V3.15  Verify that authenticated session tokens using cookies are protected with the "Secure" attribute and that a strict transport security header (such as Strict-Transport-Security: max-age=60000; includeSubDomains) is present.
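Added example, not part of the ASVS text: a Python helper that emits a session cookie meeting V3.12, V3.14 and V3.15, and an audit function that parses a `Set-Cookie` header plus the response headers and reports which of those items it fails. It uses only the standard library `http.cookies`; the cookie name and the `/app` path are assumptions made for the example.

```python
from http.cookies import SimpleCookie


def session_cookie_header(name: str, value: str, path: str = "/app") -> str:
    """Builds a Set-Cookie header value for a session token per V3.12, V3.14 and V3.15."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = path       # V3.12: restrictive path; no Domain attribute unless required
    c[name]["httponly"] = True   # V3.14: not readable by script
    c[name]["secure"] = True     # V3.15: only sent over HTTPS
    c[name]["samesite"] = "Lax"
    return c.output(header="").strip()


def audit_session_cookie(set_cookie: str, response_headers: dict) -> list:
    """Returns the ASVS items a Set-Cookie header and its response headers fail (empty list = pass)."""
    findings = []
    c = SimpleCookie()
    c.load(set_cookie)
    for morsel in c.values():
        if morsel["path"] in ("", "/"):
            findings.append("V3.12: cookie path is not restrictive")
        if morsel["domain"]:
            findings.append("V3.12: Domain attribute set without a stated business need")
        if not morsel["httponly"]:
            findings.append("V3.14: HttpOnly missing")
        if not morsel["secure"]:
            findings.append("V3.15: Secure missing")
    # Header names are case-insensitive; look for an HSTS header with a max-age directive.
    lowered = {k.lower(): v for k, v in response_headers.items()}
    hsts = lowered.get("strict-transport-security", "")
    if "max-age=" not in hsts.lower():
        findings.append("V3.15: Strict-Transport-Security header missing")
    return findings
```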
V3.16  Verify that the application does not permit duplicate concurrent user sessions, originating from different machines.
V4.1  Verify that users can only access secured functions or services for which they possess specific authorization.
V4.2  Verify that users can only access secured URLs for which they possess specific authorization.
V4.3  Verify that users can only access secured data files for which they possess specific authorization.
V4.4  Verify that direct object references are protected, such that only authorized objects or data are accessible to each user (for example, protect against direct object reference tampering).
V4.5  Verify that directory browsing is disabled unless deliberately desired.
V4.8  Verify that access controls fail securely.
V4.9  Verify that the same access control rules implied by the presentation layer are enforced on the server side for that user role, such that controls and parameters cannot be re-enabled or re-added from higher privilege users.
V4.10  Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
V4.11  Verify that all access controls are enforced on the server side.
V4.12  Verify that there is a centralized mechanism (including libraries that call external authorization services) for protecting access to each type of protected resource.
V4.14  Verify that all access control decisions can be logged and all failed decisions are logged.
V4.16  Verify that the application or framework generates strong random anti-CSRF tokens unique to the user as part of all high value transactions or accessing sensitive data, and that the application verifies the presence of this token with the proper value for the current user when processing the requests.
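Added example, not part of the ASVS text: a Python anti-CSRF token scheme for V4.16. Each token is a random nonce bound to the user's session by an HMAC under a server key, so a token issued to one session does not verify for another, and the high-value handler checks presence and value in constant time before changing any state. The server key, the session id and the transfer handler are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; in a real deployment it would be loaded from protected storage (V2.21).
_SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(_SERVER_KEY, f"{session_id}:{nonce}".encode("utf-8"), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Strong random token unique to this user's session (V4.16): random nonce + binding MAC."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Rejects missing, malformed, tampered tokens and tokens issued to a different session."""
    if not token or not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(request: dict, session_id: str):
    """Constructed high-value POST handler: the token check runs before any state change."""
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s" % form.get("amount")
```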
V4.17  Aggregate access control protection: verify the system can protect against aggregate or continuous access of secured functions, resources, or data. For example, possibly by the use of a resource governor to limit the number of edits per hour or to prevent the entire database from being scraped by an individual user.
V5.1  Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows.
V5.3  Verify that all input validation failures result in input rejection.
V5.4  Verify that a character set, such as UTF-8, is specified for all sources of input.
V5.5  Verify that all input validation or encoding routines are performed and enforced on the server side.
V5.6  Verify that a single input validation control is used by the application for each type of data that is accepted.
V5.7  Verify that all input validation failures are logged.
V5.8  Verify that all input data is canonicalized for all downstream decoders or interpreters prior to validation.
V5.10  Verify that the runtime environment is not susceptible to SQL Injection, or that security controls prevent SQL Injection.