From bfd169e245ea040517e9809547e80613eecb4cbc Mon Sep 17 00:00:00 2001
From: Spyros
Date: Mon, 2 Oct 2023 14:39:18 +0100
Subject: [PATCH] progress
---
 application/frontend/src/const.ts | 1 +
 .../frontend/src/pages/Explorer/explorer.scss | 79 +++++-
 .../frontend/src/pages/Explorer/explorer.tsx | 63 +++++-
 .../src/pages/Explorer/visuals/circles.html | 1 -
 .../frontend/src/pages/circles/circles.scss | 25 +++
 .../frontend/src/pages/circles/circles.tsx | 212 ++++++++++++++++++
 application/frontend/src/routes.tsx | 8 +
 package.json | 1 +
 yarn.lock | 201 +++++++++++++++--
 9 files changed, 547 insertions(+), 44 deletions(-)
 create mode 100644 application/frontend/src/pages/circles/circles.scss
 create mode 100644 application/frontend/src/pages/circles/circles.tsx
diff --git a/application/frontend/src/const.ts b/application/frontend/src/const.ts
index c7063fcb6..84df7aa25 100644
--- a/application/frontend/src/const.ts
+++ b/application/frontend/src/const.ts
@@ -40,3 +40,4 @@ export const EXPLORER = '/explorer';
 export const GAP_ANALYSIS = '/map_analysis';
 export const GA_STRONG_UPPER_LIMIT = 2; // remember to change this in the Python code too
+export const CIRCLES = '/circles';
diff --git a/application/frontend/src/pages/Explorer/explorer.scss b/application/frontend/src/pages/Explorer/explorer.scss
index aa98a40d2..8f99e8f80 100644
--- a/application/frontend/src/pages/Explorer/explorer.scss
+++ b/application/frontend/src/pages/Explorer/explorer.scss
@@ -5,13 +5,45 @@
 }
 #explorer-content>.group {
- border-top: 1px dotted lightgrey;
- border-left: 6px solid lightgrey;
- margin: 4px;
- margin-left: 46px;
- padding: 5px;
- vertical-align: top;
- background-color: rgba(200, 200, 200, 0.2);
+ overflow: hidden;
+ white-space: nowrap;
+}
+
+#explorer-content>.group-1 {
+ vertical-align: middle;
+ font-size: 120%;
+ font-weight: bold;
+ margin-left: 5px;
+ overflow: hidden;
+ white-space: nowrap;
+}
+
+#explorer-content>.group-2 {
+ vertical-align: middle;
+ width: 500px;
+ overflow: hidden;
+ white-space: nowrap;
+ display: inline-block;
+ margin-right: 30px
+}
+
+#explorer-content>#group-span {
+ color: grey;
+}
+
+#explorer-content>#groupped-links-container {
+ margin-left: 6px;
+ font-size: 80%;
+ display: inline-block;
+ vertical-align: middle;
+}
+
+#grouped-link {
+ margin: 2px;
+ display: inline-block;
+ border: 1px dashed lightgrey;
+ padding: 3px;
+ background-color: #f0f0f0;
 }
 #explorer-content>.doc-id {
@@ -89,17 +121,32 @@ b {
 padding-top: 20px;
 padding-left: 12px;
 }
-p{
- color: grey; margin-left: 26px;
+
+p {
+ color: grey;
+ margin-left: 26px;
 }
-#explorer-wrapper{
- margin-left: 24px; margin-top: 20px; margin-bottom: 20px; color: grey;
+
+#explorer-wrapper {
+ margin-left: 24px;
+ margin-top: 20px;
+ margin-bottom: 20px;
+ color: grey;
 }
-#filter{
- font-size: 16px; height: 32px; width: 320px; margin-bottom: 10px;
+#filter {
+ font-size: 16px;
+ height: 32px;
+ width: 320px;
+ margin-bottom: 10px;
 }
-#search-summary{
- display: inline-block; vertical-align: middle;
+
+#search-summary {
+ display: inline-block;
+ vertical-align: middle;
 }
-#graphs{font-size: 80%; color: grey;}
\ No newline at end of file
+
+#graphs {
+ font-size: 80%;
+ color: grey;
+}
\ No newline at end of file
diff --git a/application/frontend/src/pages/Explorer/explorer.tsx b/application/frontend/src/pages/Explorer/explorer.tsx
index 888d6cb2d..015a25904 100644
--- a/application/frontend/src/pages/Explorer/explorer.tsx
+++ b/application/frontend/src/pages/Explorer/explorer.tsx @@ -9,7 +9,7 @@ import { ClearFilterButton, FilterButton } from '../../components/FilterButton/F import { LoadingAndErrorIndicator } from '../../components/LoadingAndErrorIndicator'; import { useEnvironment } from '../../hooks'; import { applyFilters, filterContext } from '../../hooks/applyFilters'; -import { Document } from '../../types'; +import { Document, LinkedDocument } from '../../types'; import { groupLinksByType } from '../../utils'; import { SearchResults } from '../Search/components/SearchResults'; @@ -40,13 +40,13 @@ export const Explorer = () => { } ); const docs = localStorage.getItem("documents") - useEffect(()=>{ + useEffect(() => { if (docs != null) { setData(JSON.parse(docs).sort((a, b) => (a.id + '').localeCompare(b.id + ''))); setFilteredData(data) } - },[docs]) - + }, [docs]) + const query = useQuery( 'everything', () => { @@ -89,20 +89,67 @@ export const Explorer = () => { } } - function processNode(item) { - if (!item) { + + function processGroupedLinks(link) { + let title = "" + if (link.document.hyperlink) { + title = link.document.name; + if (link.sections.length > 0) { + title += ':\n - '; + title += link.sections.join('\n - '); + } + } + return ( + + ) + } + + function processNode(item: Document) { + if (!item || !item.id) { return (<>) } + + const groupedLinks: LinkedDocument[] = []; + const groupedLinksMap = []; + item.links?.filter(link => link.ltype === 'Linked To').forEach(link => { + const doc = link.ltype + ' ' + link.document.doctype + ' ' + link.document.name; + if (!groupedLinksMap[doc]) { + groupedLinksMap[doc] = link + groupedLinksMap[doc].sections = [] + groupedLinks.push(link); + } + if (link.document.section) { + groupedLinksMap[doc].sections.push(link.document.section); + } + }); + let name + if (filter.length && item.name.toLocaleLowerCase() === filter.toLocaleLowerCase()) { + name = {filter.charAt(0).toUpperCase() + filter.slice(1)} + } return (
- {item?.name} + {item.id} : + {name}
+
- {item?.links?.forEach(child => processNode(child))} + { + item.links?.map(child => + processNode(child.document) + ) + }
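Review bot: In `processNode`, `groupedLinksMap` is declared as an array (`const groupedLinksMap = []`) but is only ever indexed with the string key `doc`, which `noImplicitAny` rejects and which hides the `.sections` writes from the checker; declare it as a map, e.g. `const groupedLinksMap = new Map<string, LinkedDocument & { sections: string[] }>();`, and read/write it with `get`/`set`. The same loop assigns `sections` onto the `link` objects it receives, so it mutates the documents held in component state (`item.links`) on every render; building a fresh entry with `{ ...link, sections: [] }` and pushing that to `groupedLinks` keeps the state read-only. `processGroupedLinks(link)` has an untyped parameter and, from what is visible here, derives `title` from `link.document.hyperlink`; these documents are `JSON.parse`d from localStorage without validation (see the `docs` effect in the hunk above), so wherever the stripped element uses `hyperlink` as a link target it should first be checked to be an `http:`/`https:` URL. The `item.links?.map(child => processNode(child.document))` children at the end of the hunk carry no visible `key`, which React will warn about. The `Explorer` component body continues outside the hunk.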
diff --git a/application/frontend/src/pages/Explorer/visuals/circles.html b/application/frontend/src/pages/Explorer/visuals/circles.html index f0a1e96d5..113bafe22 100644 --- a/application/frontend/src/pages/Explorer/visuals/circles.html +++ b/application/frontend/src/pages/Explorer/visuals/circles.html 
@@ -52,7 +52,6 @@ .size([diameter - margin, diameter - margin]) .padding(2); - const links = [{"doctype": "CRE", "id": "787-638", "links": [{"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "004-517", "name": "Security requirements"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "036-275", "name": "Make (centrally) available secure coding resources for programmers"}, "ltype": "Contains"}], "name": "Technical instructions"}, {"doctype": "CRE", "id": "616-305", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-15", "name": "NIST 800-53 v5", "section": "SA-15 Development Process, Standards, and Tools"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Secure development life cycle", "sectionID": "8.25"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-3", "name": "NIST 800-53 v5", "section": "SA-3 System Development Life Cycle"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Secure Application Design and Development", "sectionID": "AIS-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-8", "name": "NIST 800-53 v5", "section": "SA-8 Security and Privacy Engineering Principles"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-3", "name": "NIST 800-53 v5", "section": "SI-3 Malicious Code Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify the use of a secure software development lifecycle that addresses security in all stages of development.", "sectionID": "V1.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c1-security-requirements.html", "name": "OWASP Proactive Controls", "section": "C1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "326-704", "name": "Architecture/design processes", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "124-564", "name": "Configuration Management", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "424-242", "name": "Decommissioning"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "745-356", "name": "Development process audit trail"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "244-750", "name": "Technical application security training"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "787-638", "name": "Technical instructions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "820-877", "name": "Technical system documentation"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "261-010", "name": "Program management for secure software development"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "148-853", "name": "Setup and maintain a secure software development process"}, "ltype": "Related"}], "name": "Development processes for security"}, {"doctype": "CRE", "id": "148-420", 
"links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-10", "name": "NIST 800-53 v5", "section": "AU-10 Non-repudiation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-8", "name": "NIST 800-53 v5", "section": "AU-8 Time Stamps"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-9", "name": "NIST 800-53 v5", "section": "AU-9 Protection of Audit Information"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/", "name": "OWASP Top 10 2021", "section": "Logging and Monitoring Failures", "sectionID": "A09"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "260-200", "name": "Log in consistent format across system"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "026-280", "name": "Securely transfer logs (remotely)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "713-684", "name": "Log access protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "821-541", "name": "Log injection protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "770-362", "name": "Log time synchronization"}, "ltype": "Contains"}], "name": "Log integrity"}, {"doctype": "CRE", "id": "863-636", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that exception handling (or a functional equivalent) is used across the codebase to account for 
expected and unexpected error conditions.", "sectionID": "V7.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html", "name": "OWASP Proactive Controls", "section": "C10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/544.html", "name": "CWE", "section": "", "sectionID": "544"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ERRH-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Error Handling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "513-183", "name": "Error handling"}, "ltype": "Is Part Of"}], "name": "Use exception handling uniformly"}, {"doctype": "CRE", "id": "455-358", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage.", "sectionID": "V3.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/539.html", "name": "CWE", "section": "", "sectionID": "539"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html; https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-02; WSTG-CLNT-12"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/21.html", "name": "CAPEC", "section": "Exploitation of Trusted Identifiers", "sectionID": "21", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "716-526", 
"name": "Session token generation"}, "ltype": "Is Part Of"}], "name": "When storing session tokens in browser, use secure methods only"}, {"doctype": "CRE", "id": "261-010", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Application and Interface Security Policy and Procedures", "sectionID": "AIS-01"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "571-271", "name": "Program management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "118-775", "name": "Manage an internal secure software development community"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "251-446", "name": "Organize stakeholder commitment for secure software development"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "417-342", "name": "Provide reusable application security controls"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "635-851", "name": "Steer the secure software development program"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "148-853", "name": "Setup and maintain a secure software development process"}, "ltype": "Contains"}], "name": "Program management for secure software development"}, {"doctype": "CRE", "id": "208-830", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-4", "name": "NIST 800-53 v5", "section": "SC-4 Information in Shared System Resources"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "126-668", "name": "Secure data storage"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "046-257", "name": "Clear authentication data from client storage"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "617-524", "name": "Do not store sensitive data on client (browser) 
storage"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "846-302", "name": "Prevent caching of sensitive data in server components"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "157-430", "name": "Protect and clear cached sensitive data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "473-758", "name": "Set sufficient anti-caching headers"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "715-304", "name": "Zeroize sensitive information in memory after use"}, "ltype": "Contains"}], "name": "Manage temporary storage"}, {"doctype": "CRE", "id": "152-725", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/419.html", "name": "CWE", "section": "", "sectionID": "419"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHZ-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Web Service Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "123-124", "name": "Minimize permissions"}, "ltype": "Is Part Of"}], 
"name": "Limit access to admin/management functionality"}, {"doctype": "CRE", "id": "770-362", "links": [{"document": {"doctype": "CRE", "id": "148-420", "name": "Log integrity"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "770-361", "name": "Synchronize time zones for logs"}, "ltype": "Contains"}], "name": "Log time synchronization"}, {"doctype": "CRE", "id": "626-250", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-6", "name": "NIST 800-53 v5", "section": "SI-6 Security and Privacy Function Verification"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/verification/architecture-assessment/stream-a", "name": "SAMM", "section": "Achitecture validation", "sectionID": "V-AA-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.", "sectionID": "PW.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-7", "name": "NIST 800-53 v5", "section": "SI-7 Software, Firmware, and Information Integrity"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/verification/architecture-assessment/stream-b", "name": "SAMM", "section": "Achitecture mitigation", "sectionID": "V-AA-B"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Is Part Of"}], "name": "Design review"}, {"doctype": "CRE", "id": "480-071", "links": [{"document": 
{"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that the content of a web application cannot be embedded in a third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers.", "sectionID": "V14.4.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1021.html", "name": "CWE", "section": "", "sectionID": "1021"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-09"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Content Security Policy Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's 'frame-ancestors' directive.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java", "name": "ZAP Rule", "section": "X-Frame-Options Defined via META (Non-compliant with Spec)", "sectionID": "10020-3", "tags": ["10020-3", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. 
it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's 'frame-ancestors' directive.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java", "name": "ZAP Rule", "section": "X-Frame-Options Setting Malformed", "sectionID": "10020-4", "tags": ["10020-4", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java", "name": "ZAP Rule", "section": "Missing Anti-clickjacking Header", "sectionID": "10020-1", "tags": ["10020-1", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure only a single X-Frame-Options header is present in the response.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java", "name": "ZAP Rule", "section": "Multiple X-Frame-Options Header Entries", "sectionID": "10020-2", "tags": ["Passive", "10020-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/103.html", "name": "CAPEC", "section": "Clickjacking", "sectionID": "103", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/181.html", "name": "CAPEC", "section": "Flash File Overlay", "sectionID": "181", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/222.html", "name": "CAPEC", "section": "iFrame Overlay", 
"sectionID": "222", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/504.html", "name": "CAPEC", "section": "Task Impersonation", "sectionID": "504", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/506.html", "name": "CAPEC", "section": "Tapjacking", "sectionID": "506", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/587.html", "name": "CAPEC", "section": "Cross Frame Scripting (XFS)", "sectionID": "587", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/654.html", "name": "CAPEC", "section": "Credential Prompt Impersonation", "sectionID": "654", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Is Part Of"}], "name": "Prevent Click jacking through X-Frame-Options or CSP"}, {"doctype": "CRE", "id": "713-684", "links": [{"document": {"doctype": "CRE", "id": "148-420", "name": "Log integrity"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "713-683", "name": "Protect logs against unauthorized access"}, "ltype": "Contains"}], "name": "Log access protection"}, {"doctype": "CRE", "id": "567-755", "links": [{"document": {"doctype": "CRE", "id": "464-513", "name": "Assurance processes"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "766-162", "name": "Security Analysis and documentation"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "427-113", "name": "Security governance regarding people"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "563-088", "name": "Security organizing processes"}, "ltype": "Contains"}], "name": "Governance processes for security"}, {"doctype": "CRE", "id": "464-084", "links": [{"document": 
{"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, or Origin request header checks.", "sectionID": "V13.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/352.html", "name": "CWE", "section": "", "sectionID": "352"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-05"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Assessment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java", "name": "ZAP Rule", "section": "Absence of Anti-CSRF Tokens", "sectionID": "10202", "tags": ["10202", "Passive"], "tooltype": "Offensive"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRule.java", "name": "ZAP Rule", "section": "Anti-CSRF Tokens Check", "sectionID": "20012", "tags": ["Active", "20012"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/111.html", "name": "CAPEC", "section": "JSON Hijacking (aka JavaScript Hijacking)", "sectionID": "111", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/462.html", "name": "CAPEC", "section": "Cross-Domain Search Timing", "sectionID": "462", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/467.html", "name": "CAPEC", "section": "Cross Site Identification", "sectionID": "467", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "071-288", "name": "RESTful"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "CSRF protection"}, "ltype": "Related"}], "name": "Add CSRF protection for cookie based REST services", "tags": ["CSRF protection"]}, {"doctype": "CRE", "id": "112-648", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Change Control and Configuration Management", "sectionID": "CCC"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Change management", "sectionID": "8.32"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "010-678", "name": "Improvement management"}, "ltype": "Is Part 
Of"}, {"document": {"doctype": "CRE", "id": "124-564", "name": "Configuration Management", "tags": ["Configuration"]}, "ltype": "Related"}], "name": "Change management"}, {"doctype": "CRE", "id": "857-718", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding.", "sectionID": "V5.3.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html", "name": "OWASP Proactive Controls", "section": "C4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/78.html", "name": "CWE", "section": "", "sectionID": "78"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-12"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat 
Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Update Bash on the server to the latest version", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java", "name": "ZAP Rule", "section": "Remote Code Execution - Shell Shock", "sectionID": "10048", "tags": ["Active", "10048"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Upgrade Spring Framework to versions 5.3.18, 5.2.20, or newer.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java", "name": "ZAP Rule", "section": "Spring4Shell", "sectionID": "40045", "tags": ["Active", "40045"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java", "name": "ZAP Rule", "section": "Remote OS Command Injection", "sectionID": "90020", "tags": ["Active", "90020"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/108.html", "name": "CAPEC", "section": "Command Line Execution through SQL Injection", "sectionID": "108", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/15.html", "name": "CAPEC", "section": "Command Delimiters", "sectionID": "15", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/43.html", "name": "CAPEC", "section": "Exploiting Multiple Input Interpretation Layers", "sectionID": "43", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/6.html", "name": "CAPEC", "section": "Argument Injection", "sectionID": "6", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/88.html", "name": "CAPEC", "section": "OS Command Injection", "sectionID": "88", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Protect against OS command injection attack"}, {"doctype": "CRE", "id": "683-036", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-40", "name": "NIST 800-53 v5", "section": "SC-40 Wireless Link Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "278-646", 
"name": "Secure communication"}, "ltype": "Is Part Of"}], "name": "Wireless link protection"}, {"doctype": "CRE", "id": "080-373", "links": [{"document": {"doctype": "CRE", "id": "118-110", "name": "API/web services"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "456-636", "name": "Add integrity check to SOAP payload"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "611-051", "name": "Enforce schema on XML structure/field"}, "ltype": "Contains"}], "name": "SOAP"}, {"doctype": "CRE", "id": "026-280", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation.", "sectionID": "V1.7.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html", "name": "OWASP Proactive Controls", "section": "C9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "148-420", "name": "Log integrity"}, "ltype": "Is Part Of"}], "name": "Securely transfer logs (remotely)"}, {"doctype": "CRE", "id": "135-200", "links": [{"document": {"doctype": "CRE", "id": "766-162", "name": "Security Analysis and documentation"}, "ltype": "Is Part Of"}], "name": "Review of security policies"}, {"doctype": "CRE", "id": "585-408", "links": [{"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Forged%20Coupon", "name": "OWASP Juice Shop", "section": "Forged Coupon", "sectionID": "forgedCouponChallenge", "tags": ["Cryptographic Issues"], "tooltype": 
"Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Imaginary%20Challenge", "name": "OWASP Juice Shop", "section": "Imaginary Challenge", "sectionID": "continueCodeChallenge", "tags": ["Cryptographic Issues"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Nested%20Easter%20Egg", "name": "OWASP Juice Shop", "section": "Nested Easter Egg", "sectionID": "easterEggLevelTwoChallenge", "tags": ["Cryptographic Issues"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Premium%20Paywall", "name": "OWASP Juice Shop", "section": "Premium Paywall", "sectionID": "premiumPaywallChallenge", "tags": ["Cryptographic Issues"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Weird%20Crypto", "name": "OWASP Juice Shop", "section": "Weird Crypto", "sectionID": "weirdCryptoChallenge", "tags": ["Cryptographic Issues"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "287-251", "name": "Use a unique challenge nonce of sufficient size"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "002-801", "name": "Use approved cryptographic algorithms for generation, seeding and verification"}, "ltype": "Contains"}], "name": "Challenge nonce cryptography", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "028-727", "links": [{"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "464-084", 
"name": "Add CSRF protection for cookie based REST services", "tags": ["CSRF protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "342-055", "name": "Set \"samesite\" attribute for cookie-based session tokens", "tags": ["CSRF protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "060-472", "name": "Use CSRF protection against authenticated functionality, add anti-automation controls for unauthenticated functionality", "tags": ["CSRF protection"]}, "ltype": "Related"}], "name": "CSRF protection"}, {"doctype": "CRE", "id": "613-286", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/", "name": "OWASP Top 10 2021", "section": "Vulnerable and Outdated Components", "sectionID": "A06"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/implementation/secure-build/stream-b", "name": "SAMM", "section": "Software Dependencies", "sectionID": "I-SB-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.", "sectionID": "RV.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "732-148", "name": "Vulnerability management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "053-751", "name": "Force build pipeline to check outdated/insecure components"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "863-521", "name": "Maintain/manage inventory of third party components"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "715-334", "name": "Update third party components build- or compile time"}, "ltype": 
"Contains"}, {"document": {"doctype": "CRE", "id": "007-274", "name": "Patching and updating system components"}, "ltype": "Related"}], "name": "Dependency management"}, {"doctype": "CRE", "id": "767-701", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md", "name": "ASVS", "section": "Verify using up to date TLS testing tools that only strong cipher suites are enabled, with the strongest cipher suites set as preferred.", "sectionID": "V9.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/326.html", "name": "CWE", "section": "", "sectionID": "326"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTTP Strict Transport Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Protect the connection using HTTPS or use a stronger authentication mechanism", "doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java", "name": "ZAP Rule", "section": "Weak Authentication Method", "sectionID": "10105", "tags": ["Passive", "10105"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/192.html", "name": "CAPEC", "section": "Protocol Analysis", "sectionID": "192", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Verify strong TLS algorithms by testing"}, {"doctype": "CRE", "id": "082-530", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among stored hashes. 
For each credential, a unique salt value and the resulting hash SHALL be stored.", "sectionID": "V2.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/916.html", "name": "CWE", "section": "", "sectionID": "916"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Password Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use unique random salt with sufficient entropy for each credential"}, {"doctype": "CRE", "id": "307-507", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that the application employs integrity protections, such as code signing or subresource integrity. 
The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet.", "sectionID": "V10.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/353.html", "name": "CWE", "section": "", "sectionID": "353"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Make software integrity verification information available to software acquirers.", "sectionID": "PS.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/14.html", "name": "CAPEC", "section": "Client-side Injection-induced Buffer Overflow", "sectionID": "14", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/389.html", "name": "CAPEC", "section": "Content Spoofing Via Application API Manipulation", "sectionID": "389", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/665.html", "name": "CAPEC", "section": "Exploitation of Thunderbolt Protection Flaws", "sectionID": "665", "version": "3.9"}, "ltype": 
"SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/74.html", "name": "CAPEC", "section": "Manipulating State", "sectionID": "74", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/75.html", "name": "CAPEC", "section": "Manipulating Writeable Configuration Files", "sectionID": "75", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Related"}], "name": "Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code"}, {"doctype": "CRE", "id": "482-771", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that sign, range, and input validation techniques are used to prevent integer overflows.", "sectionID": "V5.4.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/190.html", "name": "CWE", "section": "", "sectionID": "190"}, "ltype": "Linked To"}, {"document": {"description": "In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. 
This will require a recompilation of the backend executable.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java", "name": "ZAP Rule", "section": "Integer Overflow Error", "sectionID": "30003", "tags": ["Active", "30003"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/92.html", "name": "CAPEC", "section": "Forced Integer Overflow", "sectionID": "92", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "866-553", "name": "Memory, String, and Unmanaged Code", "tags": ["Injection protection"]}, "ltype": "Is Part Of"}], "name": "Check boundaries against integer overflow weaknesses"}, {"doctype": "CRE", "id": "405-411", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker.", "sectionID": "V14.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/346.html", "name": "CWE", "section": "", "sectionID": "346"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/111.html", "name": "CAPEC", "section": "JSON Hijacking (aka JavaScript Hijacking)", "sectionID": "111", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/141.html", "name": "CAPEC", "section": "Cache Poisoning", "sectionID": "141", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/142.html", "name": "CAPEC", "section": "DNS 
Cache Poisoning", "sectionID": "142", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/160.html", "name": "CAPEC", "section": "Exploit Script-Based APIs", "sectionID": "160", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/21.html", "name": "CAPEC", "section": "Exploitation of Trusted Identifiers", "sectionID": "21", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/510.html", "name": "CAPEC", "section": "SaaS User Request Forgery", "sectionID": "510", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/75.html", "name": "CAPEC", "section": "Manipulating Writeable Configuration Files", "sectionID": "75", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/89.html", "name": "CAPEC", "section": "Pharming", "sectionID": "89", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "541-441", "name": "Validate HTTP request headers", "tags": ["Injection protection"]}, "ltype": "Is Part Of"}], "name": "Avoid using of Origin header for authentication of access control"}, {"doctype": "CRE", "id": "177-260", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-10", "name": "NIST 800-53 v5", "section": "AC-10 CONCURRENT SESSION CONTROL"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-11", "name": "NIST 800-53 v5", "section": "IA-11 RE-AUTHENTICATION"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-23", "name": "NIST 800-53 v5", "section": "SC-23 SESSION AUTHENTICITY"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/", "name": "OWASP Top 10 2021", "section": "Identification and Authentication Failures", "sectionID": "A07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/", "name": "OWASP Top 10 2021", "section": "Broken Access Controls", "sectionID": "A01"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "402-133", "name": "Do not expose session token in URL"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "582-541", "name": "Re-authenticate before sensitive transactions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "110-531", "name": "Cookie-config"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "470-731", "name": "Minimize session life"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "258-115", "name": "Re-authentication from federation or assertion"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "114-277", "name": "Session integrity"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "716-526", "name": "Session token generation"}, "ltype": "Contains"}], "name": "Session management"}, {"doctype": "CRE", "id": "004-517", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-18", "name": "NIST 800-53 v5", "section": "SC-18 Mobile Code"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Application security requirements", "sectionID": "8.26"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/design/security-requirements/stream-a", "name": "SAMM", "section": "Software Requirements", "sectionID": "D-SR-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Application Security Baseline Requirements", "sectionID": "AIS-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information transfer", "sectionID": "5.14"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/governance/policy-and-compliance/stream-a/", "name": "SAMM", "section": "Policy & Standards", "sectionID": "G-PC-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time.", "sectionID": "PO.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "510-324", "name": "Compliance"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "074-873", "name": "Data classification and handling"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "782-234", "name": "Clear policy compliant I/O requirements"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "072-713", "name": "Manage standard technologies and frameworks"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "787-638", "name": "Technical instructions"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "766-162", "name": "Security Analysis and documentation"}, "ltype": "Is Part Of"}], "name": "Security requirements"}, {"doctype": "CRE", 
"id": "745-356", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.", "sectionID": "PO.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "464-513", "name": "Assurance processes"}, "ltype": "Related"}], "name": "Development process audit trail"}, {"doctype": "CRE", "id": "118-775", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/governance/education-and-guidance/stream-b", "name": "SAMM", "section": "Organization and Culture", "sectionID": "G-EG-B"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "261-010", "name": "Program management for secure software development"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "013-021", "name": "Roles and responsibilities"}, "ltype": "Related"}], "name": "Manage an internal secure software development community"}, {"doctype": "CRE", "id": "186-540", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data.", "sectionID": "V8.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/319.html", "name": "CWE", "section": "", "sectionID": "319"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.html", "name": "OWASP Web 
Security Testing Guide (WSTG)", "section": "WSTG-CRYP-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/117.html", "name": "CAPEC", "section": "Interception", "sectionID": "117", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/477.html", "name": "CAPEC", "section": "Signature Spoofing by Mixing Signed and Unsigned Content", "sectionID": "477", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/65.html", "name": "CAPEC", "section": "Sniff Application Code", "sectionID": "65", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "341-076", "name": "Minimize communication"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}], "name": "Do not expose data through HTTP verb", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "772-358", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify password hints or knowledge-based authentication (so-called \"secret questions\") are not present.", "sectionID": "V2.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/640.html", "name": "CWE", "section": "", "sectionID": "640"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-08"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/50.html", "name": "CAPEC", "section": "Password Recovery Exploitation", "sectionID": "50", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "520-617", "name": "Credential recovery"}, "ltype": "Is Part Of"}], "name": "Do not use password hints or secret questions"}, {"doctype": "CRE", "id": "586-842", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/", "name": "OWASP Top 10 2021", "section": "Identification and Authentication Failures", "sectionID": "A07"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "065-183", "name": "Disallow default credentials"}, "ltype": "Contains"}, 
{"document": {"doctype": "CRE", "id": "813-610", "name": "Do not use static secrets"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "235-658", "name": "Notify user about credential change"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "327-505", "name": "Change password with presence of old and new password"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "138-448", "name": "Inform users for authentication renewal"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "808-425", "name": "Notify users about anomalies in their usage patterns"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "751-176", "name": "Offer password changing functionality"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "673-736", "name": "Enable option to log out from all active session"}, "ltype": "Related"}], "name": "Secure user management"}, {"doctype": "CRE", "id": "368-633", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", "section": "Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. 
([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))", "sectionID": "V4.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html", "name": "OWASP Proactive Controls", "section": "C7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/285.html", "name": "CWE", "section": "", "sectionID": "285"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-IDNT-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Access Control Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authorization Testing Automation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Privileged access rights", "sectionID": "8.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": "Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/402.html", "name": "CAPEC", "section": "Bypassing ATA Password Security", "sectionID": "402", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/51.html", "name": "CAPEC", "section": "Poison Web Service Registry", "sectionID": "51", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/647.html", "name": "CAPEC", "section": "Collect Data from Registries", "sectionID": "647", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/668.html", "name": "CAPEC", "section": "Key Negotiation of Bluetooth Attack (KNOB)", "sectionID": "668", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/87.html", "name": "CAPEC", "section": "Forceful Browsing", "sectionID": "87", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "123-124", "name": "Minimize permissions"}, "ltype": "Is Part Of"}], "name": "Enforce least privilege"}, {"doctype": "CRE", "id": "267-468", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records.", "sectionID": "V6.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/311.html", "name": "CWE", "section": "", "sectionID": "311"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "User Privacy Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Configure your web or application server to use SSL (https).", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpOnlySiteScanRule.java", "name": "ZAP Rule", "section": "HTTP Only Site", "sectionID": "10106", "tags": ["Active", "10106"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java", "name": "ZAP Rule", "section": "Secure Pages Include Mixed Content", "sectionID": "10040", "tags": ["10040", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. 
Consider implementing HTTP Strict Transport Security.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpsAsHttpScanRule.java", "name": "ZAP Rule", "section": "HTTPS Content Available via HTTP", "sectionID": "10047", "tags": ["Active", "10047"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/157.html", "name": "CAPEC", "section": "Sniffing Attacks", "sectionID": "157", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/158.html", "name": "CAPEC", "section": "Sniffing Network Traffic", "sectionID": "158", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/204.html", "name": "CAPEC", "section": "Lifting Sensitive Data Embedded in Cache", "sectionID": "204", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/37.html", "name": "CAPEC", "section": "Retrieve Embedded Sensitive Data", "sectionID": "37", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, 
"ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/477.html", "name": "CAPEC", "section": "Signature Spoofing by Mixing Signed and Unsigned Content", "sectionID": "477", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/609.html", "name": "CAPEC", "section": "Cellular Traffic Intercept", "sectionID": "609", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/65.html", "name": "CAPEC", "section": "Sniff Application Code", "sectionID": "65", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "275-483", "name": "Securely store regulated data"}, "ltype": "Is Part Of"}], "name": "Encrypt financial data at rest"}, {"doctype": "CRE", "id": "650-560", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", 
"section": "Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.", "sectionID": "V4.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/602.html", "name": "CWE", "section": "", "sectionID": "602"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHZ-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Access Control Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authorization Testing Automation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/162.html", "name": "CAPEC", "section": "Manipulating Hidden Fields", "sectionID": "162", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/202.html", "name": "CAPEC", "section": "Create Malicious Client", "sectionID": "202", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/207.html", "name": "CAPEC", "section": "Removing Important Client Functionality", "sectionID": "207", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/208.html", "name": 
"CAPEC", "section": "Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements", "sectionID": "208", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/21.html", "name": "CAPEC", "section": "Exploitation of Trusted Identifiers", "sectionID": "21", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", 
"sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}], "name": "Enforce access control on trusted service layer", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "268-272", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires.", "sectionID": "V8.3.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/285.html", "name": "CWE", "section": "", "sectionID": "285"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": 
"Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/402.html", "name": "CAPEC", "section": "Bypassing ATA Password Security", "sectionID": "402", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/51.html", "name": "CAPEC", "section": "Poison Web Service Registry", "sectionID": "51", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/647.html", "name": "CAPEC", "section": "Collect Data from Registries", "sectionID": "647", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/668.html", "name": "CAPEC", "section": "Key Negotiation of Bluetooth Attack (KNOB)", "sectionID": "668", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/87.html", "name": "CAPEC", "section": "Forceful Browsing", "sectionID": "87", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "074-873", "name": "Data classification and handling"}, "ltype": "Is Part Of"}], "name": "Classify personal data regarding retention so that old or outdated data is deleted"}, {"doctype": "CRE", "id": "338-370", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that there are no periodic credential rotation or password history requirements.", "sectionID": "V2.1.10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/263.html", "name": "CWE", "section": "", "sectionID": "263"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows 
Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials directives"}, "ltype": "Is Part Of"}], "name": "Do not enforce password rotation rules or history requirements"}, {"doctype": "CRE", "id": "577-260", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that if application assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset.", "sectionID": "V14.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/829.html", "name": "CWE", 
"section": "", "sectionID": "829"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Vulnerable Dependency Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Please upgrade to the latest version of ExampleLibrary.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java", "name": "ZAP Rule", "section": "Vulnerable JS Library", "sectionID": "10003", "tags": ["Passive", "10003"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java", "name": "ZAP Rule", "section": "Cross-Domain JavaScript Source File Inclusion", "sectionID": "10017", "tags": ["10017", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/175.html", "name": "CAPEC", "section": "Code Inclusion", "sectionID": "175", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/201.html", "name": "CAPEC", "section": "Serialized Data External Linking", "sectionID": "201", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/228.html", "name": "CAPEC", "section": "DTD Injection", "sectionID": "228", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/251.html", "name": "CAPEC", "section": "Local Code Inclusion", "sectionID": "251", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/252.html", "name": "CAPEC", "section": "PHP Local File Inclusion", "sectionID": "252", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/253.html", "name": "CAPEC", "section": "Remote Code Inclusion", "sectionID": "253", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/263.html", "name": "CAPEC", "section": "Force Use of Corrupted Files", "sectionID": "263", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/538.html", "name": "CAPEC", "section": "Open-Source Library Manipulation", "sectionID": "538", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/549.html", "name": "CAPEC", "section": "Local Execution of Code", "sectionID": "549", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/640.html", "name": "CAPEC", "section": "Inclusion of Code in Existing Process", "sectionID": "640", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/660.html", "name": "CAPEC", "section": "Root/Jailbreak Detection Evasion via Hooking", "sectionID": "660", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/695.html", "name": "CAPEC", "section": "Repo Jacking", "sectionID": "695", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/698.html", "name": "CAPEC", "section": "Install Malicious Extension", "sectionID": "698", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "613-287", "name": "Dependency integrity"}, "ltype": "Is Part Of"}], "name": "Enforce integrity check for externally hosted assets (eg SRI)"}, {"doctype": "CRE", "id": "257-117", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that regular backups of important data are performed and that test restoration of data is performed.", "sectionID": "V8.1.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/19.html", "name": "CWE", "section": "", "sectionID": "19"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "163-776", "name": "Backup"}, "ltype": "Is Part Of"}], "name": "Perform regular backups of important data and test restoration"}, {"doctype": "CRE", "id": "483-883", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks.", "sectionID": "V3.5.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/345.html", "name": "CWE", "section": "", "sectionID": "345"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "JSON Web Token for Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Provide a valid integrity attribute to the tag.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java", "name": "ZAP Rule", "section": "Sub Resource Integrity Attribute Missing", "sectionID": "90003", "tags": ["90003", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure each page is setting the specific and appropriate content-type value for the content being delivered.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRule.java", "name": "ZAP Rule", "section": "Content-Type Header Missing", "sectionID": "10019", "tags": ["Passive", "10019"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/111.html", "name": "CAPEC", "section": "JSON Hijacking (aka JavaScript Hijacking)", "sectionID": "111", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/141.html", "name": "CAPEC", "section": "Cache Poisoning", "sectionID": "141", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/142.html", "name": "CAPEC", "section": "DNS Cache Poisoning", "sectionID": "142", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/148.html", "name": "CAPEC", "section": "Content Spoofing", "sectionID": "148", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/218.html", "name": "CAPEC", "section": "Spoofing of UDDI/ebXML Messages", "sectionID": "218", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/665.html", "name": "CAPEC", "section": "Exploitation of Thunderbolt Protection Flaws", "sectionID": "665", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/701.html", "name": "CAPEC", "section": "Browser in the Middle (BiTM)", "sectionID": "701", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "114-277", "name": "Session integrity"}, "ltype": "Is Part Of"}], "name": "When using stateless tokens, ensure cryptographically secure characteristics"}, {"doctype": "CRE", "id": "163-518", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that the application checks compressed files (e.g. zip, gz, docx, odt) against maximum allowed uncompressed size and against maximum number of files before uncompressing the file.", "sectionID": "V12.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/409.html", "name": "CWE", "section": "", "sectionID": "409"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "621-287", "name": "File upload"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}], "name": "Check uploaded archives for decompression attacks (eg zip bombs)", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "551-054", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": 
"ASVS", "section": "Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations.", "sectionID": "V3.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/798.html", "name": "CWE", "section": "", "sectionID": "798"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "JSON Web Token for Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/191.html", "name": "CAPEC", "section": "Read Sensitive Constants Within an Executable", "sectionID": "191", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Blockchain%20Hype", "name": "OWASP Juice Shop", "section": "Blockchain Hype", "sectionID": "tokenSaleChallenge", "tags": ["Security through Obscurity"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", 
"hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Privacy%20Policy%20Inspection", "name": "OWASP Juice Shop", "section": "Privacy Policy Inspection", "sectionID": "privacyPolicyProofChallenge", "tags": ["Security through Obscurity"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Steganography", "name": "OWASP Juice Shop", "section": "Steganography", "sectionID": "hiddenImageChallenge", "tags": ["Security through Obscurity"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "114-277", "name": "Session integrity"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Related"}], "name": "Use ephemeral secrets rather than static secrets"}, {"doctype": "CRE", "id": "157-430", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data.", "sectionID": "V8.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/524.html", "name": "CWE", "section": "", "sectionID": "524"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java", "name": "ZAP Rule", "section": "Storable but Non-Cacheable Content", "sectionID": "10049-2", "tags": ["Passive", "10049-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java", "name": "ZAP Rule", "section": "Storable and Cacheable Content", "sectionID": "10049-3", "tags": ["10049-3", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java", "name": "ZAP Rule", "section": "Non-Storable Content", "sectionID": "10049-1", "tags": ["10049-1", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/204.html", "name": "CAPEC", "section": "Lifting Sensitive Data Embedded in Cache", "sectionID": "204", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "208-830", "name": "Manage temporary storage"}, "ltype": "Is Part Of"}], "name": "Protect and clear cached sensitive data"}, {"doctype": "CRE", "id": "417-342", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components.", "sectionID": "PW.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "261-010", "name": "Program management for secure software development"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "344-611", "name": "Use centralized reusable security controls", "tags": ["Architecture"]}, "ltype": "Related"}], "name": "Provide reusable application security controls"}, {"doctype": "CRE", "id": "112-273", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": 
"Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload and serving of known malicious content.", "sectionID": "V12.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/509.html", "name": "CWE", "section": "", "sectionID": "509"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-09"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "621-287", "name": "File upload"}, "ltype": "Is Part Of"}], "name": "Scan untrusted files for malware"}, {"doctype": "CRE", "id": "074-873", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-17", "name": "NIST 800-53 v5", "section": "PM-17 Protecting Controlled Unclassified Information on External Systems"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information deletion", "sectionID": "8.10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/operations/operational-management/stream-a", "name": "SAMM", "section": "Data Protection", "sectionID": "O-OM-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-23", "name": "NIST 800-53 v5", "section": "PM-23 Data Governance Body"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "004-517", "name": "Security requirements"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "287-823", "name": "Asset management"}, "ltype": "Is Part Of"}, {"document": 
{"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "268-272", "name": "Classify personal data regarding retention so that old or outdated data is deleted"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "765-788", "name": "Classify sensitive data in protection levels"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "731-120", "name": "Document requirements for (data) protection levels"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "227-045", "name": "Identify sensitive data and subject it to a policy"}, "ltype": "Contains"}], "name": "Data classification and handling"}, {"doctype": "CRE", "id": "622-835", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. 
These initial secrets must not be permitted to become the long term password.", "sectionID": "V2.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/330.html", "name": "CWE", "section": "", "sectionID": "330"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "A.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/485.html", "name": "CAPEC", "section": "Signature Spoofing by Key Recreation", "sectionID": "485", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Generate initial passwords with sufficient secure random, short expiration time and do not allow to reuse the initial password."}, {"doctype": "CRE", "id": "065-183", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that if passwords are required for service authentication, the service account used is not a default credential. (e.g. 
root/root or admin/admin are default in some services during installation).", "sectionID": "V2.10.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/255.html", "name": "CWE", "section": "", "sectionID": "255"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Is Part Of"}], "name": "Disallow default credentials"}, {"doctype": "CRE", "id": "284-521", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", "section": "Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud.", "sectionID": "V4.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/732.html", "name": "CWE", "section": "", "sectionID": "732"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Assessment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/122.html", "name": "CAPEC", "section": "Privilege Abuse", "sectionID": "122", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": "Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/180.html", "name": "CAPEC", "section": "Exploiting Incorrectly Configured Access Control Security Levels", "sectionID": "180", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/206.html", "name": "CAPEC", "section": "Signing Malicious Code", "sectionID": "206", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/234.html", "name": "CAPEC", "section": "Hijacking a privileged process", "sectionID": "234", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/61.html", "name": "CAPEC", "section": "Session Fixation", "sectionID": "61", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/642.html", "name": "CAPEC", "section": "Replace Binaries", "sectionID": "642", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong 
authorization checking"}, "ltype": "Is Part Of"}], "name": "Enforce additional authorization and segregation of duties"}, {"doctype": "CRE", "id": "824-732", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that format strings do not take potentially hostile input, and are constant.", "sectionID": "V5.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/134.html", "name": "CWE", "section": "", "sectionID": "134"}, "ltype": "Linked To"}, {"document": {"description": "Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java", "name": "ZAP Rule", "section": "Format String Error", "sectionID": "30002", "tags": ["Active", "30002"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/135.html", "name": "CAPEC", "section": "Format String Injection", "sectionID": "135", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/67.html", "name": "CAPEC", "section": "String Format Overflow in syslog()", "sectionID": "67", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "866-553", "name": "Memory, String, and Unmanaged Code", "tags": ["Injection protection"]}, "ltype": "Is Part Of"}], "name": "Force format strings as constants"}, {"doctype": "CRE", "id": "076-470", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": 
"Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know.", "sectionID": "V2.8.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/308.html", "name": "CWE", "section": "", "sectionID": "308"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", 
"version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/644.html", "name": "CAPEC", "section": "Use of Captured Hashes (Pass The Hash)", "sectionID": "644", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/645.html", "name": "CAPEC", "section": "Use of Captured Tickets (Pass The Ticket)", "sectionID": "645", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Biometric authenticators only as secondary factors"}, {"doctype": "CRE", "id": "080-466", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-10", 
"name": "NIST 800-53 v5", "section": "SA-10 Developer Configuration Management"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Access to source code", "sectionID": "8.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Store all forms of code \u2013 including source", "sectionID": "PS.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "124-564", "name": "Configuration Management", "tags": ["Configuration"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "757-271", "name": "Use source code control system with change traceability and access control"}, "ltype": "Contains"}], "name": "Developer Configuration Management"}, {"doctype": "CRE", "id": "268-088", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that a query allow list or a combination of depth limiting and amount limiting is used to prevent GraphQL or data layer expression Denial of Service (DoS) as a result of expensive, nested queries. 
For more advanced scenarios, query cost analysis should be used.", "sectionID": "V13.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/770.html", "name": "CWE", "section": "", "sectionID": "770"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/125.html", "name": "CAPEC", "section": "Flooding", "sectionID": "125", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/130.html", "name": "CAPEC", "section": "Excessive Allocation", "sectionID": "130", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/147.html", "name": "CAPEC", "section": "XML Ping of the Death", "sectionID": "147", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/197.html", "name": "CAPEC", "section": "Exponential Data Expansion", "sectionID": "197", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/229.html", "name": "CAPEC", "section": "Serialized Data Parameter Blowup", "sectionID": "229", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", "sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/469.html", "name": "CAPEC", "section": "HTTP DoS", "sectionID": "469", "version": "3.9"}, 
"ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/482.html", "name": "CAPEC", "section": "TCP Flood", "sectionID": "482", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/486.html", "name": "CAPEC", "section": "UDP Flood", "sectionID": "486", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/487.html", "name": "CAPEC", "section": "ICMP Flood", "sectionID": "487", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/488.html", "name": "CAPEC", "section": "HTTP Flood", "sectionID": "488", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/489.html", "name": "CAPEC", "section": "SSL Flood", "sectionID": "489", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/490.html", "name": "CAPEC", "section": "Amplification", "sectionID": "490", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/491.html", "name": "CAPEC", "section": "Quadratic Data Expansion", "sectionID": "491", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/493.html", "name": "CAPEC", "section": "SOAP Array Blowup", "sectionID": "493", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/494.html", "name": "CAPEC", "section": "TCP Fragmentation", "sectionID": "494", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/495.html", "name": "CAPEC", "section": "UDP 
Fragmentation", "sectionID": "495", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/496.html", "name": "CAPEC", "section": "ICMP Fragmentation", "sectionID": "496", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/528.html", "name": "CAPEC", "section": "XML Flood", "sectionID": "528", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}], "name": "Limit query impact GraphQL/data layer expression DoS", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "101-217", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that lookup secrets can be used only once.", "sectionID": "V2.6.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/308.html", "name": "CWE", "section": "", "sectionID": "308"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": 
"CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/644.html", "name": "CAPEC", "section": "Use of Captured Hashes (Pass The Hash)", "sectionID": "644", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/645.html", "name": "CAPEC", "section": "Use of Captured Tickets (Pass The Ticket)", "sectionID": "645", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": 
"CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use lookup secrets only once"}, {"doctype": "CRE", "id": "634-733", "links": [{"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "605-735", "name": "Authenticate all external connections", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "537-367", "name": "Enable certification revocation"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "530-671", "name": "Mutually authenticate application components"}, "ltype": "Contains"}], "name": "Communication authentication"}, {"doctype": "CRE", "id": "715-304", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data.", "sectionID": "V8.3.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/226.html", "name": "CWE", "section": "", "sectionID": "226"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/37.html", "name": "CAPEC", "section": "Retrieve Embedded Sensitive Data", "sectionID": "37", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "208-830", "name": "Manage temporary storage"}, "ltype": "Is Part Of"}], "name": "Zeroize sensitive information in memory after use"}, {"doctype": "CRE", "id": "664-571", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances.", "sectionID": "V6.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/338.html", "name": "CWE", "section": "", "sectionID": "338"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "542-270", "name": "Secure random values", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Ensure proper generation of secure random", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "053-751", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate actions.", "sectionID": "V1.14.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cwe.mitre.org/data/definitions/1104.html", "name": "CWE", "section": "", "sectionID": "1104"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-286", "name": "Dependency management"}, "ltype": "Is Part Of"}], "name": "Force build pipeline to check outdated/insecure components"}, {"doctype": "CRE", "id": "636-854", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md", "name": "ASVS", "section": "Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. The server must not fall back to insecure or unencrypted protocols.", "sectionID": "V9.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/319.html", "name": "CWE", "section": "", "sectionID": "319"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/117.html", "name": "CAPEC", "section": "Interception", "sectionID": "117", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/477.html", "name": "CAPEC", "section": "Signature Spoofing by Mixing Signed and Unsigned Content", "sectionID": "477", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://capec.mitre.org/data/definitions/65.html", "name": "CAPEC", "section": "Sniff Application Code", "sectionID": "65", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Encrypt all communications"}, {"doctype": "CRE", "id": "265-800", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that the application source code and third party libraries do not contain malicious code, such as salami attacks, logic bypasses, or logic bombs.", "sectionID": "V10.2.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/511.html", "name": "CWE", "section": "", "sectionID": "511"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-287", "name": "Dependency integrity"}, "ltype": "Is Part Of"}], "name": "Check source code and third party libraries to not contain malicious code"}, {"doctype": "CRE", "id": "538-770", "links": [{"document": {"doctype": "CRE", "id": "126-668", "name": "Secure data storage"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "117-371", "name": "Use a centralized access control mechanism", "tags": ["Architecture"]}, "ltype": "Contains"}], "name": "Data access control"}, {"doctype": "CRE", "id": "402-133", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify the application never reveals session tokens in URL parameters.", "sectionID": "V3.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/598.html", "name": "CWE", 
"section": "", "sectionID": "598"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-04"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Is Part Of"}], "name": "Do not expose session token in URL"}, {"doctype": "CRE", "id": "657-084", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports.", "sectionID": "V5.2.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/918.html", "name": "CWE", "section": "", "sectionID": "918"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-11"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross 
Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Do not accept remote addresses as request parameters, and if you must, ensure that they are validated against an allow-list of expected values.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SsrfScanRule.java", "name": "ZAP Rule", "section": "Server Side Request Forgery", "sectionID": "40046", "tags": ["Active", "40046"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/664.html", "name": "CAPEC", "section": "Server Side Request Forgery", "sectionID": "664", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "SSRF protection"}, "ltype": "Related"}], "name": "(SSRF) When depending on internal server input, use validation sanitization and whitelisting", "tags": ["SSRF protection"]}, {"doctype": "CRE", "id": "724-770", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-14", "name": "NIST 800-53 v5", "section": "AC-14 PERMITTED ACTIONS WITHOUT 
IDENTIFICATION OR AUTHENTICATION"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-16", "name": "NIST 800-53 v5", "section": "AC-16 Security and Privacy Attributes"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-2", "name": "NIST 800-53 v5", "section": "AC-2 ACCOUNT MANAGEMENT"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-24", "name": "NIST 800-53 v5", "section": "AC-24 Access Control Decisions"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-5", "name": "NIST 800-53 v5", "section": "AC-5 SEPARATION OF DUTIES"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-2", "name": "NIST 800-53 v5", "section": "SC-2 Separation of System and User Functionality"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A01_2021-Broken_Access_Control/", "name": "OWASP Top 10 2021", "section": "Broken Access Controls", "sectionID": "A01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-19", "name": "NIST 800-53 v5", "section": "AC-19 Access Control for Mobile Devices"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-25", "name": "NIST 800-53 v5", "section": 
"AC-25 Reference Monitor"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "123-124", "name": "Minimize permissions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "074-873", "name": "Data classification and handling"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "247-250", "name": "Access control processes"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "132-146", "name": "Apply defense-in-depth techniques/processes for protection, detection, and timely response to network-based attacks.", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "273-600", "name": "Segregate components of differing trust levels"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "278-413", "name": "Mutually authenticate application components. 
Minimize privileges", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "538-770", "name": "Data access control"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "551-400", "name": "Allow user revocation of Oauth tokens"}, "ltype": "Related"}], "name": "Technical application access control"}, {"doctype": "CRE", "id": "731-120", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture.", "sectionID": "V1.8.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "User Privacy Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Labelling of information", "sectionID": "5.13"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "074-873", "name": "Data classification and handling"}, "ltype": "Is Part Of"}], "name": "Document requirements for (data) protection levels"}, {"doctype": "CRE", "id": "831-563", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that deserialization of untrusted data 
is avoided or is protected in both custom code and third-party libraries (such as JSON, XML and YAML parsers).", "sectionID": "V5.5.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/502.html", "name": "CWE", "section": "", "sectionID": "502"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Deserialization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Deserialization of untrusted data is inherently dangerous and should be avoided.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java", "name": "ZAP Rule", "section": "Java Serialization Object", "sectionID": "90002", "tags": ["90002", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/586.html", "name": "CAPEC", "section": "Object Injection", "sectionID": "586", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "836-068", "name": "Deserialization Prevention"}, "ltype": "Is Part Of"}], "name": "Avoid deserialization logic"}, {"doctype": "CRE", "id": "530-671", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that application components verify the authenticity of each side in a communication link to prevent person-in-the-middle attacks. For example, application components should validate TLS certificates and chains.", "sectionID": "V1.9.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/295.html", "name": "CWE", "section": "", "sectionID": "295"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/459.html", "name": "CAPEC", "section": "Creating a Rogue Certification Authority Certificate", "sectionID": "459", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/475.html", "name": "CAPEC", "section": "Signature Spoofing by Improper Validation", "sectionID": "475", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "634-733", "name": "Communication authentication"}, "ltype": "Is Part Of"}], "name": "Mutually authenticate application components"}, {"doctype": "CRE", "id": "117-371", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify the application uses a single and well-vetted access control mechanism for accessing protected data and 
resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths.", "sectionID": "V1.4.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html", "name": "OWASP Proactive Controls", "section": "C7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/284.html", "name": "CWE", "section": "", "sectionID": "284"}, "ltype": "Linked To"}, {"document": {"description": "Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Username%20Idor%20Scanner.js", "name": "ZAP Rule", "section": "Username Hash Found in WebSocket message", "sectionID": "110007", "tags": ["110007", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. 
", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java", "name": "ZAP Rule", "section": "Username Hash Found", "sectionID": "10057", "tags": ["10057", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/19.html", "name": "CAPEC", "section": "Embedding Scripts within Scripts", "sectionID": "19", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/441.html", "name": "CAPEC", "section": "Malicious Logic Insertion", "sectionID": "441", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/478.html", "name": "CAPEC", "section": "Modification of Windows Service Configuration", "sectionID": "478", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/479.html", "name": "CAPEC", "section": "Malicious Root Certificate", "sectionID": "479", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/502.html", "name": "CAPEC", "section": "Intent Spoof", "sectionID": "502", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/503.html", "name": "CAPEC", "section": "WebView Exposure", "sectionID": "503", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/536.html", "name": "CAPEC", "section": "Data Injected During Configuration", "sectionID": "536", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/546.html", "name": "CAPEC", 
"section": "Incomplete Data Deletion in a Multi-Tenant Environment", "sectionID": "546", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/550.html", "name": "CAPEC", "section": "Install New Service", "sectionID": "550", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/551.html", "name": "CAPEC", "section": "Modify Existing Service", "sectionID": "551", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/552.html", "name": "CAPEC", "section": "Install Rootkit ", "sectionID": "552", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/556.html", "name": "CAPEC", "section": "Replace File Extension Handlers", "sectionID": "556", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/558.html", "name": "CAPEC", "section": "Replace Trusted Executable", "sectionID": "558", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/562.html", "name": "CAPEC", "section": "Modify Shared File", "sectionID": "562", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/563.html", "name": "CAPEC", "section": "Add Malicious File to Shared Webroot", "sectionID": "563", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/564.html", "name": "CAPEC", "section": "Run Software at Logon", "sectionID": "564", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/578.html", "name": "CAPEC", "section": "Disable 
Security Software", "sectionID": "578", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "538-770", "name": "Data access control"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}], "name": "Use a centralized access control mechanism", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "846-302", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify the application protects sensitive data from being cached in server components such as load balancers and application caches.", "sectionID": "V8.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/524.html", "name": "CWE", "section": "", "sectionID": "524"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java", "name": "ZAP Rule", "section": "Storable but Non-Cacheable Content", "sectionID": "10049-2", "tags": ["Passive", "10049-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java", "name": "ZAP Rule", "section": "Storable and Cacheable Content", "sectionID": "10049-3", "tags": ["10049-3", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java", "name": "ZAP Rule", "section": "Non-Storable Content", "sectionID": "10049-1", "tags": ["10049-1", "Passive"], "tooltype": 
"Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/204.html", "name": "CAPEC", "section": "Lifting Sensitive Data Embedded in Cache", "sectionID": "204", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "208-830", "name": "Manage temporary storage"}, "ltype": "Is Part Of"}], "name": "Prevent caching of sensitive data in server components"}, {"doctype": "CRE", "id": "061-186", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks.", "sectionID": "V13.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/116.html", "name": "CWE", "section": "", "sectionID": "116"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Web Service Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "118-110", "name": "API/web services"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "SSRF protection"}, "ltype": "Related"}], "name": "Force uniform encoders and parsers throughout system", "tags": ["SSRF protection"]}, {"doctype": "CRE", "id": "418-853", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md", "name": "ASVS", "section": "Verify that the application monitors for unusual events or activity from a business logic perspective. 
For example, attempts to perform actions out of order or actions which a normal user would never attempt.", "sectionID": "V11.1.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html", "name": "OWASP Proactive Controls", "section": "C9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/754.html", "name": "CWE", "section": "", "sectionID": "754"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "552-588", "name": "Detect and prevent unusual activity"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "058-083", "name": "Monitoring"}, "ltype": "Related"}], "name": "Monitor unusual activities on system", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "180-488", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use.", "sectionID": "V14.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/16.html", "name": "CWE", "section": "", "sectionID": "16"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "name": "NIST SSDF", "section": "Define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services.", "sectionID": "PW.9.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.", "sectionID": "PW.9.2"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that only POST is accepted where POST is expected.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java", "name": "ZAP Rule", "section": "GET for POST", "sectionID": "10058", "tags": ["Active", "10058"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. 
is configured to set the Permissions-Policy header instead of the Feature-Policy header.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java", "name": "ZAP Rule", "section": "Deprecated Feature Policy Header Set", "sectionID": "10063-2", "tags": ["10063-2", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "233-748", "name": "Configuration hardening", "tags": ["Configuration"]}, "ltype": "Is Part Of"}], "name": "Proper Configuration for all applications and frameworks"}, {"doctype": "CRE", "id": "036-810", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks.", "sectionID": "V6.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/310.html", "name": "CWE", "section": "", "sectionID": "310"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": 
"Linked To"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "141-555", "name": "Fail securely"}, "ltype": "Related"}], "name": "Let cryptographic modules fail securely"}, {"doctype": "CRE", "id": "058-527", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-20", "name": "NIST 800-53 v5", "section": "SC-20 Secure Name/address Resolution Service (authoritative Source)"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-21", "name": "NIST 800-53 v5", "section": "SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver)"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "336-512", "name": "Ensure integrity of DNS entries and domains", "tags": ["Secure name/address resolution service"]}, "ltype": "Related"}], "name": "Secure name/address resolution service"}, {"doctype": "CRE", "id": "801-310", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. 
Permissions should still be allocated using roles.", "sectionID": "V1.4.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html", "name": "OWASP Proactive Controls", "section": "C7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/275.html", "name": "CWE", "section": "", "sectionID": "275"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}], "name": "Use ABAC/FBAC on data/feature level, even when using RBAC for permissions"}, {"doctype": "CRE", "id": "455-885", "links": [{"document": {"doctype": "CRE", "id": "633-428", "name": "Authentication"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "158-874", "name": "Allow long passwords"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "103-707", "name": "Allow unicode in passwords"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "715-681", "name": "Avoid password truncation, with exception of consecutive spaces"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "338-370", "name": "Do not enforce password rotation rules or history requirements"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "807-565", "name": "Do not limit character types for password composition"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "027-555", "name": "Enforce user passwords are of sufficient minimum length"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "604-025", "name": "Provide a password strength meter"}, "ltype": "Contains"}, {"document": 
{"doctype": "CRE", "id": "576-651", "name": "Validate new passwords are not in commonly breached passwords list"}, "ltype": "Contains"}], "name": "Credentials directives"}, {"doctype": "CRE", "id": "421-513", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that the application protects against Reflective File Download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename.", "sectionID": "V12.3.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/641.html", "name": "CWE", "section": "", "sectionID": "641"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "451-082", "name": "File execution"}, "ltype": "Is Part Of"}], "name": "Ignore/at least validate filenames from untrusted origin (against RFD)"}, {"doctype": "CRE", "id": "224-321", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records.", "sectionID": "V6.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/311.html", "name": "CWE", "section": "", "sectionID": "311"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "User Privacy Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Configure your web or application server to use SSL (https).", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpOnlySiteScanRule.java", "name": "ZAP Rule", "section": "HTTP Only Site", "sectionID": "10106", "tags": ["Active", "10106"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java", "name": "ZAP Rule", "section": "Secure Pages Include Mixed Content", "sectionID": "10040", "tags": ["10040", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. 
Consider implementing HTTP Strict Transport Security.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpsAsHttpScanRule.java", "name": "ZAP Rule", "section": "HTTPS Content Available via HTTP", "sectionID": "10047", "tags": ["Active", "10047"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/157.html", "name": "CAPEC", "section": "Sniffing Attacks", "sectionID": "157", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/158.html", "name": "CAPEC", "section": "Sniffing Network Traffic", "sectionID": "158", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/204.html", "name": "CAPEC", "section": "Lifting Sensitive Data Embedded in Cache", "sectionID": "204", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/37.html", "name": "CAPEC", "section": "Retrieve Embedded Sensitive Data", "sectionID": "37", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, 
"ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/477.html", "name": "CAPEC", "section": "Signature Spoofing by Mixing Signed and Unsigned Content", "sectionID": "477", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/609.html", "name": "CAPEC", "section": "Cellular Traffic Intercept", "sectionID": "609", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/65.html", "name": "CAPEC", "section": "Sniff Application Code", "sectionID": "65", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "275-483", "name": "Securely store regulated data"}, "ltype": "Is Part Of"}], "name": "Encrypt health data at rest"}, {"doctype": "CRE", "id": "881-434", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", 
"name": "ASVS", "section": "Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection.", "sectionID": "V5.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/147.html", "name": "CWE", "section": "", "sectionID": "147"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/460.html", "name": "CAPEC", "section": "HTTP Parameter Pollution (HPP)", "sectionID": "460", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Sanitize user input before passing content to mail systems (SMTP/IMAP injection)"}, {"doctype": "CRE", "id": "850-376", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Datacenter security", "sectionID": "DCS"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "862-452", "name": "Operating processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "163-776", "name": "Backup"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "148-227", "name": "Endpoint management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "157-587", "name": "Equipment management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "522-616", "name": "Media protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "467-784", "name": "Network security"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "125-010", "name": "Password management systems"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "234-282", "name": "Physical & environment protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "233-748", "name": "Configuration hardening", "tags": ["Configuration"]}, "ltype": "Related"}], "name": "Facilities management"}, {"doctype": "CRE", "id": "208-355", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion.", "sectionID": "V14.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}], "name": "Ensure repeatability of deployment"}, {"doctype": "CRE", "id": "354-752", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that clear text out of band (NIST \"restricted\") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first.", "sectionID": "V2.7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/287.html", "name": "CWE", "section": "", "sectionID": "287"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/114.html", "name": "CAPEC", "section": "Authentication Abuse", "sectionID": "114", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/115.html", "name": "CAPEC", "section": "Authentication Bypass", "sectionID": "115", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/151.html", "name": "CAPEC", "section": "Identity Spoofing", "sectionID": "151", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/194.html", "name": "CAPEC", "section": "Fake the Source of Data", "sectionID": "194", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/57.html", "name": "CAPEC", "section": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", "sectionID": "57", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/593.html", "name": "CAPEC", "section": "Session Hijacking", "sectionID": "593", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/633.html", "name": "CAPEC", "section": "Token Impersonation", "sectionID": "633", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/650.html", "name": "CAPEC", "section": "Upload a Web Shell to a Web Server", "sectionID": "650", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": "Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Do not offer weak (clear text) multi-factor authenticators by default"}, {"doctype": "CRE", "id": "130-550", "links": [{"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "545-243", "name": "Block execution/output of uploaded files"}, "ltype": "Contains"}, 
{"document": {"doctype": "CRE", "id": "175-235", "name": "Validate file type of data from untrusted sources"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "040-843", "name": "File download"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "451-082", "name": "File execution"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "758-262", "name": "File storage"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "621-287", "name": "File upload"}, "ltype": "Contains"}], "name": "File handling"}, {"doctype": "CRE", "id": "316-272", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted domains and subdomains to match against and does not support the \"null\" origin.", "sectionID": "V14.5.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/346.html", "name": "CWE", "section": "", "sectionID": "346"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/07-Testing_Cross_Origin_Resource_Sharing.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/111.html", "name": "CAPEC", "section": "JSON Hijacking (aka JavaScript Hijacking)", "sectionID": "111", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/141.html", "name": "CAPEC", "section": "Cache Poisoning", "sectionID": "141", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/142.html", "name": "CAPEC", "section": "DNS Cache Poisoning", "sectionID": "142", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/160.html", "name": "CAPEC", "section": "Exploit Script-Based APIs", "sectionID": "160", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/21.html", "name": "CAPEC", "section": "Exploitation of Trusted Identifiers", "sectionID": "21", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/510.html", "name": "CAPEC", "section": "SaaS User Request Forgery", "sectionID": "510", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/75.html", "name": "CAPEC", "section": "Manipulating Writeable Configuration Files", "sectionID": "75", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/89.html", "name": "CAPEC", "section": "Pharming", "sectionID": "89", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "541-441", "name": "Validate HTTP request headers", "tags": ["Injection protection"]}, "ltype": "Is Part Of"}], "name": "Whitelist CORS resources"}, {"doctype": "CRE", "id": "015-063", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required.", "sectionID": "V8.3.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/532.html", "name": "CWE", "section": "", "sectionID": "532"}, "ltype": "Linked To"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/215.html", "name": "CAPEC", "section": "Fuzzing for application mapping", "sectionID": "215", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "402-706", "name": "Log relevant"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "843-841", "name": "Log discretely"}, "ltype": "Related"}], "name": "Log access to sensitive data"}, {"doctype": "CRE", "id": "065-388", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that all responses contain a X-Content-Type-Options: nosniff header.", "sectionID": "V14.4.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/116.html", "name": "CWE", "section": "", "sectionID": "116"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Content Security Policy Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": 
"CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Is Part Of"}], "name": "Configure X-Content-Type-Options properly"}, {"doctype": "CRE", "id": "622-203", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. 
Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash.", "sectionID": "V2.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/916.html", "name": "CWE", "section": "", "sectionID": "916"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Password Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Store passwords salted and hashed"}, {"doctype": "CRE", "id": "110-531", "links": [{"document": {"doctype": "CRE", "id": "232-034", "name": "Set '_Host' prefix for cookie-based session tokens"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "342-055", "name": "Set \"samesite\" attribute for cookie-based session tokens", "tags": ["CSRF protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "688-081", "name": "Set \"secure\" attribute for cookie-based session tokens"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "804-220", "name": "Set httponly attribute for cookie-based session tokens", "tags": ["XSS protection"]}, "ltype": "Contains"}, {"document": 
{"doctype": "CRE", "id": "705-182", "name": "Set path attribute in cookie-based session tokens as precise as possible"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Is Part Of"}], "name": "Cookie-config"}, {"doctype": "CRE", "id": "847-247", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Interoperability and portability policy and procedures", "sectionID": "IPY"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "766-162", "name": "Security Analysis and documentation"}, "ltype": "Is Part Of"}], "name": "Interoperability and portability policy and procedures"}, {"doctype": "CRE", "id": "232-217", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content.", "sectionID": "V5.1.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/601.html", "name": "CWE", "section": "", "sectionID": "601"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Mass Assignment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java", "name": "ZAP Rule", "section": "External Redirect", "sectionID": "20019-3", "tags": ["Active", "20019-3"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java", "name": "ZAP Rule", "section": "External Redirect", "sectionID": "20019-1", "tags": ["Active", "20019-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java", "name": "ZAP Rule", "section": "External Redirect", "sectionID": "20019-4", "tags": ["Active", "20019-4"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java", "name": "ZAP Rule", "section": "External Redirect", "sectionID": "20019-2", "tags": ["Active", "20019-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/178.html", "name": "CAPEC", "section": "Cross-Site Flashing", "sectionID": "178", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Outdated%20Allowlist", "name": "OWASP Juice Shop", "section": 
"Outdated Allowlist", "sectionID": "redirectCryptoCurrencyChallenge", "tags": ["Unvalidated Redirects"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Allowlist%20Bypass", "name": "OWASP Juice Shop", "section": "Allowlist Bypass", "sectionID": "redirectChallenge", "tags": ["Unvalidated Redirects"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Whitelist redirected/forwarded URLs"}, {"doctype": "CRE", "id": "171-222", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that binary signatures, trusted connections, and verified endpoints are used to deploy binaries to remote devices.", "sectionID": "V1.14.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/494.html", "name": "CWE", "section": "", "sectionID": "494"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/184.html", "name": "CAPEC", "section": "Software Integrity Attack", "sectionID": "184", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/185.html", "name": "CAPEC", "section": "Malicious Software Download", "sectionID": "185", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/186.html", "name": "CAPEC", "section": "Malicious Software Update", "sectionID": "186", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/187.html", "name": "CAPEC", "section": "Malicious Automated 
Software Update via Redirection", "sectionID": "187", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/533.html", "name": "CAPEC", "section": "Malicious Manual Software Update", "sectionID": "533", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/538.html", "name": "CAPEC", "section": "Open-Source Library Manipulation", "sectionID": "538", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/657.html", "name": "CAPEC", "section": "Malicious Automated Software Update via Spoofing", "sectionID": "657", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/662.html", "name": "CAPEC", "section": "Adversary in the Browser (AiTB)", "sectionID": "662", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/691.html", "name": "CAPEC", "section": "Spoof Open-Source Software Metadata", "sectionID": "691", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/692.html", "name": "CAPEC", "section": "Spoof Version Control System Commit Metadata", "sectionID": "692", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/693.html", "name": "CAPEC", "section": "StarJacking", "sectionID": "693", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/695.html", "name": "CAPEC", "section": "Repo Jacking", "sectionID": "695", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}], "name": "Check binary 
integrity before deployment"}, {"doctype": "CRE", "id": "233-748", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/operations/environment-management/stream-a", "name": "SAMM", "section": "Configuration Hardening", "sectionID": "O-EM-A"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "180-488", "name": "Proper Configuration for all applications and frameworks"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "814-322", "name": "Whitelist data sources and sinks", "tags": ["SSRF protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Contains"}], "name": "Configuration hardening", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "032-213", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations.", "sectionID": "V6.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html", "name": "OWASP Proactive Controls", "section": "C8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/320.html", "name": "CWE", "section": "", "sectionID": "320"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use an isolated security module for cryptographic operations"}, {"doctype": "CRE", "id": "227-045", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data.", "sectionID": "V8.3.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html", "name": "OWASP Proactive Controls", "section": "C8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/200.html", "name": "CWE", "section": "", "sectionID": "200"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-12", "name": "NIST 800-53 v5", "section": "SI-12 Information Management and Retention"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Intellectual property rights", "sectionID": "5.32"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Protection of records", "sectionID": "5.33"}, "ltype": "Linked To"}, {"document": {"description": "Disable debugging messages before pushing to production.", "doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Debug%20Error%20Disclosure.js", "name": "ZAP Rule", "section": "Information Disclosure - Debug Error Messages via WebSocket", "sectionID": "110003", "tags": ["110003", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Session ID in URL Rewrite", "sectionID": "3-1", "tags": ["Passive", "3-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java", "name": "ZAP Rule", "section": "Timestamp Disclosure", "sectionID": "10096", "tags": ["10096", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the ASP.NET ViewState does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java", "name": "ZAP Rule", "section": "ASP.NET ViewState Disclosure", "sectionID": "10094-1", "tags": ["Passive", "10094-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "This is a risk if the session ID is sensitive 
and the hyperlink refers to an external or third party host. For secure content, put session ID in secured session cookie.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Referer Exposes Session ID", "sectionID": "3-3", "tags": ["3-3", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java", "name": "ZAP Rule", "section": "Proxy Disclosure", "sectionID": "40025", "tags": ["Active", "40025"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Before allowing images to be stored on the server and/or transmitted to the browser, strip out the embedded location information from image. This could mean removing all Exif data or just the GPS component. 
Other data, like serial numbers, should also be removed.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/imagelocationscanner/src/main/java/org/zaproxy/zap/extension/imagelocationscanner/ImageLocationScanRule.java", "name": "ZAP Rule", "section": "Image Exposes Location or Privacy Data", "sectionID": "10103", "tags": ["Passive", "10103"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove emails that are not public.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Email%20Disclosure.js", "name": "ZAP Rule", "section": "Email address found in WebSocket message", "sectionID": "110004", "tags": ["110004", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the 'Server' header or provide generic details.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks its Webserver Application via 'Server' HTTP Response Header Field", "sectionID": "10036-1", "tags": ["Passive", "10036-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Disable debugging messages before pushing to production.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Debug Error Messages", "sectionID": "10023", "tags": ["Passive", "10023"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove the private IP address from the 
HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java", "name": "ZAP Rule", "section": "Private IP Disclosure", "sectionID": "2", "tags": ["2", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRule.java", "name": "ZAP Rule", "section": "In Page Banner Information Leak", "sectionID": "10009", "tags": ["10009", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not pass sensitive information in URIs.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Sensitive Information in HTTP Referrer Header", "sectionID": "10025", "tags": ["10025", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.).", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java", "name": "ZAP Rule", "section": "X-Debug-Token Information Leak", "sectionID": "10056", "tags": ["Passive", "10056"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. 
is configured to suppress X-Backend-Server headers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java", "name": "ZAP Rule", "section": "X-Backend-Server Header Information Leak", "sectionID": "10039", "tags": ["10039", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "TBA", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java", "name": "ZAP Rule", "section": "Insecure HTTP Method", "sectionID": "90028", "tags": ["Active", "90028"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/XML%20Comments%20Disclosure.js", "name": "ZAP Rule", "section": "Information Disclosure - Suspicious Comments in XML via WebSocket", "sectionID": "110008", "tags": ["110008", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Disable this functionality in Production when it might leak information that could be leveraged by an attacker. 
Alternatively ensure that use of the functionality is tied to a strong authorization check and only available to administrators or support personnel for troubleshooting purposes not general users.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java", "name": "ZAP Rule", "section": "X-ChromeLogger-Data (XCOLD) Header Information Leak", "sectionID": "10052", "tags": ["Passive", "10052"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress 'X-Powered-By' headers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)", "sectionID": "10037", "tags": ["10037", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "For secure content, put session ID in a cookie. 
To be even more secure consider using a combination of cookie and URL rewrite.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Session ID in URL Rewrite", "sectionID": "3-2", "tags": ["Passive", "3-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not pass sensitive information in URIs.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Sensitive Information in URL", "sectionID": "10024", "tags": ["10024", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java", "name": "ZAP Rule", "section": "Cookie Slack Detector", "sectionID": "90027", "tags": ["Active", "90027"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the 'Server' header or provide generic details.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks Version Information via 'Server' HTTP Response Header Field", "sectionID": "10036-2", "tags": ["Passive", "10036-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not divulge details of whether a username is valid or invalid. 
In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java", "name": "ZAP Rule", "section": "Possible Username Enumeration", "sectionID": "40023", "tags": ["Active", "40023"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Suspicious Comments", "sectionID": "10027", "tags": ["10027", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java", "name": "ZAP Rule", "section": "Base64 Disclosure", "sectionID": "10094-3", "tags": ["Passive", "10094-3"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Review the source code of this page. Implement custom error pages. 
Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java", "name": "ZAP Rule", "section": "Application Error Disclosure", "sectionID": "90022", "tags": ["90022", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/116.html", "name": "CAPEC", "section": "Excavation", "sectionID": "116", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/169.html", "name": "CAPEC", "section": "Footprinting", "sectionID": "169", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/224.html", "name": "CAPEC", "section": "Fingerprinting", "sectionID": "224", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/285.html", "name": "CAPEC", "section": "ICMP Echo Request Ping", "sectionID": "285", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/287.html", "name": "CAPEC", "section": "TCP SYN Scan", "sectionID": "287", "version": "3.9"}, 
"ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/290.html", "name": "CAPEC", "section": "Enumerate Mail Exchange (MX) Records", "sectionID": "290", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/291.html", "name": "CAPEC", "section": "DNS Zone Transfers", "sectionID": "291", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/292.html", "name": "CAPEC", "section": "Host Discovery", "sectionID": "292", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/293.html", "name": "CAPEC", "section": "Traceroute Route Enumeration", "sectionID": "293", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/294.html", "name": "CAPEC", "section": "ICMP Address Mask Request", "sectionID": "294", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/295.html", "name": "CAPEC", "section": "Timestamp Request", "sectionID": "295", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/296.html", "name": "CAPEC", "section": "ICMP Information Request", "sectionID": "296", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/297.html", "name": "CAPEC", "section": "TCP ACK Ping", "sectionID": "297", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/298.html", "name": "CAPEC", "section": "UDP Ping", "sectionID": "298", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/299.html", "name": "CAPEC", "section": "TCP SYN Ping", "sectionID": "299", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/300.html", "name": "CAPEC", "section": "Port Scanning", "sectionID": "300", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/301.html", "name": "CAPEC", "section": "TCP Connect Scan", "sectionID": "301", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/302.html", "name": "CAPEC", "section": "TCP FIN Scan", "sectionID": "302", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/303.html", "name": "CAPEC", "section": "TCP Xmas Scan", "sectionID": "303", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/304.html", "name": "CAPEC", "section": "TCP Null Scan", "sectionID": "304", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/305.html", "name": "CAPEC", "section": "TCP ACK Scan", "sectionID": "305", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/306.html", "name": "CAPEC", "section": "TCP Window Scan", "sectionID": "306", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/307.html", "name": "CAPEC", "section": "TCP RPC Scan", "sectionID": "307", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/308.html", "name": "CAPEC", "section": "UDP Scan", "sectionID": "308", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/309.html", "name": "CAPEC", "section": "Network Topology Mapping", "sectionID": "309", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/310.html", "name": "CAPEC", "section": "Scanning for Vulnerable Software", "sectionID": "310", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/312.html", "name": "CAPEC", "section": "Active OS Fingerprinting", "sectionID": "312", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/313.html", "name": "CAPEC", "section": "Passive OS Fingerprinting", "sectionID": "313", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/317.html", "name": "CAPEC", "section": "IP ID Sequencing Probe", "sectionID": "317", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/318.html", "name": "CAPEC", "section": "IP 'ID' Echoed Byte-Order Probe", "sectionID": "318", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/319.html", "name": "CAPEC", "section": "IP (DF) 'Don't Fragment Bit' Echoing Probe", "sectionID": "319", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/320.html", "name": "CAPEC", "section": "TCP Timestamp Probe", "sectionID": "320", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/321.html", "name": "CAPEC", "section": "TCP Sequence Number Probe", "sectionID": "321", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/322.html", "name": "CAPEC", "section": "TCP (ISN) Greatest Common Divisor Probe", "sectionID": "322", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/323.html", "name": "CAPEC", "section": "TCP (ISN) Counter Rate Probe", "sectionID": "323", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/324.html", "name": "CAPEC", "section": "TCP (ISN) Sequence Predictability Probe", "sectionID": "324", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/325.html", "name": "CAPEC", "section": "TCP Congestion Control Flag (ECN) Probe", "sectionID": "325", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/326.html", "name": "CAPEC", "section": "TCP Initial Window Size Probe", "sectionID": "326", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/327.html", "name": "CAPEC", "section": "TCP Options Probe", "sectionID": "327", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/328.html", "name": "CAPEC", "section": "TCP 'RST' Flag Checksum Probe", "sectionID": "328", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/329.html", "name": "CAPEC", "section": "ICMP Error Message Quoting Probe", "sectionID": "329", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/330.html", "name": "CAPEC", "section": "ICMP Error Message Echoing Integrity Probe", "sectionID": "330", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/472.html", "name": "CAPEC", "section": "Browser Fingerprinting", "sectionID": "472", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/497.html", "name": "CAPEC", "section": "File Discovery", "sectionID": "497", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/508.html", "name": "CAPEC", "section": "Shoulder Surfing", "sectionID": "508", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/573.html", "name": "CAPEC", "section": "Process Footprinting", "sectionID": "573", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/574.html", "name": "CAPEC", "section": "Services Footprinting", "sectionID": "574", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/575.html", "name": "CAPEC", "section": "Account Footprinting", "sectionID": "575", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/576.html", "name": "CAPEC", "section": "Group Permission Footprinting", "sectionID": "576", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/577.html", "name": "CAPEC", "section": "Owner Footprinting", "sectionID": "577", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/616.html", "name": "CAPEC", "section": "Establish Rogue Location", "sectionID": "616", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/643.html", "name": "CAPEC", "section": "Identify Shared Files/Directories on System", "sectionID": "643", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/646.html", "name": "CAPEC", "section": "Peripheral Footprinting", "sectionID": "646", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/651.html", "name": "CAPEC", "section": "Eavesdropping", "sectionID": "651", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "074-873", "name": "Data classification and handling"}, "ltype": "Is Part Of"}], "name": "Identify sensitive data and subject it to a policy"}, {"doctype": "CRE", "id": "576-042", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application.", "sectionID": "V1.2.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cwe.mitre.org/data/definitions/306.html", "name": "CWE", "section": "", "sectionID": "306"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/12.html", "name": "CAPEC", "section": "Choosing Message Identifier", "sectionID": "12", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/166.html", "name": "CAPEC", "section": "Force the System to Reset Values", "sectionID": "166", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/216.html", "name": "CAPEC", "section": "Communication Channel Manipulation", "sectionID": "216", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/36.html", "name": "CAPEC", "section": "Using Unpublished Interfaces or Functionality", "sectionID": "36", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "146-556", "name": "Authenticate consistently"}, "ltype": "Is Part Of"}], "name": "Consistently apply authentication strength"}, {"doctype": "CRE", "id": "618-403", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that Relying Parties (RPs) specify the maximum authentication time to Credential Service Providers (CSPs) and that CSPs re-authenticate the user if they haven't used a session within that period.", "sectionID": "V3.6.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/613.html", "name": "CWE", "section": "", 
"sectionID": "613"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "258-115", "name": "Re-authentication from federation or assertion"}, "ltype": "Is Part Of"}], "name": "Enforce authentication timeout when dealing with an authentication third party (CSP)"}, {"doctype": "CRE", "id": "831-570", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows.", "sectionID": "V5.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/120.html", "name": "CWE", "section": "", "sectionID": "120"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Buffer_Overflow.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-13"}, "ltype": "Linked To"}, {"document": {"description": "Rewrite the background program using proper return length checking. 
This will require a recompile of the background executable.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java", "name": "ZAP Rule", "section": "Buffer Overflow", "sectionID": "30001", "tags": ["Active", "30001"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/10.html", "name": "CAPEC", "section": "Buffer Overflow via Environment Variables", "sectionID": "10", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/100.html", "name": "CAPEC", "section": "Overflow Buffers", "sectionID": "100", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/14.html", "name": "CAPEC", "section": "Client-side Injection-induced Buffer Overflow", "sectionID": "14", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/24.html", "name": "CAPEC", "section": "Filter Failure through Buffer Overflow", "sectionID": "24", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/42.html", "name": "CAPEC", "section": "MIME Conversion", "sectionID": "42", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/44.html", "name": "CAPEC", "section": "Overflow Binary Resource File", "sectionID": "44", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/46.html", "name": "CAPEC", "section": "Overflow Variables and Tags", "sectionID": "46", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/47.html", "name": "CAPEC", "section": "Buffer Overflow via Parameter Expansion", "sectionID": "47", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/67.html", "name": "CAPEC", "section": "String Format Overflow in syslog()", "sectionID": "67", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/8.html", "name": "CAPEC", "section": "Buffer Overflow in an API Call", "sectionID": "8", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/9.html", "name": "CAPEC", "section": "Buffer Overflow in Local Command-Line Utilities", "sectionID": "9", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/92.html", "name": "CAPEC", "section": "Forced Integer Overflow", "sectionID": "92", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "866-553", "name": "Memory, String, and Unmanaged Code", "tags": ["Injection protection"]}, "ltype": "Is Part Of"}], "name": "Use memory-safe functions exclusively"}, {"doctype": "CRE", "id": "362-550", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Privacy and protection of personal identifiable information (PII)", "sectionID": "5.34"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "571-640", "name": "Personal data handling management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "447-083", 
"name": "Privacy-preserving personal data logic"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "482-866", "name": "Encrypt personal data at rest"}, "ltype": "Related"}], "name": "Personal data handling"}, {"doctype": "CRE", "id": "767-435", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations.", "sectionID": "V2.4.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/916.html", "name": "CWE", "section": "", "sectionID": "916"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Password Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Set the highest feasible iteration count for PBKDF2"}, {"doctype": "CRE", "id": "842-876", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-1", "name": 
"NIST 800-53 v5", "section": "AU-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-11", "name": "NIST 800-53 v5", "section": "AU-11 Audit Record Retention"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-12", "name": "NIST 800-53 v5", "section": "AU-12 Audit Record Generation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-16", "name": "NIST 800-53 v5", "section": "AU-16 Cross-organizational Audit Logging"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-4", "name": "NIST 800-53 v5", "section": "AU-4 Audit Log Storage Capacity"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-5", "name": "NIST 800-53 v5", "section": "AU-5 Response to Audit Logging Process Failures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-6", "name": "NIST 800-53 v5", "section": "AU-6 Audit Record Review, Analysis, and Reporting"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-7", "name": "NIST 800-53 v5", "section": "AU-7 Audit Record Reduction and Report Generation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-11", "name": "NIST 800-53 v5", "section": "SI-11 Error Handling"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Logging", "sectionID": "8.15"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "513-183", "name": "Error handling"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "141-555", "name": "Fail securely"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "843-841", "name": "Log discretely"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "148-420", "name": "Log integrity"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "402-706", "name": "Log relevant"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "058-083", "name": "Monitoring"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "725-682", "name": "Enable configurable alert against usage anomalies", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "668-364", "name": "Log TLS connection failures"}, "ltype": "Related"}], "name": "Logging and error handling"}, {"doctype": "CRE", "id": "065-782", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period.", "sectionID": "V3.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/613.html", "name": "CWE", "section": "", "sectionID": "613"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "470-731", "name": "Minimize session life"}, "ltype": "Is Part Of"}], "name": "Ensure session timeout (soft/hard)"}, {"doctype": "CRE", "id": "813-610", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that intra-service secrets do not rely on unchanging credentials such as passwords, API keys or shared accounts with privileged access.", "sectionID": "V2.10.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/287.html", "name": "CWE", "section": "", "sectionID": "287"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/114.html", "name": "CAPEC", "section": "Authentication Abuse", "sectionID": "114", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/115.html", "name": "CAPEC", "section": 
"Authentication Bypass", "sectionID": "115", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/151.html", "name": "CAPEC", "section": "Identity Spoofing", "sectionID": "151", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/194.html", "name": "CAPEC", "section": "Fake the Source of Data", "sectionID": "194", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/57.html", "name": "CAPEC", "section": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", "sectionID": "57", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/593.html", "name": "CAPEC", "section": "Session Hijacking", "sectionID": "593", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/633.html", "name": "CAPEC", "section": "Token Impersonation", "sectionID": "633", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/650.html", "name": "CAPEC", "section": "Upload a Web Shell to a Web Server", "sectionID": "650", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": "Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Is Part Of"}], "name": "Do not use static secrets"}, 
{"doctype": "CRE", "id": "660-867", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md", "name": "ASVS", "section": "Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modeling or similar methodologies.", "sectionID": "V11.1.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/841.html", "name": "CWE", "section": "", "sectionID": "841"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-$$"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "552-588", "name": "Detect and prevent unusual activity"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "307-242", "name": "Security risk assessment"}, "ltype": "Related"}], "name": "Implement business logic limits against identified business risks"}, {"doctype": "CRE", "id": "287-251", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device.", "sectionID": "V2.9.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/330.html", "name": "CWE", "section": "", "sectionID": "330"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.7.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/485.html", "name": "CAPEC", "section": "Signature Spoofing by Key Recreation", "sectionID": "485", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "585-408", "name": "Challenge nonce cryptography", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use a unique challenge nonce of sufficient size"}, {"doctype": "CRE", "id": "742-431", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography.", "sectionID": "V6.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html", "name": "OWASP 
Proactive Controls", "section": "C8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/327.html", "name": "CWE", "section": "", "sectionID": "327"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/459.html", "name": "CAPEC", "section": "Creating a Rogue Certification Authority Certificate", "sectionID": "459", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/473.html", "name": "CAPEC", "section": "Signature Spoof", "sectionID": "473", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/475.html", "name": "CAPEC", "section": "Signature Spoofing by Improper Validation", "sectionID": "475", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/608.html", "name": "CAPEC", "section": "Cryptanalysis of Cellular Encryption", "sectionID": "608", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/614.html", "name": "CAPEC", "section": "Rooting SIM Cards", "sectionID": "614", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/97.html", "name": "CAPEC", "section": "Cryptanalysis", "sectionID": "97", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use approved cryptographic algorithms"}, {"doctype": "CRE", "id": "612-435", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate.", "sectionID": "V7.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html", "name": "OWASP Proactive Controls", "section": "C10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/209.html", "name": "CWE", "section": "", "sectionID": "210"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ERRH-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Error Handling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "513-183", "name": "Error handling"}, "ltype": "Is Part Of"}], "name": "Show generic message for security exceptions or unanticipated exceptions"}, {"doctype": "CRE", "id": "201-246", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", "section": "Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use.", "sectionID": "V4.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/419.html", "name": "CWE", "section": "", "sectionID": "419"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Assessment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Related"}], "name": "Use multifactor authentication on administrative interfaces"}, {"doctype": "CRE", "id": "660-052", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that the application will not accept large files that could fill up storage or cause a denial of service.", "sectionID": 
"V12.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/400.html", "name": "CWE", "section": "", "sectionID": "400"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-09"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Upgrade your Apache server to a currently stable version. Alternative solutions or workarounds are outlined in the references. ", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ApacheRangeHeaderDosScanRule.java", "name": "ZAP Rule", "section": "Apache Range Header DoS (CVE-2011-3192)", "sectionID": "10053", "tags": ["Active", "10053"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/147.html", "name": "CAPEC", "section": "XML Ping of the Death", "sectionID": "147", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/227.html", "name": "CAPEC", "section": "Sustained Client Engagement", "sectionID": "227", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/492.html", "name": "CAPEC", "section": "Regular Expression Exponential Blowup", "sectionID": "492", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "621-287", "name": 
"File upload"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}], "name": "Validate max input/file sizes", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "078-427", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, with a minimum of 10.", "sectionID": "V2.4.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/916.html", "name": "CWE", "section": "", "sectionID": "916"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Password Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Set the highest feasible work factor for bcrypt"}, {"doctype": "CRE", "id": "013-021", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-13", "name": "NIST 800-53 
v5", "section": "PM-13 Security and Privacy Workforce"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security roles and responsibilities", "sectionID": "5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed.", "sectionID": "PO.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-2", "name": "NIST 800-53 v5", "section": "PM-2 Information Security Program Leadership Role"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-29", "name": "NIST 800-53 v5", "section": "PM-29 Risk Management Program Leadership Roles"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "427-113", "name": "Security governance regarding people"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "247-250", "name": "Access control processes"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "118-775", "name": "Manage an internal secure software development community"}, "ltype": "Related"}], "name": "Roles and responsibilities"}, {"doctype": "CRE", "id": "486-813", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-2", "name": "NIST 800-53 v5", "section": "CM-2 BASELINE CONFIGURATION"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-6", "name": "NIST 800-53 v5", "section": 
"CM-6 Configuration Settings"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/", "name": "OWASP Top 10 2021", "section": "Security Misconfiguration", "sectionID": "A05"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "124-564", "name": "Configuration Management", "tags": ["Configuration"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "154-031", "name": "Harden application by excluding unwanted functionality", "tags": ["Configuration"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "462-245", "name": "Remove unnecessary elements from external components (e.g. features, documentation, configuration)", "tags": ["Configuration"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "233-748", "name": "Configuration hardening", "tags": ["Configuration"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "308-515", "name": "Prevent security disclosure", "tags": ["Configuration"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "764-507", "name": "Restrict XML parsing (against XXE)", "tags": ["Configuration", "Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "333-888", "name": "Do not expose data through API URLs", "tags": ["Configuration"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "186-540", "name": "Do not expose data through HTTP verb", "tags": ["Configuration"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "430-636", "name": "Verify TLS certificates and trust chain", "tags": ["Configuration"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "615-744", "name": "Protect against directory browsing/discovery attacks", "tags": ["Configuration"]}, "ltype": "Related"}], "name": "Configuration"}, {"doctype": "CRE", "id": "582-541", 
"links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify the application ensures a full, valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.", "sectionID": "V3.7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/306.html", "name": "CWE", "section": "", "sectionID": "306"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transaction_Authorization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transaction Authorization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/12.html", "name": "CAPEC", "section": "Choosing Message Identifier", "sectionID": "12", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/166.html", "name": "CAPEC", "section": "Force the System to Reset Values", "sectionID": "166", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/216.html", "name": "CAPEC", "section": 
"Communication Channel Manipulation", "sectionID": "216", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/36.html", "name": "CAPEC", "section": "Using Unpublished Interfaces or Functionality", "sectionID": "36", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Is Part Of"}], "name": "Re-authenticate before sensitive transactions"}, {"doctype": "CRE", "id": "326-704", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-8", "name": "NIST 800-53 v5", "section": "PL-8 SECURITY AND PRIVACY ARCHITECTURES"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/design/security-architecture/stream-a", "name": "SAMM", "section": "Architecture Design", "sectionID": "D-SA-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-17", "name": "NIST 800-53 v5", "section": "SA-17 Developer Security and Privacy Architecture and Design"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-20", "name": "NIST 800-53 v5", "section": "SA-20 Customized Development of Critical Components"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-27", "name": "NIST 800-53 v5", "section": "SC-27 
Platform-independent Applications"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-29", "name": "NIST 800-53 v5", "section": "SC-29 Heterogeneity"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-23", "name": "NIST 800-53 v5", "section": "SA-23 Specialization"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Secure system architecture and engineering principles", "sectionID": "8.27"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "708-355", "name": "Secure implemented architecture", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "068-102", "name": "Describe high-level system architecture and perform threat modeling on it every critical change and regularly"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "072-713", "name": "Manage standard technologies and frameworks"}, "ltype": "Contains"}], "name": "Architecture/design processes", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "027-210", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that random GUIDs are created using the GUID v4 algorithm, and a Cryptographically-secure Pseudo-random Number Generator (CSPRNG). 
GUIDs created using other pseudo-random number generators may be predictable.", "sectionID": "V6.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/338.html", "name": "CWE", "section": "", "sectionID": "338"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "542-270", "name": "Secure random values", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Create random GUIDs with cryptographically secure random number generators"}, {"doctype": "CRE", "id": "881-321", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access.", "sectionID": "V2.10.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/522.html", "name": "CWE", "section": "", "sectionID": "522"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/474.html", "name": "CAPEC", "section": "Signature Spoofing by Key Theft", "sectionID": "474", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/50.html", "name": "CAPEC", "section": "Password Recovery Exploitation", "sectionID": "50", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/551.html", "name": "CAPEC", "section": "Modify Existing Service", "sectionID": "551", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/644.html", "name": "CAPEC", "section": "Use of Captured Hashes (Pass The Hash)", "sectionID": "644", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/645.html", "name": "CAPEC", "section": "Use of Captured Tickets (Pass The Ticket)", "sectionID": "645", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Store credentials securely"}, {"doctype": "CRE", "id": "525-361", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key.", "sectionID": "V2.2.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/308.html", "name": "CWE", "section": "", "sectionID": "308"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authentication Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.2.9"}, "ltype": "Linked To"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/644.html", "name": "CAPEC", "section": "Use of Captured Hashes (Pass The Hash)", "sectionID": "644", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/645.html", "name": "CAPEC", "section": "Use of Captured Tickets (Pass The Ticket)", "sectionID": "645", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Authenticate by OTP token entry or user-initiated action on multi factor device"}, {"doctype": "CRE", "id": "275-483", "links": [{"document": {"doctype": "CRE", "id": "400-007", "name": "Encrypt data at rest", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "267-468", "name": "Encrypt financial data at rest"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "224-321", "name": "Encrypt health data at rest"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "482-866", "name": "Encrypt personal data at rest"}, "ltype": "Contains"}], "name": "Securely store regulated data"}, {"doctype": "CRE", "id": "048-612", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that all logging components appropriately encode data to prevent log injection.", "sectionID": "V7.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html", "name": "OWASP Proactive Controls", "section": "C9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/117.html", "name": "CWE", "section": "", "sectionID": "117"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Upgrade Log4j2 to version 2.17.1 or newer. In previous releases (>2.10) this behavior can be mitigated by setting system property 'log4j2.formatMsgNoLookups' to 'true' or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). 
Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting 'com.sun.jndi.rmi.object.trustURLCodebase' and 'com.sun.jndi.cosnaming.object.trustURLCodebase' to 'false'.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java", "name": "ZAP Rule", "section": "Log4Shell (CVE-2021-44228)", "sectionID": "40043-1", "tags": ["Active", "40043-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Upgrade Apache Commons Text prior to version 1.10.0 or newer.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/Text4ShellScanRule.java", "name": "ZAP Rule", "section": "Text4shell (CVE-2022-42889)", "sectionID": "40047", "tags": ["Active", "40047"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Upgrade Log4j2 to version 2.17.1 or newer.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Log4ShellScanRule.java", "name": "ZAP Rule", "section": "Log4Shell (CVE-2021-45046)", "sectionID": "40043-2", "tags": ["Active", "40043-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/268.html", "name": "CAPEC", "section": "Audit Log Manipulation", "sectionID": "268", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/93.html", "name": 
"CAPEC", "section": "Log Injection-Tampering-Forging", "sectionID": "93", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "821-541", "name": "Log injection protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}], "name": "Encode user input before logging", "tags": ["Injection protection"]}, {"doctype": "CRE", "id": "737-086", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI).", "sectionID": "V12.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/73.html", "name": "CWE", "section": "", "sectionID": "73"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHZ-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/267.html", "name": "CAPEC", "section": "Leverage Alternate Encoding", "sectionID": "267", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/64.html", "name": "CAPEC", "section": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", "sectionID": 
"64", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/72.html", "name": "CAPEC", "section": "URL Encoding", "sectionID": "72", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/78.html", "name": "CAPEC", "section": "Using Escaped Slashes in Alternate Encoding", "sectionID": "78", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/80.html", "name": "CAPEC", "section": "Using UTF-8 Encoding to Bypass Validation Logic", "sectionID": "80", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "451-082", "name": "File execution"}, "ltype": "Is Part Of"}], "name": "Ignore/at least validate filename metadata from untrusted origin (local file context, eg LFI)"}, {"doctype": "CRE", "id": "777-470", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs.", "sectionID": "V12.3.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/829.html", "name": "CWE", "section": "", "sectionID": "829"}, 
"ltype": "Linked To"}, {"document": {"description": "Please upgrade to the latest version of ExampleLibrary.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java", "name": "ZAP Rule", "section": "Vulnerable JS Library", "sectionID": "10003", "tags": ["Passive", "10003"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java", "name": "ZAP Rule", "section": "Cross-Domain JavaScript Source File Inclusion", "sectionID": "10017", "tags": ["10017", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/175.html", "name": "CAPEC", "section": "Code Inclusion", "sectionID": "175", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/201.html", "name": "CAPEC", "section": "Serialized Data External Linking", "sectionID": "201", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/228.html", "name": "CAPEC", "section": "DTD Injection", "sectionID": "228", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/251.html", "name": "CAPEC", "section": "Local Code Inclusion", "sectionID": "251", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/252.html", "name": "CAPEC", "section": "PHP Local File Inclusion", "sectionID": 
"252", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/253.html", "name": "CAPEC", "section": "Remote Code Inclusion", "sectionID": "253", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/263.html", "name": "CAPEC", "section": "Force Use of Corrupted Files", "sectionID": "263", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/538.html", "name": "CAPEC", "section": "Open-Source Library Manipulation", "sectionID": "538", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/549.html", "name": "CAPEC", "section": "Local Execution of Code", "sectionID": "549", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/640.html", "name": "CAPEC", "section": "Inclusion of Code in Existing Process", "sectionID": "640", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/660.html", "name": "CAPEC", "section": "Root/Jailbreak Detection Evasion via Hooking", "sectionID": "660", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/695.html", "name": "CAPEC", "section": "Repo Jacking", "sectionID": "695", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/698.html", "name": "CAPEC", "section": "Install Malicious Extension", "sectionID": "698", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "451-082", "name": "File execution"}, "ltype": "Is Part Of"}], "name": "Ignore/block execution logic from untrusted sources"}, {"doctype": "CRE", "id": 
"704-530", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that session tokens possess at least 64 bits of entropy.", "sectionID": "V3.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/331.html", "name": "CWE", "section": "", "sectionID": "331"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "716-526", "name": "Session token generation"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Enforce high entropy session tokens", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "841-710", "links": [{"document": {"doctype": 
"Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that all authentication decisions are logged, without storing sensitive session tokens or passwords. This should include requests with relevant metadata needed for security investigations.", "sectionID": "V7.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/778.html", "name": "CWE", "section": "", "sectionID": "778"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "402-706", "name": "Log relevant"}, "ltype": "Is Part Of"}], "name": "Log authentication decisions without exposing sensitive data"}, {"doctype": "CRE", "id": "058-083", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Logging and Monitoring", "sectionID": "LOG"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Monitoring activities", "sectionID": "8.16"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/operations/incident-management/stream-a", "name": "SAMM", "section": "Incident Detection", "sectionID": "O-IM-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-4", "name": "NIST 800-53 v5", "section": "SI-4 System Monitoring"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "887-750", "name": "Detect and respond"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "176-154", "name": 
"Monitor expectation of usage intensity (e.g. number of requests)", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "418-853", "name": "Monitor unusual activities on system", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}], "name": "Monitoring"}, {"doctype": "CRE", "id": "736-237", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that all API responses contain a Content-Disposition: attachment; filename=\"api.json\" header (or other appropriate filename for the content type).", "sectionID": "V14.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/116.html", "name": "CWE", "section": "", "sectionID": "116"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Content Security Policy Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": 
{"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Is Part Of"}], "name": "Set metadata/content-Disposition for API responses"}, {"doctype": "CRE", "id": "463-820", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files.", "sectionID": "V12.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/770.html", "name": "CWE", "section": "", "sectionID": "770"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/125.html", "name": "CAPEC", "section": "Flooding", "sectionID": "125", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/130.html", "name": "CAPEC", "section": "Excessive Allocation", "sectionID": "130", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/147.html", "name": "CAPEC", "section": "XML Ping of the Death", "sectionID": "147", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/197.html", "name": "CAPEC", "section": "Exponential Data Expansion", "sectionID": "197", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/229.html", "name": "CAPEC", "section": "Serialized Data Parameter 
Blowup", "sectionID": "229", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", "sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/469.html", "name": "CAPEC", "section": "HTTP DoS", "sectionID": "469", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/482.html", "name": "CAPEC", "section": "TCP Flood", "sectionID": "482", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/486.html", "name": "CAPEC", "section": "UDP Flood", "sectionID": "486", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/487.html", "name": "CAPEC", "section": "ICMP Flood", "sectionID": "487", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/488.html", "name": "CAPEC", "section": "HTTP Flood", "sectionID": "488", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/489.html", "name": "CAPEC", "section": "SSL Flood", "sectionID": "489", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/490.html", "name": "CAPEC", "section": "Amplification", "sectionID": "490", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/491.html", "name": "CAPEC", "section": "Quadratic Data Expansion", "sectionID": "491", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/493.html", "name": "CAPEC", "section": "SOAP Array Blowup", "sectionID": "493", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/494.html", "name": "CAPEC", "section": "TCP Fragmentation", "sectionID": "494", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/495.html", "name": "CAPEC", "section": "UDP Fragmentation", "sectionID": "495", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/496.html", "name": "CAPEC", "section": "ICMP Fragmentation", "sectionID": "496", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/528.html", "name": "CAPEC", "section": "XML Flood", "sectionID": "528", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "621-287", "name": "File upload"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}], "name": "Limit size and number of uploaded files", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "253-452", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts.", "sectionID": "V14.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}], "name": "Securely automate build and deployment in pipeline"}, {"doctype": "CRE", "id": "114-853", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Equipment maintenance", "sectionID": "7.13"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MA-1", "name": "NIST 800-53 v5", "section": "MA-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Secure disposal or re-use of equipment", "sectionID": "7.14"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MA-2", "name": "NIST 800-53 v5", "section": "MA-2 Controlled Maintenance"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MA-3", "name": "NIST 800-53 v5", "section": "MA-3 Maintenance Tools"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MA-4", "name": "NIST 800-53 v5", "section": "MA-4 Nonlocal Maintenance"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MA-5", "name": "NIST 800-53 v5", "section": "MA-5 Maintenance Personnel"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MA-6", "name": "NIST 800-53 v5", "section": "MA-6 Timely Maintenance"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MA-7", "name": "NIST 800-53 v5", "section": "MA-7 Field Maintenance"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "157-587", "name": "Equipment management"}, "ltype": "Is Part Of"}], "name": "Maintenance"}, {"doctype": "CRE", "id": "344-611", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls.", "sectionID": "V1.1.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html", "name": "OWASP Proactive Controls", "section": "C10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/637.html", "name": "CWE", "section": "", "sectionID": "637"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Threat Modeling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", "name": 
"OWASP Cheat Sheets", "section": "Attack Surface Analysis Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Where appropriate, build in support for using standardized security features and services (e.g., enabling software to integrate with existing log management, identity management, access control, and vulnerability management systems) instead of creating proprietary implementations of security features and services.", "sectionID": "PW.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "708-355", "name": "Secure implemented architecture", "tags": ["Architecture"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "417-342", "name": "Provide reusable application security controls"}, "ltype": "Related"}], "name": "Use centralized reusable security controls", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "705-182", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that if the application is published under a domain name with other applications that set or use session cookies that might disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible.", "sectionID": "V3.4.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/16.html", "name": "CWE", "section": "", "sectionID": "16"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1.1"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that only POST is accepted where POST is expected.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java", "name": "ZAP Rule", "section": "GET for POST", "sectionID": "10058", "tags": ["Active", "10058"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. 
is configured to set the Permissions-Policy header instead of the Feature-Policy header.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java", "name": "ZAP Rule", "section": "Deprecated Feature Policy Header Set", "sectionID": "10063-2", "tags": ["10063-2", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "110-531", "name": "Cookie-config"}, "ltype": "Is Part Of"}], "name": "Set path attribute in cookie-based session tokens as precise as possible"}, {"doctype": "CRE", "id": "551-400", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify the application allows users to revoke OAuth tokens that form trust relationships with linked applications.", "sectionID": "V3.5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/290.html", "name": "CWE", "section": "", "sectionID": "290"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "JSON Web Token for Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/21.html", "name": "CAPEC", "section": "Exploitation of Trusted Identifiers", "sectionID": "21", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/459.html", "name": "CAPEC", "section": "Creating a Rogue Certification Authority Certificate", "sectionID": "459", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/461.html", "name": "CAPEC", "section": "Web Services API Signature Forgery Leveraging Hash Function Extension Weakness", "sectionID": "461", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/473.html", "name": "CAPEC", "section": "Signature Spoof", "sectionID": "473", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/476.html", "name": "CAPEC", "section": "Signature Spoofing by Misrepresentation", "sectionID": "476", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/667.html", "name": "CAPEC", "section": "Bluetooth Impersonation AttackS (BIAS)", "sectionID": "667", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": 
"Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "258-115", "name": "Re-authentication from federation or assertion"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Related"}], "name": "Allow user revocation of Oauth tokens"}, {"doctype": "CRE", "id": "746-705", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md", "name": "ASVS", "section": "Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis.", "sectionID": "V11.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/770.html", "name": "CWE", "section": "", "sectionID": "770"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-$$"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/125.html", "name": "CAPEC", "section": "Flooding", "sectionID": "125", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/130.html", "name": "CAPEC", "section": "Excessive Allocation", "sectionID": "130", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/147.html", "name": "CAPEC", 
"section": "XML Ping of the Death", "sectionID": "147", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/197.html", "name": "CAPEC", "section": "Exponential Data Expansion", "sectionID": "197", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/229.html", "name": "CAPEC", "section": "Serialized Data Parameter Blowup", "sectionID": "229", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", "sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/469.html", "name": "CAPEC", "section": "HTTP DoS", "sectionID": "469", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/482.html", "name": "CAPEC", "section": "TCP Flood", "sectionID": "482", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/486.html", "name": "CAPEC", "section": "UDP Flood", "sectionID": "486", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/487.html", "name": "CAPEC", "section": "ICMP Flood", "sectionID": "487", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/488.html", "name": "CAPEC", "section": "HTTP Flood", "sectionID": "488", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/489.html", "name": "CAPEC", "section": "SSL Flood", "sectionID": "489", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/490.html", "name": "CAPEC", "section": "Amplification", "sectionID": "490", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/491.html", "name": "CAPEC", "section": "Quadratic Data Expansion", "sectionID": "491", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/493.html", "name": "CAPEC", "section": "SOAP Array Blowup", "sectionID": "493", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/494.html", "name": "CAPEC", "section": "TCP Fragmentation", "sectionID": "494", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/495.html", "name": "CAPEC", "section": "UDP Fragmentation", "sectionID": "495", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/496.html", "name": "CAPEC", "section": "ICMP Fragmentation", "sectionID": "496", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/528.html", "name": "CAPEC", "section": "XML Flood", "sectionID": "528", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}], "name": "Limit/authorize user's access to functionality"}, {"doctype": "CRE", "id": "418-525", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that the application source code and third party libraries do not contain time bombs by searching for date and time related functions.", "sectionID": "V10.2.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/511.html", "name": "CWE", "section": "", "sectionID": "511"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-287", "name": "Dependency integrity"}, "ltype": "Is Part Of"}], "name": "Check source code and third party libraries to not contain timebombs"}, {"doctype": "CRE", "id": "146-556", "links": [{"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "576-042", "name": "Consistently apply authentication strength"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "278-413", "name": "Mutually authenticate application components. 
Minimize privileges", "tags": ["Architecture"]}, "ltype": "Contains"}], "name": "Authenticate consistently"}, {"doctype": "CRE", "id": "251-446", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities.", "sectionID": "PO.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "261-010", "name": "Program management for secure software development"}, "ltype": "Is Part Of"}], "name": "Organize stakeholder commitment for secure software development"}, {"doctype": "CRE", "id": "571-640", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-18", "name": "NIST 800-53 v5", "section": "PM-18 Privacy Program Plan"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-19", "name": "NIST 800-53 v5", "section": "PM-19 Privacy Program Leadership Role"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-20", "name": "NIST 800-53 v5", "section": "PM-20 Dissemination of Privacy Program Information"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-22", "name": "NIST 800-53 v5", "section": "PM-22 Personally Identifiable Information Quality Management"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-25", "name": "NIST 800-53 v5", "section": "PM-25 Minimization of Personally Identifiable 
Information Used in Testing, Training, and Research"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-27", "name": "NIST 800-53 v5", "section": "PM-27 Privacy Reporting"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-24", "name": "NIST 800-53 v5", "section": "PM-24 Data Integrity Board"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-1", "name": "NIST 800-53 v5", "section": "PT-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-2", "name": "NIST 800-53 v5", "section": "PT-2 Authority to Process Personally Identifiable Information"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-3", "name": "NIST 800-53 v5", "section": "PT-3 Personally Identifiable Information Processing Purposes"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-4", "name": "NIST 800-53 v5", "section": "PT-4 Consent"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-5", "name": "NIST 800-53 v5", "section": "PT-5 Privacy Notice"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-6", "name": "NIST 800-53 v5", "section": "PT-6 System of Records Notice"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-7", "name": "NIST 800-53 v5", "section": "PT-7 Specific Categories of Personally Identifiable Information"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-8", "name": "NIST 800-53 v5", "section": "PT-8 Computer Matching Requirements"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-21", "name": "NIST 800-53 v5", "section": "PM-21 Accounting of Disclosures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Data Security and Privacy Lifecycle Management", "sectionID": "DSP"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-18", "name": "NIST 800-53 v5", "section": "SI-18 Personally Identifiable Information Quality Operations"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-19", "name": "NIST 800-53 v5", "section": "SI-19 De-identification"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "287-823", "name": "Asset management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "362-550", "name": "Personal data handling"}, "ltype": "Related"}], "name": "Personal data handling management"}, {"doctype": "CRE", "id": "760-764", "links": 
[{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A03_2021-Injection/", "name": "OWASP Top 10 2021", "section": "Injection", "sectionID": "A03"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Christmas%20Special", "name": "OWASP Juice Shop", "section": "Christmas Special", "sectionID": "christmasSpecialChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Database%20Schema", "name": "OWASP Juice Shop", "section": "Database Schema", "sectionID": "dbSchemaChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Ephemeral%20Accountant", "name": "OWASP Juice Shop", "section": "Ephemeral Accountant", "sectionID": "ephemeralAccountantChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Login%20Admin", "name": "OWASP Juice Shop", "section": "Login Admin", "sectionID": "loginAdminChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Login%20Bender", "name": "OWASP Juice Shop", "section": "Login Bender", "sectionID": "loginBenderChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Login%20Jim", "name": "OWASP Juice Shop", "section": "Login Jim", "sectionID": "loginJimChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://demo.owasp-juice.shop//#/score-board?challenge=NoSQL%20DoS", "name": "OWASP Juice Shop", "section": "NoSQL DoS", "sectionID": "noSqlCommandChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=NoSQL%20Exfiltration", "name": "OWASP Juice Shop", "section": "NoSQL Exfiltration", "sectionID": "noSqlOrdersChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=NoSQL%20Manipulation", "name": "OWASP Juice Shop", "section": "NoSQL Manipulation", "sectionID": "noSqlReviewsChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=SSTi", "name": "OWASP Juice Shop", "section": "SSTi", "sectionID": "sstiChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=User%20Credentials", "name": "OWASP Juice Shop", "section": "User Credentials", "sectionID": "unionSqlInjectionChallenge", "tags": ["Injection"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-765", "name": "XSS protection", "tags": ["Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "384-344", "name": "Store and serve user-uploaded files such that they cannot execute/damage server or client", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": 
"866-553", "name": "Memory, String, and Unmanaged Code", "tags": ["Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "541-441", "name": "Validate HTTP request headers", "tags": ["Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "764-507", "name": "Restrict XML parsing (against XXE)", "tags": ["Configuration", "Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "048-612", "name": "Encode user input before logging", "tags": ["Injection protection"]}, "ltype": "Related"}], "name": "Injection protection", "tags": ["XSS protection"]}, {"doctype": "CRE", "id": "673-736", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that users are able to view and (having re-entered login credentials) log out of any or all currently active sessions and devices.", "sectionID": "V3.3.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/613.html", "name": "CWE", "section": "", "sectionID": "613"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-06"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "470-731", "name": "Minimize session life"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Related"}], "name": "Enable option to log out from all active session"}, {"doctype": "CRE", "id": "232-034", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that cookie-based session tokens use the \"__Host-\" prefix so cookies are only sent to the host that initially set the cookie.", "sectionID": "V3.4.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/16.html", "name": "CWE", "section": "", "sectionID": "16"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": 
"Standard", "name": "NIST 800-63", "section": "7.1.1"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that only POST is accepted where POST is expected.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java", "name": "ZAP Rule", "section": "GET for POST", "sectionID": "10058", "tags": ["Active", "10058"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header instead of the Feature-Policy header.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java", "name": "ZAP Rule", "section": "Deprecated Feature Policy Header Set", "sectionID": "10063-2", "tags": ["10063-2", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "110-531", "name": "Cookie-config"}, "ltype": "Is Part Of"}], "name": "Set '_Host' prefix for cookie-based session tokens"}, {"doctype": "CRE", "id": "341-076", "links": [{"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "333-888", "name": "Do not expose data through API URLs", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "186-540", "name": "Do not expose data through HTTP verb", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "217-112", "name": "Minimize the number of parameters in a request"}, "ltype": "Contains"}], "name": "Minimize communication"}, {"doctype": "CRE", "id": "732-873", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks.", "sectionID": "V5.3.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html", "name": "OWASP Proactive Controls", "section": "C3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/89.html", "name": "CWE", "section": "", "sectionID": "89"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-05"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": 
"Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat 
Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - MySQL", "sectionID": "40019", "tags": ["Active", "40019"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - Hypersonic SQL", "sectionID": "40020", "tags": ["Active", "40020"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - MsSQL", "sectionID": "40027", "tags": ["Active", "40027"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - SQLite", "sectionID": "40024", "tags": ["Active", "40024"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin/SQLInjectionScanRule.java", "name": "ZAP Rule", "section": "Advanced SQL Injection", "sectionID": "90018", "tags": ["Active", "90018"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - PostgreSQL", "sectionID": "40022", "tags": ["Active", "40022"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - Oracle", "sectionID": "40021", "tags": ["Active", "40021"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java", "name": "ZAP Rule", "section": "SQL Injection", "sectionID": "40018", "tags": ["Active", "40018"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/108.html", "name": "CAPEC", "section": "Command Line Execution through SQL Injection", "sectionID": "108", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/109.html", "name": "CAPEC", "section": "Object Relational Mapping Injection", "sectionID": "109", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/110.html", "name": "CAPEC", "section": "SQL Injection through SOAP Parameter Tampering", "sectionID": "110", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/470.html", "name": "CAPEC", "section": "Expanding Control over the Operating System from the Database", "sectionID": "470", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/66.html", "name": "CAPEC", "section": "SQL Injection", "sectionID": "66", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/7.html", "name": "CAPEC", "section": "Blind SQL Injection", "sectionID": "7", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Lock/precompile queries (parameterization) to avoid injection attacks"}, {"doctype": "CRE", "id": "467-784", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-22", "name": "NIST 800-53 v5", "section": "SC-22 Architecture and Provisioning for Name/address Resolution Service"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Security of network services", "sectionID": "8.21"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-7", "name": "NIST 800-53 v5", "section": "SC-7 Boundary Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Web filtering", "sectionID": "8.23"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "336-512", "name": "Ensure integrity of DNS entries and domains", "tags": ["Secure name/address resolution service"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "515-021", "name": "Sandbox, containerize and/or isolate applications at the network level", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "132-146", "name": "Apply defense-in-depth techniques/processes for protection, detection, and timely response to network-based attacks.", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "273-600", "name": "Segregate components of differing trust levels"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Related"}], "name": "Network security"}, {"doctype": "CRE", "id": "473-177", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-34", "name": "NIST 800-53 v5", "section": "SC-34 Non-modifiable Executable Programs"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/implementation/secure-build/stream-a", "name": "SAMM", "section": "Build Process", "sectionID": "I-SB-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Automated Secure Application Deployment", "sectionID": "AIS-06"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/implementation/secure-deployment/stream-a", "name": "SAMM", "section": "Deployment Process", "sectionID": "I-SD-A"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "307-507", "name": "Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "347-352", "name": "Set and confirm integrity of security deployment configuration"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "263-184", "name": "Automate secure build and deployment, especially with SDI"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "171-222", "name": "Check binary integrity before deployment"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "208-355", "name": "Ensure repeatability of deployment"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "028-254", "name": "Secure auto-updates over full stack"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "461-680", "name": "Securely archive builds and build information"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "253-452", "name": "Securely automate build and deployment in pipeline"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "314-131", "name": "Use features in compile and build tools for executable security"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "862-452", "name": "Operating processes for security"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "233-748", "name": "Configuration hardening", "tags": ["Configuration"]}, "ltype": "Related"}], "name": "Deploy/build"}, {"doctype": "CRE", 
"id": "653-242", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers, e-mail addresses, telephone numbers, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match).", "sectionID": "V5.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html", "name": "OWASP Proactive Controls", "section": "C5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/20.html", "name": "CWE", "section": "", "sectionID": "20"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-00"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Mass Assignment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java", "name": "ZAP Rule", "section": "Relative Path Confusion", "sectionID": "10051", 
"tags": ["Active", "10051"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "All forms must specify the action URL.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java", "name": "ZAP Rule", "section": "HTTP Parameter Override", "sectionID": "10026", "tags": ["Passive", "10026"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Properly sanitize the user input for parameter delimiters", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java", "name": "ZAP Rule", "section": "HTTP Parameter Pollution", "sectionID": "20014", "tags": ["Active", "20014"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java", "name": "ZAP Rule", "section": "Remote Code Execution - CVE-2012-1823", "sectionID": "20018", "tags": ["Active", "20018"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java", "name": "ZAP Rule", "section": "Source Code Disclosure - CVE-2012-1823", "sectionID": "20017", "tags": ["Active", "20017"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application.", "doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java", "name": "ZAP Rule", "section": "Httpoxy - Proxy Header Misuse", "sectionID": "10107", "tags": ["Active", "10107"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/10.html", "name": "CAPEC", "section": "Buffer Overflow via Environment Variables", "sectionID": "10", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/101.html", "name": "CAPEC", "section": "Server Side Include (SSI) Injection", "sectionID": "101", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/108.html", "name": "CAPEC", "section": "Command Line Execution through SQL Injection", "sectionID": "108", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/109.html", "name": "CAPEC", "section": "Object Relational Mapping Injection", "sectionID": "109", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/110.html", "name": "CAPEC", "section": "SQL Injection through SOAP Parameter Tampering", "sectionID": "110", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/120.html", "name": "CAPEC", "section": "Double Encoding", "sectionID": "120", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", 
"name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/135.html", "name": "CAPEC", "section": "Format String Injection", "sectionID": "135", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/136.html", "name": "CAPEC", "section": "LDAP Injection", "sectionID": "136", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/14.html", "name": "CAPEC", "section": "Client-side Injection-induced Buffer Overflow", "sectionID": "14", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/153.html", "name": "CAPEC", "section": "Input Data Manipulation", "sectionID": "153", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/182.html", "name": "CAPEC", "section": "Flash Injection", "sectionID": "182", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/209.html", "name": "CAPEC", "section": "XSS Using MIME Type Mismatch", "sectionID": "209", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/23.html", "name": "CAPEC", "section": "File Content Injection", "sectionID": "23", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data 
with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", "sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/24.html", "name": "CAPEC", "section": "Filter Failure through Buffer Overflow", "sectionID": "24", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/250.html", "name": "CAPEC", "section": "XML Injection", "sectionID": "250", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/261.html", "name": "CAPEC", "section": "Fuzzing for garnering other adjacent user/sensitive data", "sectionID": "261", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/267.html", "name": "CAPEC", "section": "Leverage Alternate Encoding", "sectionID": "267", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/28.html", "name": "CAPEC", "section": "Fuzzing", "sectionID": "28", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/3.html", "name": "CAPEC", "section": "Using Leading 'Ghost' Character Sequences to Bypass Input Filters", "sectionID": "3", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/42.html", 
"name": "CAPEC", "section": "MIME Conversion", "sectionID": "42", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/43.html", "name": "CAPEC", "section": "Exploiting Multiple Input Interpretation Layers", "sectionID": "43", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/46.html", "name": "CAPEC", "section": "Overflow Variables and Tags", "sectionID": "46", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/47.html", "name": "CAPEC", "section": "Buffer Overflow via Parameter Expansion", "sectionID": "47", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/473.html", "name": "CAPEC", "section": "Signature Spoof", "sectionID": "473", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/52.html", "name": "CAPEC", "section": "Embedding NULL Bytes", "sectionID": "52", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/53.html", "name": "CAPEC", "section": "Postfix, Null Terminate, and Backslash", "sectionID": "53", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/588.html", "name": "CAPEC", "section": "DOM-Based XSS", "sectionID": "588", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/63.html", "name": "CAPEC", "section": 
"Cross-Site Scripting (XSS)", "sectionID": "63", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/64.html", "name": "CAPEC", "section": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", "sectionID": "64", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/664.html", "name": "CAPEC", "section": "Server Side Request Forgery", "sectionID": "664", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/67.html", "name": "CAPEC", "section": "String Format Overflow in syslog()", "sectionID": "67", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/7.html", "name": "CAPEC", "section": "Blind SQL Injection", "sectionID": "7", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/71.html", "name": "CAPEC", "section": "Using Unicode Encoding to Bypass Validation Logic", "sectionID": "71", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/72.html", "name": "CAPEC", "section": "URL Encoding", "sectionID": "72", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/78.html", "name": "CAPEC", "section": "Using Escaped Slashes in Alternate Encoding", "sectionID": "78", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", 
"section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/8.html", "name": "CAPEC", "section": "Buffer Overflow in an API Call", "sectionID": "8", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/80.html", "name": "CAPEC", "section": "Using UTF-8 Encoding to Bypass Validation Logic", "sectionID": "80", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/83.html", "name": "CAPEC", "section": "XPath Injection", "sectionID": "83", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/88.html", "name": "CAPEC", "section": "OS Command Injection", "sectionID": "88", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/9.html", "name": "CAPEC", "section": "Buffer Overflow in Local Command-Line Utilities", "sectionID": "9", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Enforce schema on type/contents of structured data"}, {"doctype": "CRE", "id": "411-684", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Perform the code review and/or 
code analysis based on the organization\u2019s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team\u2019s workflow or issue tracking system.", "sectionID": "PW.7.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Determine whether code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in code, either in a fully automated way or in conjunction with a person) should be used, as defined by the organization.", "sectionID": "PW.7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Is Part Of"}], "name": "Manual code review"}, {"doctype": "CRE", "id": "789-320", "links": [{"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "630-577", "name": "Allow password helpers, including paste functionality"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "487-305", "name": "Provide options to view entire password or last typed character"}, "ltype": "Contains"}], "name": "Login functionality"}, {"doctype": "CRE", "id": "623-550", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-5", "name": "NIST 800-53 v5", "section": "SC-5 DENIAL-OF-SERVICE PROTECTION"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "132-146", "name": "Apply defense-in-depth techniques/processes for protection, detection, and timely response to network-based attacks.", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "630-573", "name": "Detect and protect against automation abuse", "tags": 
["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "163-518", "name": "Check uploaded archives for decompression attacks (eg zip bombs)", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "463-820", "name": "Limit size and number of uploaded files", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "660-052", "name": "Validate max input/file sizes", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "176-154", "name": "Monitor expectation of usage intensity (e.g. number of requests)", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "268-088", "name": "Limit query impact GraphQL/data layer expression DoS", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "854-643", "name": "Robust business logic", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "725-682", "name": "Enable configurable alert against usage anomalies", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "456-535", "name": "Monitor for realistic \"human time\" business logic flows", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "418-853", "name": "Monitor unusual activities on system", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "267-031", "name": "Protect the availability of resources by providing more to higher-priority processes", "tags": ["Denial Of Service protection"]}, "ltype": "Related"}], "name": "Denial Of Service protection"}, {"doctype": "CRE", "id": "520-617", "links": [{"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}, 
{"document": {"doctype": "CRE", "id": "543-621", "name": "Do not reveal the current password during password recovery"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "772-358", "name": "Do not use password hints or secret questions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "358-860", "name": "Require proof of identity of the same level as during enrollment when recovering OTP or MFA"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "270-634", "name": "Send authentication secrets encrypted"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "581-525", "name": "Use secure recovery mechanisms for forgotten passwords"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "235-658", "name": "Notify user about credential change"}, "ltype": "Related"}], "name": "Credential recovery"}, {"doctype": "CRE", "id": "067-050", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that the application does not log credentials or payment details. 
Session tokens should only be stored in logs in an irreversible, hashed form.", "sectionID": "V7.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/532.html", "name": "CWE", "section": "", "sectionID": "532"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CONF-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/215.html", "name": "CAPEC", "section": "Fuzzing for application mapping", "sectionID": "215", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "843-841", "name": "Log discretely"}, "ltype": "Is Part Of"}], "name": "Do not log credentials or payment details"}, {"doctype": "CRE", "id": "808-425", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, logging in from unknown or risky locations. 
The use of push notifications - rather than SMS or email - is preferred, but in the absence of push notifications, SMS or email is acceptable as long as no sensitive information is disclosed in the notification.", "sectionID": "V2.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/620.html", "name": "CWE", "section": "", "sectionID": "620"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authentication Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Related"}], "name": "Notify users about anomalies in their usage patterns"}, {"doctype": "CRE", "id": "247-250", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-1", "name": "NIST 800-53 v5", "section": "AC-1 POLICY AND PROCEDURES"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Access control", "sectionID": "5.15"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-10", "name": "NIST 800-53 v5", "section": "PM-10 Authorization Process"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Identity & Access Management", "sectionID": "IAM"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Access rights", "sectionID": "5.18"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-20", "name": "NIST 800-53 v5", "section": "AC-20 Use of External Systems"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Identity management", "sectionID": "5.16"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-21", "name": "NIST 800-53 v5", "section": "AC-21 Information Sharing"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Segregation of duties", "sectionID": "5.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-22", "name": "NIST 800-53 v5", "section": "AC-22 Publicly Accessible Content"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-23", "name": "NIST 800-53 v5", "section": "AC-23 Data Mining Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-4", "name": "NIST 800-53 v5", "section": "AC-4 Information Flow Enforcement"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information access restriction", "sectionID": "8.3"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "013-021", "name": "Roles and responsibilities"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "623-347", "name": "Disallow shared high privileged accounts"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "862-452", "name": "Operating processes for security"}, "ltype": "Is Part Of"}], "name": "Access control processes"}, {"doctype": "CRE", "id": "547-283", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks.", "sectionID": "V5.3.9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/829.html", "name": "CWE", "section": "", "sectionID": "829"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-11"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based 
XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Please upgrade to the latest version of ExampleLibrary.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java", "name": "ZAP Rule", "section": "Vulnerable JS Library", "sectionID": "10003", "tags": ["Passive", "10003"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java", "name": "ZAP Rule", 
"section": "Cross-Domain JavaScript Source File Inclusion", "sectionID": "10017", "tags": ["10017", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/175.html", "name": "CAPEC", "section": "Code Inclusion", "sectionID": "175", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/201.html", "name": "CAPEC", "section": "Serialized Data External Linking", "sectionID": "201", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/228.html", "name": "CAPEC", "section": "DTD Injection", "sectionID": "228", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/251.html", "name": "CAPEC", "section": "Local Code Inclusion", "sectionID": "251", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/252.html", "name": "CAPEC", "section": "PHP Local File Inclusion", "sectionID": "252", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/253.html", "name": "CAPEC", "section": "Remote Code Inclusion", "sectionID": "253", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/263.html", "name": "CAPEC", "section": "Force Use of Corrupted Files", "sectionID": "263", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/538.html", "name": "CAPEC", "section": "Open-Source Library Manipulation", "sectionID": "538", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/549.html", "name": 
"CAPEC", "section": "Local Execution of Code", "sectionID": "549", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/640.html", "name": "CAPEC", "section": "Inclusion of Code in Existing Process", "sectionID": "640", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/660.html", "name": "CAPEC", "section": "Root/Jailbreak Detection Evasion via Hooking", "sectionID": "660", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/695.html", "name": "CAPEC", "section": "Repo Jacking", "sectionID": "695", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/698.html", "name": "CAPEC", "section": "Install Malicious Extension", "sectionID": "698", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Protect against LFI / RFI"}, {"doctype": "CRE", "id": "863-521", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that a Software Bill of Materials (SBOM) is maintained of all third party libraries in use.", "sectionID": "V14.2.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html", "name": "OWASP Proactive Controls", "section": "C2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat 
Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Vulnerable Dependency Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).", "sectionID": "PS.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-286", "name": "Dependency management"}, "ltype": "Is Part Of"}], "name": "Maintain/manage inventory of third party components"}, {"doctype": "CRE", "id": "527-034", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify the application encrypts communications between components, particularly when these components are in different containers, systems, sites, or cloud providers.", "sectionID": "V1.9.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html", "name": "OWASP Proactive Controls", "section": "C3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/319.html", "name": "CWE", "section": "", "sectionID": "319"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher 
String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/117.html", "name": "CAPEC", "section": "Interception", "sectionID": "117", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/477.html", "name": "CAPEC", "section": "Signature Spoofing by Mixing Signed and Unsigned Content", "sectionID": "477", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/65.html", "name": "CAPEC", "section": "Sniff Application Code", "sectionID": "65", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "435-702", "name": "Communication encryption", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Protect communication between application components", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "307-242", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-1", "name": "NIST 800-53 v5", "section": "RA-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/design/threat-assessment/stream-a", "name": "SAMM", "section": "Application risk profile", "sectionID": "D-TA-A"}, "ltype": "Linked To"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-2", "name": "NIST 800-53 v5", "section": "RA-2 Security Categorization"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-3", "name": "NIST 800-53 v5", "section": "RA-3 Risk Assessment"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-5", "name": "NIST 800-53 v5", "section": "RA-5 Vulnerability Monitoring and Scanning"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-6", "name": "NIST 800-53 v5", "section": "RA-6 Technical Surveillance Countermeasures Survey"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-7", "name": "NIST 800-53 v5", "section": "RA-7 Risk Response"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-8", "name": "NIST 800-53 v5", "section": "RA-8 Privacy Impact Assessments"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-9", "name": "NIST 800-53 v5", "section": "RA-9 Criticality Analysis"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-11", "name": "NIST 800-53 v5", "section": "PM-11 Mission and Business Process Definition"}, 
"ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-28", "name": "NIST 800-53 v5", "section": "PM-28 Risk Framing"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-8", "name": "NIST 800-53 v5", "section": "PM-8 Critical Infrastructure Plan"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-9", "name": "NIST 800-53 v5", "section": "PM-9 Risk Management Strategy"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "888-770", "name": "Threat intelligence - stay up to date with new threats and consider them"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "068-102", "name": "Describe high-level system architecture and perform threat modeling on it every critical change and regularly"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "766-162", "name": "Security Analysis and documentation"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "660-867", "name": "Implement business logic limits against identified business risks"}, "ltype": "Related"}], "name": "Security risk assessment"}, {"doctype": "CRE", "id": "278-646", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-11", "name": "NIST 800-53 v5", "section": "SC-11 Trusted Path"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-16", "name": "NIST 800-53 v5", 
"section": "SC-16 Transmission of Security and Privacy Attributes"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-8", "name": "NIST 800-53 v5", "section": "SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-17", "name": "NIST 800-53 v5", "section": "AC-17 Remote Access"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-18", "name": "NIST 800-53 v5", "section": "AC-18 Wireless Access"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-3", "name": "NIST 800-53 v5", "section": "CA-3 Information Exchange"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-9", "name": "NIST 800-53 v5", "section": "CA-9 Internal System Connections"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "467-784", "name": "Network security"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "634-733", "name": "Communication authentication"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "435-702", "name": "Communication encryption", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "341-076", "name": "Minimize communication"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": 
["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "683-036", "name": "Wireless link protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "270-634", "name": "Send authentication secrets encrypted"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "036-147", "name": "Configure HSTS configuration properly"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "456-636", "name": "Add integrity check to SOAP payload"}, "ltype": "Related"}], "name": "Secure communication"}, {"doctype": "CRE", "id": "435-702", "links": [{"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "527-034", "name": "Protect communication between application components", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "426-842", "name": "Verify the authenticity of both headers and payload", "tags": ["Cryptography"]}, "ltype": "Contains"}], "name": "Communication encryption", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "727-043", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that session tokens are generated using approved cryptographic algorithms.", "sectionID": "V3.2.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/331.html", "name": "CWE", "section": "", "sectionID": "331"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "716-526", "name": "Session token generation"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Ensure secure algorithms for generating session tokens", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "118-110", "links": [{"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "061-186", "name": "Force uniform encoders and parsers throughout system", "tags": ["SSRF protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "532-878", "name": "Limit REST HTTP methods"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "377-680", "name": "Reject non-whitelisted content types"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "612-252", "name": "Separate GraphQL (or similar) authorization logic from data layer", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "071-288", "name": "RESTful"}, "ltype": 
"Contains"}, {"document": {"doctype": "CRE", "id": "080-373", "name": "SOAP"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "630-573", "name": "Detect and protect against automation abuse", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}], "name": "API/web services"}, {"doctype": "CRE", "id": "838-636", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered.", "sectionID": "V10.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/507.html", "name": "CWE", "section": "", "sectionID": "507"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/698.html", "name": "CAPEC", "section": "Install Malicious Extension", "sectionID": "698", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "613-287", "name": "Dependency integrity"}, "ltype": "Is Part Of"}], "name": "Check source code and third party libraries to not contain backdoors"}, {"doctype": "CRE", "id": "513-845", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that lookup secrets are resistant to offline attacks, such as predictable values.", "sectionID": "V2.6.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/310.html", "name": "CWE", "section": "", "sectionID": "310"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use unpredictable multi-factor lookup secrets"}, {"doctype": "CRE", "id": "036-725", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that every HTTP response contains a Content-Type header. Also specify a safe character set (e.g., UTF-8, ISO-8859-1) if the content types are text/*, /+xml and application/xml. Content must match with the provided Content-Type header.", "sectionID": "V14.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/173.html", "name": "CWE", "section": "", "sectionID": "173"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Content Security Policy Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/120.html", "name": "CAPEC", "section": "Double Encoding", "sectionID": "120", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/267.html", "name": "CAPEC", "section": "Leverage Alternate Encoding", "sectionID": "267", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/3.html", "name": "CAPEC", "section": "Using Leading 'Ghost' Character Sequences to Bypass Input Filters", "sectionID": "3", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/4.html", "name": 
"CAPEC", "section": "Using Alternative IP Address Encodings", "sectionID": "4", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/52.html", "name": "CAPEC", "section": "Embedding NULL Bytes", "sectionID": "52", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/53.html", "name": "CAPEC", "section": "Postfix, Null Terminate, and Backslash", "sectionID": "53", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/64.html", "name": "CAPEC", "section": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", "sectionID": "64", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/71.html", "name": "CAPEC", "section": "Using Unicode Encoding to Bypass Validation Logic", "sectionID": "71", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/72.html", "name": "CAPEC", "section": "URL Encoding", "sectionID": "72", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/78.html", "name": "CAPEC", "section": "Using Escaped Slashes in Alternate Encoding", "sectionID": "78", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/80.html", "name": "CAPEC", "section": "Using UTF-8 Encoding to Bypass Validation Logic", "sectionID": "80", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "636-347", 
"name": "HTTP security headers"}, "ltype": "Is Part Of"}], "name": "Set content HTTP response type"}, {"doctype": "CRE", "id": "470-731", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-11", "name": "NIST 800-53 v5", "section": "AC-11 DEVICE LOCK"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-12", "name": "NIST 800-53 v5", "section": "AC-12 SESSION TERMINATION"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-10", "name": "NIST 800-53 v5", "section": "SC-10 NETWORK DISCONNECT"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "673-736", "name": "Enable option to log out from all active session"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "065-782", "name": "Ensure session timeout (soft/hard)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "238-346", "name": "Terminate all sessions when password is changed"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "457-165", "name": "Terminate session after logout"}, "ltype": "Contains"}], "name": "Minimize session life"}, {"doctype": "CRE", "id": "148-227", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-45", "name": "NIST 800-53 v5", "section": "SC-45 System Time Synchronization"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Clock synchronization", "sectionID": "8.17"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-49", "name": "NIST 800-53 v5", "section": "SC-49 Hardware-enforced Separation and Policy Enforcement"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Remote working", "sectionID": "6.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-51", "name": "NIST 800-53 v5", "section": "SC-51 Hardware-based Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "User end point devices", "sectionID": "8.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-25", "name": "NIST 800-53 v5", "section": "SC-25 Thin Nodes"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-2", "name": "NIST 800-53 v5", "section": "PL-2 System Security and Privacy Plans"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Universal Endpoint Management", "sectionID": "UEM"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Installation of software on operational systems", "sectionID": "8.19"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-8", "name": "NIST 800-53 v5", "section": "SI-8 Spam Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "286-500", "name": "OS security"}, "ltype": 
"Contains"}, {"document": {"doctype": "CRE", "id": "007-274", "name": "Patching and updating system components"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "872-574", "name": "Virus/malware protection"}, "ltype": "Contains"}], "name": "Endpoint management"}, {"doctype": "CRE", "id": "257-668", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities.", "sectionID": "V14.4.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1021.html", "name": "CWE", "section": "", "sectionID": "1021"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Content Security Policy Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Ensure X-Frame-Options is set via a response header field. 
Alternatively consider implementing Content Security Policy's 'frame-ancestors' directive.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java", "name": "ZAP Rule", "section": "X-Frame-Options Defined via META (Non-compliant with Spec)", "sectionID": "10020-3", "tags": ["10020-3", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's 'frame-ancestors' directive.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java", "name": "ZAP Rule", "section": "X-Frame-Options Setting Malformed", "sectionID": "10020-4", "tags": ["10020-4", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java", "name": "ZAP Rule", "section": "Missing Anti-clickjacking Header", "sectionID": "10020-1", "tags": ["10020-1", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure only a single X-Frame-Options header is present in the response.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java", "name": "ZAP Rule", "section": "Multiple X-Frame-Options Header Entries", "sectionID": "10020-2", 
"tags": ["Passive", "10020-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/103.html", "name": "CAPEC", "section": "Clickjacking", "sectionID": "103", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/181.html", "name": "CAPEC", "section": "Flash File Overlay", "sectionID": "181", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/222.html", "name": "CAPEC", "section": "iFrame Overlay", "sectionID": "222", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/504.html", "name": "CAPEC", "section": "Task Impersonation", "sectionID": "504", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/506.html", "name": "CAPEC", "section": "Tapjacking", "sectionID": "506", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/587.html", "name": "CAPEC", "section": "Cross Frame Scripting (XFS)", "sectionID": "587", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/654.html", "name": "CAPEC", "section": "Credential Prompt Impersonation", "sectionID": "654", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-765", "name": "XSS protection", "tags": ["Injection protection"]}, "ltype": "Related"}], "name": "Configure CSP configuration properly", "tags": ["XSS protection"]}, {"doctype": "CRE", "id": "612-252", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer.", "sectionID": "V13.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/285.html", "name": "CWE", "section": "", "sectionID": "285"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": "Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/402.html", "name": "CAPEC", "section": "Bypassing ATA Password Security", "sectionID": "402", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/51.html", "name": "CAPEC", "section": "Poison Web Service Registry", "sectionID": "51", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/647.html", "name": "CAPEC", "section": "Collect Data from Registries", "sectionID": "647", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/668.html", "name": "CAPEC", "section": "Key Negotiation of Bluetooth Attack (KNOB)", "sectionID": "668", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/87.html", "name": "CAPEC", "section": "Forceful 
Browsing", "sectionID": "87", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "118-110", "name": "API/web services"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}], "name": "Separate GraphQL (or similar) authorization logic from data layer", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "010-308", "links": [{"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Admin%20Registration", "name": "OWASP Juice Shop", "section": "Admin Registration", "sectionID": "registerAdminChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Empty%20User%20Registration", "name": "OWASP Juice Shop", "section": "Empty User Registration", "sectionID": "emptyUserRegistration", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Expired%20Coupon", "name": "OWASP Juice Shop", "section": "Expired Coupon", "sectionID": "manipulateClockChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Payback%20Time", "name": "OWASP Juice Shop", "section": "Payback Time", "sectionID": "negativeOrderChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Repetitive%20Registration", "name": "OWASP Juice Shop", "section": "Repetitive Registration", "sectionID": "passwordRepeatChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://demo.owasp-juice.shop//#/score-board?challenge=Upload%20Size", "name": "OWASP Juice Shop", "section": "Upload Size", "sectionID": "uploadSizeChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Upload%20Type", "name": "OWASP Juice Shop", "section": "Upload Type", "sectionID": "uploadTypeChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Zero%20Stars", "name": "OWASP Juice Shop", "section": "Zero Stars", "sectionID": "zeroStarsChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Missing%20Encoding", "name": "OWASP Juice Shop", "section": "Missing Encoding", "sectionID": "missingEncodingChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Deluxe%20Fraud", "name": "OWASP Juice Shop", "section": "Deluxe Fraud", "sectionID": "freeDeluxeChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Poison%20Null%20Byte", "name": "OWASP Juice Shop", "section": "Poison Null Byte", "sectionID": "nullByteChallenge", "tags": ["Improper Input Validation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-765", "name": "XSS protection", "tags": ["Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": 
"760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "848-711", "name": "Enforce input validation on a trusted service layer", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "653-242", "name": "Enforce schema on type/contents of structured data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "176-154", "name": "Monitor expectation of usage intensity (e.g. number of requests)", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "042-550", "name": "Protect against mass parameter assignment attack"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "743-237", "name": "Validatie/enforce HTTP inputs (against HTTP parameter pollution attacks)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "031-447", "name": "Whitelist all external (HTTP) input"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "232-217", "name": "Whitelist redirected/forwarded URLs"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "146-706", "name": "Enforce JSON schema before processing"}, "ltype": "Contains"}], "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, {"doctype": "CRE", "id": "263-184", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of the application, particularly if the application infrastructure is software defined, such as cloud environment build scripts.", "sectionID": "V1.14.4"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}], "name": "Automate secure build and deployment, especially with SDI"}, {"doctype": "CRE", "id": "027-555", 
"links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that user set passwords are at least 12 characters in length (after multiple spaces are combined).", "sectionID": "V2.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials 
directives"}, "ltype": "Is Part Of"}], "name": "Enforce user passwords are of sufficient minimum length"}, {"doctype": "CRE", "id": "736-554", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection.", "sectionID": "V1.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/502.html", "name": "CWE", "section": "", "sectionID": "502"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Deserialization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Deserialization of untrusted data is inherently dangerous and should be avoided.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java", "name": "ZAP Rule", "section": "Java Serialization Object", "sectionID": "90002", "tags": ["90002", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/586.html", "name": "CAPEC", "section": "Object Injection", "sectionID": "586", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "836-068", "name": "Deserialization 
Prevention"}, "ltype": "Is Part Of"}], "name": "Block serialization of content from untrusted clients"}, {"doctype": "CRE", "id": "184-284", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures and input validation failures.", "sectionID": "V7.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/778.html", "name": "CWE", "section": "", "sectionID": "778"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "402-706", "name": "Log relevant"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "836-068", "name": "Deserialization Prevention"}, "ltype": "Related"}], "name": "Log all security relevant events"}, {"doctype": "CRE", "id": "681-823", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that time-based OTPs have a defined lifetime before expiring.", "sectionID": "V2.8.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/613.html", "name": "CWE", "section": "", "sectionID": "613"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, 
"ltype": "Is Part Of"}], "name": "Defined lifetime of time-based one-time password"}, {"doctype": "CRE", "id": "387-848", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON.", "sectionID": "V5.5.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/95.html", "name": "CWE", "section": "", "sectionID": "95"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Deserialization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/35.html", "name": "CAPEC", "section": "Leverage Executable Code in Non-Executable Files", "sectionID": "35", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "836-068", 
"name": "Deserialization Prevention"}, "ltype": "Is Part Of"}], "name": "Parse JSON safely"}, {"doctype": "CRE", "id": "155-155", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A04_2021-Insecure_Design/", "name": "OWASP Top 10 2021", "section": "Insecure Design", "sectionID": "A04"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "326-704", "name": "Architecture/design processes", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "708-355", "name": "Secure implemented architecture", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "820-878", "name": "Document all trust boundaries and significant data flows", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "344-611", "name": "Use centralized reusable security controls", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "515-021", "name": "Sandbox, containerize and/or isolate applications at the network level", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "113-133", "name": "Use centralized authentication mechanism", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "278-413", "name": "Mutually authenticate application components. 
Minimize privileges", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "612-252", "name": "Separate GraphQL (or similar) authorization logic from data layer", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "848-711", "name": "Enforce input validation on a trusted service layer", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "117-371", "name": "Use a centralized access control mechanism", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "640-364", "name": "Enforce access control on trusted parts/serverside", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "650-560", "name": "Enforce access control on trusted service layer", "tags": ["Architecture"]}, "ltype": "Related"}], "name": "Architecture"}, {"doctype": "CRE", "id": "605-735", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md", "name": "ASVS", "section": "Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated.", "sectionID": "V9.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/287.html", "name": "CWE", "section": "", "sectionID": "287"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/114.html", "name": "CAPEC", "section": "Authentication Abuse", "sectionID": "114", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/115.html", "name": "CAPEC", "section": "Authentication Bypass", "sectionID": "115", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/151.html", "name": "CAPEC", 
"section": "Identity Spoofing", "sectionID": "151", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/194.html", "name": "CAPEC", "section": "Fake the Source of Data", "sectionID": "194", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/57.html", "name": "CAPEC", "section": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", "sectionID": "57", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/593.html", "name": "CAPEC", "section": "Session Hijacking", "sectionID": "593", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/633.html", "name": "CAPEC", "section": "Token Impersonation", "sectionID": "633", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/650.html", "name": "CAPEC", "section": "Upload a Web Shell to a Web Server", "sectionID": "650", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": "Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "634-733", "name": "Communication authentication"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Authenticate all external connections", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "764-507", "links": [{"document": 
{"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks.", "sectionID": "V5.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/611.html", "name": "CWE", "section": "", "sectionID": "611"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Deserialization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "TBA", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XxeScanRule.java", "name": "ZAP Rule", "section": "XML External Entity Attack", "sectionID": "90023", "tags": ["Active", "90023"], "tooltype": 
"Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/221.html", "name": "CAPEC", "section": "Data Serialization External Entities Blowup", "sectionID": "221", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}], "name": "Restrict XML parsing (against XXE)", "tags": ["Configuration", "Injection protection"]}, {"doctype": "CRE", "id": "103-707", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that any printable Unicode character, including language neutral characters such as spaces and Emojis are permitted in passwords.", "sectionID": "V2.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with 
Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials directives"}, "ltype": "Is Part Of"}], "name": "Allow unicode in passwords"}, {"doctype": "CRE", "id": "102-811", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that the out of band authenticator and verifier communicates over a secure independent channel.", "sectionID": "V2.7.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/523.html", "name": "CWE", "section": "", "sectionID": "523"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Communicate out of band multi factor authentication requests, codes or tokens independently and securely"}, {"doctype": 
"CRE", "id": "866-553", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-16", "name": "NIST 800-53 v5", "section": "SI-16 Memory Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Privacy%20Policy", "name": "OWASP Juice Shop", "section": "Privacy Policy", "sectionID": "privacyPolicyChallenge", "tags": ["Miscellaneous"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Score%20Board", "name": "OWASP Juice Shop", "section": "Score Board", "sectionID": "scoreBoardChallenge", "tags": ["Miscellaneous"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Security%20Policy", "name": "OWASP Juice Shop", "section": "Security Policy", "sectionID": "securityPolicyChallenge", "tags": ["Miscellaneous"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Bully%20Chatbot", "name": "OWASP Juice Shop", "section": "Bully Chatbot", "sectionID": "bullyChatbotChallenge", "tags": ["Miscellaneous"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Mass%20Dispel", "name": "OWASP Juice Shop", "section": "Mass Dispel", "sectionID": "closeNotificationsChallenge", "tags": ["Miscellaneous"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "482-771", 
"name": "Check boundaries against integer overflow weaknesses"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "824-732", "name": "Force format strings as constants"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "831-570", "name": "Use memory-safe functions exclusively"}, "ltype": "Contains"}], "name": "Memory, String, and Unmanaged Code", "tags": ["Injection protection"]}, {"doctype": "CRE", "id": "646-462", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar.", "sectionID": "V5.2.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/94.html", "name": "CWE", "section": "", "sectionID": "94"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/05-Testing_for_CSS_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-05"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Instead of inserting the user input in the template, use it as rendering argument.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java", "name": "ZAP Rule", "section": "Server Side Template Injection", "sectionID": "90035", "tags": ["Active", "90035"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. 
See also: https://elmah.github.io/a/securing-error-log-pages/", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRule.java", "name": "ZAP Rule", "section": "ELMAH Information Leak", "sectionID": "40028", "tags": ["Active", "40028"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java", "name": "ZAP Rule", "section": "Server Side Code Injection - ASP Code Injection", "sectionID": "90019-2", "tags": ["Active", "90019-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java", "name": "ZAP Rule", "section": "Server Side Code Injection - PHP Code Injection", "sectionID": "90019-1", "tags": ["Active", "90019-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure the .htaccess file is not accessible.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRule.java", "name": "ZAP Rule", "section": ".htaccess Information Leak", "sectionID": "40032", "tags": ["Active", "40032"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/242.html", "name": "CAPEC", "section": "Code Injection", "sectionID": "242", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/35.html", "name": "CAPEC", "section": "Leverage Executable Code in Non-Executable Files", "sectionID": "35", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Sanitize, disable, or sandbox untrusted scriptable or template language content"}, {"doctype": "CRE", "id": "132-146", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Network Defense", "sectionID": "IVS-09"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "467-784", "name": "Network security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Related"}], "name": "Apply defense-in-depth techniques/processes for protection, detection, and timely response to network-based attacks.", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "854-643", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Data masking", "sectionID": "8.11"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Data leakage prevention", "sectionID": "8.12"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "552-588", "name": "Detect and prevent unusual activity"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "356-282", "name": "Minimize sensitive data scattering and retention"}, "ltype": 
"Contains"}, {"document": {"doctype": "CRE", "id": "601-182", "name": "Parallel execution robustness"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "447-083", "name": "Privacy-preserving personal data logic"}, "ltype": "Contains"}], "name": "Robust business logic", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "646-227", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that if a time-based multi-factor OTP token is re-used during the validity period, it is logged and rejected with secure notifications being sent to the holder of the device.", "sectionID": "V2.8.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/287.html", "name": "CWE", "section": "", "sectionID": "287"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/114.html", "name": "CAPEC", "section": "Authentication Abuse", "sectionID": "114", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/115.html", "name": "CAPEC", "section": "Authentication Bypass", "sectionID": "115", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/151.html", "name": "CAPEC", "section": "Identity Spoofing", "sectionID": "151", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/194.html", "name": "CAPEC", "section": "Fake the Source of Data", "sectionID": "194", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": 
"CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/57.html", "name": "CAPEC", "section": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", "sectionID": "57", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/593.html", "name": "CAPEC", "section": "Session Hijacking", "sectionID": "593", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/633.html", "name": "CAPEC", "section": "Token Impersonation", "sectionID": "633", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/650.html", "name": "CAPEC", "section": "Upload a Web Shell to a Web Server", "sectionID": "650", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": "Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Log and reject re-use of valid time-based OTP tokens and notify device holder."}, {"doctype": "CRE", "id": "786-224", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party.", "sectionID": "V6.2.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/326.html", "name": "CWE", "section": "", "sectionID": 
"326"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Protect the connection using HTTPS or use a stronger authentication mechanism", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java", "name": "ZAP Rule", "section": "Weak Authentication Method", "sectionID": "10105", "tags": ["Passive", "10105"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/192.html", "name": "CAPEC", "section": "Protocol Analysis", "sectionID": "192", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", 
"tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Authenticate encrypted data"}, {"doctype": "CRE", "id": "172-101", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-21", "name": "NIST 800-53 v5", "section": "SA-21 Developer Screening"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-1", "name": "NIST 800-53 v5", "section": "PS-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Management responsibilities", "sectionID": "5.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-2", "name": "NIST 800-53 v5", "section": "PS-2 Position Risk Designation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-3", "name": "NIST 800-53 v5", "section": "PS-3 Personnel Screening"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Screening", "sectionID": "6.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-4", "name": "NIST 800-53 v5", "section": "PS-4 Personnel Termination"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Responsibilities after termination or change of employment", "sectionID": "6.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-5", "name": "NIST 800-53 v5", 
"section": "PS-5 Personnel Transfer"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Return of assets", "sectionID": "5.11"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-6", "name": "NIST 800-53 v5", "section": "PS-6 Access Agreements"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Confidentiality or non-disclosure agreements", "sectionID": "6.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-7", "name": "NIST 800-53 v5", "section": "PS-7 External Personnel Security"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-8", "name": "NIST 800-53 v5", "section": "PS-8 Personnel Sanctions"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Disciplinary process", "sectionID": "6.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PS-9", "name": "NIST 800-53 v5", "section": "PS-9 Position Descriptions"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Terms and conditions of employment", "sectionID": "6.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "427-113", "name": "Security governance regarding people"}, "ltype": "Is Part Of"}], "name": "Personnel security"}, {"doctype": "CRE", "id": "762-451", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that 
users have a method to remove or export their data on demand.", "sectionID": "V8.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/212.html", "name": "CWE", "section": "", "sectionID": "212"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/168.html", "name": "CAPEC", "section": "Windows ::DATA Alternate Data Stream", "sectionID": "168", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "447-083", "name": "Privacy-preserving personal data logic"}, "ltype": "Is Part Of"}], "name": "Ensure users can remove or export their data"}, {"doctype": "CRE", "id": "483-715", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that the application server only accepts the HTTP methods in use by the application/API, including pre-flight OPTIONS, and logs/alerts on any requests that are not valid for the application context.", "sectionID": "V14.5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/749.html", "name": "CWE", "section": "", "sectionID": "749"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CONF-06"}, "ltype": "Linked To"}, {"document": {"description": "See the references for security advice on the use of these functions.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java", "name": "ZAP Rule", "section": "Dangerous JS Functions", 
"sectionID": "10110", "tags": ["Passive", "10110"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/500.html", "name": "CAPEC", "section": "WebView Injection", "sectionID": "500", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "541-441", "name": "Validate HTTP request headers", "tags": ["Injection protection"]}, "ltype": "Is Part Of"}], "name": "White-list HTTP methods"}, {"doctype": "CRE", "id": "617-524", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that data stored in browser storage (such as localStorage, sessionStorage, IndexedDB, or cookies) does not contain sensitive data.", "sectionID": "V8.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/922.html", "name": "CWE", "section": "", "sectionID": "922"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-12"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "208-830", "name": "Manage temporary storage"}, "ltype": "Is Part Of"}], "name": "Do not store sensitive data on client (browser) storage"}, {"doctype": "CRE", "id": "244-750", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-16", "name": "NIST 800-53 v5", "section": "SA-16 Developer-provided Training"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/governance/education-and-guidance/stream-a", "name": "SAMM", "section": 
"Training and Awareness", "sectionID": "G-EG-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed.", "sectionID": "PO.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "428-544", "name": "Security awareness training"}, "ltype": "Related"}], "name": "Technical application security training"}, {"doctype": "CRE", "id": "333-888", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify API URLs do not expose sensitive information, such as the API key, session tokens etc.", "sectionID": "V13.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/598.html", "name": "CWE", "section": "", "sectionID": "598"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Web Service Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery 
Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "341-076", "name": "Minimize communication"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}], "name": "Do not expose data through API URLs", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "347-352", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering.", "sectionID": "V14.1.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}], "name": "Set and confirm integrity of security deployment configuration"}, {"doctype": "CRE", "id": "424-242", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/operations/operational-management/stream-b", "name": "SAMM", "section": "System Decommissioning / Legacy Management", "sectionID": "O-OM-B"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Related"}], "name": "Decommissioning"}, {"doctype": "CRE", "id": "134-412", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md", "name": "ASVS", "section": "Verify that the application does not suffer from \"Time Of Check to Time Of Use\" (TOCTOU) issues or other race conditions for sensitive operations.", 
"sectionID": "V11.1.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/367.html", "name": "CWE", "section": "", "sectionID": "367"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/27.html", "name": "CAPEC", "section": "Leveraging Race Conditions via Symbolic Links", "sectionID": "27", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/29.html", "name": "CAPEC", "section": "Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions", "sectionID": "29", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "601-182", "name": "Parallel execution robustness"}, "ltype": "Is Part Of"}], "name": "Protect sensitive functionalities against race conditions"}, {"doctype": "CRE", "id": "162-655", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify the definition and documentation of all application components in terms of the business or security functions they provide.", "sectionID": "V1.11.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1059.html", "name": "CWE", "section": "", "sectionID": "1059"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "820-877", "name": "Technical system documentation"}, "ltype": "Is 
Part Of"}], "name": "Documentation of all components' business or security function"}, {"doctype": "CRE", "id": "088-377", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team\u2019s workflow or issue tracking system.", "sectionID": "PW.8.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "207-435", "name": "Dynamic security testing"}, "ltype": "Is Part Of"}], "name": "Automated dynamic security testing"}, {"doctype": "CRE", "id": "804-220", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that cookie-based session tokens have the 'HttpOnly' attribute set.", "sectionID": "V3.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1004.html", "name": "CWE", "section": "", "sectionID": "1004"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1.1"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that the HttpOnly flag is set for all cookies.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRule.java", "name": "ZAP Rule", "section": "Cookie No HttpOnly Flag", "sectionID": "10010", "tags": ["Passive", "10010"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "110-531", "name": "Cookie-config"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-765", "name": "XSS protection", "tags": ["Injection protection"]}, "ltype": "Related"}], "name": "Set httponly attribute for cookie-based session tokens", "tags": ["XSS protection"]}, {"doctype": "CRE", "id": "640-364", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that trusted enforcement points, such as access control gateways, servers, and serverless functions, enforce access controls. 
Never enforce access controls on the client.", "sectionID": "V1.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/602.html", "name": "CWE", "section": "", "sectionID": "602"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/162.html", "name": "CAPEC", "section": "Manipulating Hidden Fields", "sectionID": "162", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/202.html", "name": "CAPEC", "section": "Create Malicious Client", "sectionID": "202", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/207.html", "name": "CAPEC", "section": "Removing Important Client Functionality", "sectionID": "207", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/208.html", "name": "CAPEC", "section": "Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements", "sectionID": "208", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/21.html", "name": "CAPEC", "section": "Exploitation of Trusted Identifiers", "sectionID": "21", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", 
"name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}], "name": "Enforce access control on trusted parts/serverside", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "576-651", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as 
the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))", "sectionID": "V2.1.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try 
Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials directives"}, "ltype": "Is Part Of"}], "name": "Validate new passwords are not in commonly breached passwords list"}, {"doctype": "CRE", "id": "342-764", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that the out of band verifier retains only a hashed version of the authentication code.", "sectionID": "V2.7.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/256.html", "name": "CWE", "section": "", "sectionID": "256"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Only store hashed authentication codes"}, {"doctype": "CRE", "id": "062-850", "links": [{"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "525-361", "name": "Authenticate by OTP token entry or user-initiated action on multi factor device"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "076-470", "name": "Biometric authenticators only as secondary factors"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "102-811", "name": "Communicate out of band multi factor authentication requests, codes or tokens 
independently and securely"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "681-823", "name": "Defined lifetime of time-based one-time password"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "354-752", "name": "Do not offer weak (clear text) multi-factor authenticators by default"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "440-361", "name": "Ensure that physical single factor OTP generator can be revoked fully immediately when lost"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "816-631", "name": "Ensure timely expiration of out of band authentication request, code, or tokens"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "622-835", "name": "Generate initial passwords with sufficient secure random, short expiration time and do not allow to reuse the initial password."}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "346-640", "name": "Generate multi-factor lookup secrets with sufficient entropy"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "646-227", "name": "Log and reject re-use of valid time-based OTP tokens and notify device holder."}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "524-446", "name": "Mandate using multi factor authentication"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "342-764", "name": "Only store hashed authentication codes"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "354-752", "name": "Prioritize strong multi-factor authenticators (e.g. 
NOT SMS/mail) for critical access"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "553-413", "name": "Support subscriber-provided authentication devices"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "841-757", "name": "Use approved cryptographic algorithms in generation, seeding and verification of OTPs", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "101-217", "name": "Use lookup secrets only once"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "168-186", "name": "Use out of band authentication requests, codes or tokens only once"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "206-254", "name": "Use secure random to generate initial authentication codes", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "543-428", "name": "Use security module to store one-time password verification keys", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "404-126", "name": "Use time-based OTP only once"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "513-845", "name": "Use unpredictable multi-factor lookup secrets"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "270-634", "name": "Send authentication secrets encrypted"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "201-246", "name": "Use multifactor authentication on administrative interfaces"}, "ltype": "Related"}], "name": "MFA/OTP", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "223-780", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/implementation/secure-deployment/stream-b", "name": "SAMM", "section": "Secret Management", "sectionID": "I-SD-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets/Secrets_Management_Cheat_Sheet.md", "name": "Cheat_sheets", "section": 
"Secrets Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques. Can you solve all the 15 challenges?) -->", "doctype": "Tool", "hyperlink": "https://github.com/commjoen/wrongsecrets", "name": "OWASP", "section": "", "tags": ["training", "secrets"], "tooltype": "Training"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "633-428", "name": "Authentication"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "774-888", "name": "Do not store secrets in the code"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "821-832", "name": "Ensure keys and passwords are replaceable"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "767-435", "name": "Set the highest feasible iteration count for PBKDF2"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "078-427", "name": "Set the highest feasible work factor for bcrypt"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "881-321", "name": "Store credentials securely"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "783-255", "name": "Store cryptographic keys securely"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "622-203", "name": "Store passwords salted and hashed"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "340-375", "name": "Use a dedicated secrets management solution"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "032-213", "name": "Use an isolated security module for cryptographic operations"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", 
"id": "508-702", "name": "Use key vaults"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "077-781", "name": "Use separately stored secret salt (pepper)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "082-530", "name": "Use unique random salt with sufficient entropy for each credential"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "287-305", "name": "Document explicit key/secret management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "126-668", "name": "Secure data storage"}, "ltype": "Is Part Of"}], "name": "Secret storage", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "228-551", "links": [{"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "248-646", "name": "Disable insecure SSL/TLS versions", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "745-045", "name": "Do not fall back to insecure protocols in TCP"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "636-854", "name": "Encrypt all communications"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "668-364", "name": "Log TLS connection failures"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "767-701", "name": "Verify strong TLS algorithms by testing"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "430-636", "name": "Verify TLS certificates and trust chain", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "558-807", "name": "Mutually authenticate application and credential service provider"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Is Part Of"}], "name": "TLS", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "537-367", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md", "name": "ASVS", "section": "Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured.", "sectionID": "V9.2.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/299.html", "name": "CWE", "section": "", "sectionID": "299"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "634-733", "name": "Communication authentication"}, "ltype": "Is Part Of"}], "name": "Enable certification revocation"}, {"doctype": "CRE", "id": "461-680", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.", "sectionID": "PS.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}], "name": "Securely archive builds and build information"}, {"doctype": "CRE", "id": "664-080", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions.", "sectionID": "V13.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/285.html", "name": "CWE", "section": "", "sectionID": "285"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Web Service Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": "Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/402.html", "name": "CAPEC", "section": "Bypassing ATA Password Security", "sectionID": "402", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/51.html", "name": "CAPEC", "section": "Poison Web Service Registry", "sectionID": "51", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/647.html", "name": "CAPEC", "section": "Collect Data from Registries", "sectionID": "647", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/668.html", "name": "CAPEC", "section": "Key Negotiation of Bluetooth Attack (KNOB)", "sectionID": "668", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/87.html", "name": "CAPEC", "section": "Forceful Browsing", "sectionID": "87", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}], "name": "Enforce model-based authorization both 
at URI and final resource"}, {"doctype": "CRE", "id": "611-158", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections.", "sectionID": "V10.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/749.html", "name": "CWE", "section": "", "sectionID": "749"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Third Party Javascript Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "See the references for security advice on the use of these functions.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java", "name": "ZAP Rule", "section": "Dangerous JS Functions", "sectionID": "10110", "tags": ["Passive", "10110"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/500.html", "name": "CAPEC", "section": "WebView Injection", "sectionID": "500", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "832-555", "name": "Automated static security analysis of code and configuration"}, "ltype": "Is Part Of"}], "name": "Use static analysis tooling to detect potentially malicious actions"}, {"doctype": "CRE", "id": "036-275", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify availability of a secure coding 
checklist, security requirements, guideline, or policy to all developers and testers.", "sectionID": "V1.1.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/637.html", "name": "CWE", "section": "", "sectionID": "637"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Threat Modeling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Attack Surface Analysis Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Secure coding", "sectionID": "8.28"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "787-638", "name": "Technical instructions"}, "ltype": "Is Part Of"}], "name": "Make (centrally) available secure coding resources for programmers"}, {"doctype": "CRE", "id": "531-558", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application protects against LDAP injection vulnerabilities, or that specific security controls to prevent LDAP injection have been implemented.", "sectionID": "V5.3.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html", "name": "OWASP Proactive Controls", "section": "C4"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/90.html", "name": "CWE", "section": "", "sectionID": "90"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-06"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java", "name": "ZAP Rule", "section": "LDAP Injection", "sectionID": "40015", "tags": ["Active", "40015"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/136.html", "name": "CAPEC", "section": "LDAP Injection", "sectionID": "136", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Protect against LDAP injection"}, {"doctype": "CRE", "id": "806-367", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that output encoding occurs close to or by the interpreter for which it is intended.", "sectionID": "V1.5.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html", "name": "OWASP Proactive Controls", "section": "C4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/116.html", "name": "CWE", "section": "", "sectionID": "116"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Deserialization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Encode output near the consuming interpreter"}, {"doctype": "CRE", "id": "675-168", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that user-submitted filename metadata is not used directly by system or framework filesystems and that a URL API is used to protect against path traversal.", "sectionID": "V12.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/22.html", "name": "CWE", "section": "", "sectionID": "22"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHZ-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java", "name": "ZAP Rule", "section": "Path Traversal", "sectionID": "6-2", "tags": ["Active", "6-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java", "name": "ZAP Rule", "section": "Path Traversal", "sectionID": "6-5", "tags": ["Active", "6-5"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java", "name": "ZAP Rule", "section": "Path Traversal", "sectionID": "6-4", "tags": ["Active", "6-4"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java", "name": "ZAP Rule", "section": "Path Traversal", "sectionID": "6-1", "tags": ["Active", "6-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java", "name": "ZAP Rule", "section": "Path Traversal", "sectionID": "6-3", "tags": ["Active", "6-3"], "tooltype": "Offensive"}, "ltype": "Linked To"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/126.html", "name": "CAPEC", "section": "Path Traversal", "sectionID": "126", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/64.html", "name": "CAPEC", "section": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", "sectionID": "64", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/78.html", "name": "CAPEC", "section": "Using Escaped Slashes in Alternate Encoding", "sectionID": "78", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "451-082", "name": "File execution"}, "ltype": "Is Part Of"}], "name": "Sanitize filename metadata from untrusted origin if processing is required"}, {"doctype": "CRE", "id": "541-441", "links": [{"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "820-421", "name": "Authenticate HTTP headers added by a trusted proxy or SSO device"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "405-411", "name": "Avoid using of Origin header for authentication of access control"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "483-715", "name": "White-list 
HTTP methods"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "316-272", "name": "Whitelist CORS resources"}, "ltype": "Contains"}], "name": "Validate HTTP request headers", "tags": ["Injection protection"]}, {"doctype": "CRE", "id": "836-068", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/", "name": "OWASP Top 10 2021", "section": "Software and Data Integrity Failures", "sectionID": "A08"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Blocked%20RCE%20DoS", "name": "OWASP Juice Shop", "section": "Blocked RCE DoS", "sectionID": "rceChallenge", "tags": ["Insecure Deserialization"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Successful%20RCE%20DoS", "name": "OWASP Juice Shop", "section": "Successful RCE DoS", "sectionID": "rceOccupyChallenge", "tags": ["Insecure Deserialization"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "831-563", "name": "Avoid deserialization logic"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "736-554", "name": "Block serialization of content from untrusted clients"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "387-848", "name": "Parse JSON safely"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "762-616", "name": "Secure serialized objects (e.g. 
integrity checks)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "515-021", "name": "Sandbox, containerize and/or isolate applications at the network level", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "184-284", "name": "Log all security relevant events"}, "ltype": "Related"}], "name": "Deserialization Prevention"}, {"doctype": "CRE", "id": "715-334", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that all components are up to date, preferably using a dependency checker during build or compile time.", "sectionID": "V14.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html", "name": "OWASP Proactive Controls", "section": "C2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1026.html", "name": "CWE", "section": "", "sectionID": "1026"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Vulnerable Dependency Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-286", "name": "Dependency management"}, "ltype": "Is Part Of"}], "name": "Update third party components build- or compile time"}, {"doctype": "CRE", "id": "114-277", "links": [{"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Is Part Of"}, {"document": {"doctype": 
"CRE", "id": "551-054", "name": "Use ephemeral secrets rather than static secrets"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "483-883", "name": "When using stateless tokens, ensure cryptographically secure characteristics"}, "ltype": "Contains"}], "name": "Session integrity"}, {"doctype": "CRE", "id": "141-555", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-24", "name": "NIST 800-53 v5", "section": "SC-24 Fail in Known State"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-17", "name": "NIST 800-53 v5", "section": "SI-17 Fail-safe Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "036-810", "name": "Let cryptographic modules fail securely"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "166-151", "name": "Ensure that secure fail-safe is in place for access control"}, "ltype": "Related"}], "name": "Fail securely"}, {"doctype": "CRE", "id": "154-031", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that the application source code and third party libraries do not contain Easter eggs or any other potentially unwanted functionality.", "sectionID": "V10.2.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/507.html", "name": "CWE", "section": "", "sectionID": "507"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/698.html", "name": "CAPEC", "section": "Install Malicious Extension", "sectionID": "698", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}], "name": "Harden application by excluding unwanted functionality", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "571-271", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Policies for information security", "sectionID": "5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-9", "name": "NIST 800-53 v5", "section": "PL-9 Central Management"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Acceptable use of information and other associated assets", "sectionID": "5.10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-1", "name": "NIST 800-53 v5", "section": "PM-1 Information Security Program Plan"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security in project management", "sectionID": "5.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-12", "name": "NIST 800-53 v5", "section": "PM-12 Insider Threat Program"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-14", "name": "NIST 800-53 v5", "section": "PM-14 Testing, Training, and Monitoring"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-26", "name": "NIST 800-53 v5", "section": "PM-26 Complaint Management"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-32", "name": "NIST 800-53 v5", "section": "PM-32 Purposing"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-4", "name": "NIST 800-53 v5", "section": "PM-4 Plan of Action and Milestones Process"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-1", "name": "NIST 800-53 v5", "section": "SC-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-1", "name": "NIST 800-53 v5", "section": "SI-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "563-088", "name": "Security organizing processes"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "833-030", "name": "Connect with the community"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "261-010", "name": "Program management for secure software development"}, "ltype": "Contains"}], "name": "Program management"}, {"doctype": "CRE", "id": "441-132", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES, Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) 
are not used unless required for backwards compatibility.", "sectionID": "V6.2.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/326.html", "name": "CWE", "section": "", "sectionID": "326"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Protect the connection using HTTPS or use a stronger authentication mechanism", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java", "name": "ZAP Rule", "section": "Weak Authentication Method", "sectionID": "10105", "tags": ["Passive", "10105"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/192.html", "name": "CAPEC", "section": "Protocol Analysis", "sectionID": "192", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use weak crypto only for backwards compatibility"}, {"doctype": "CRE", "id": "384-344", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable Content Security Policy (CSP) to reduce the risk from XSS vectors or other attacks from the uploaded file.", "sectionID": "V1.12.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/646.html", "name": "CWE", "section": "", "sectionID": "646"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/209.html", "name": "CAPEC", "section": "XSS Using MIME Type Mismatch", "sectionID": "209", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "621-287", "name": "File upload"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-765", "name": "XSS protection", "tags": ["Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}], "name": "Store and serve user-uploaded files such that they cannot execute/damage server or client", "tags": ["Injection protection", "XSS protection"]}, {"doctype": "CRE", "id": "430-636", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md", "name": "ASVS", "section": "Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected.", "sectionID": "V9.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/295.html", "name": "CWE", "section": "", "sectionID": "295"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/459.html", "name": "CAPEC", "section": "Creating a Rogue Certification Authority Certificate", "sectionID": "459", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/475.html", "name": "CAPEC", "section": "Signature Spoofing by Improper Validation", "sectionID": "475", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}], "name": "Verify TLS certificates and trust chain", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "447-083", "links": [{"document": {"doctype": "CRE", "id": "854-643", "name": "Robust business logic", "tags": ["Denial Of Service protection"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "762-451", "name": "Ensure users can remove or export their data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "082-327", "name": "Inform users clearly about the collection and use of personal data, and use it only after opt-in consent."}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "362-550", "name": "Personal data handling"}, "ltype": "Related"}], 
"name": "Privacy-preserving personal data logic"}, {"doctype": "CRE", "id": "077-781", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that an additional iteration of a key derivation function is performed, using a salt value that is secret and known only to the verifier. Generate the salt value using an approved random bit generator [SP 800-90Ar1] and provide at least the minimum security strength specified in the latest revision of SP 800-131A. The secret salt value SHALL be stored separately from the hashed passwords (e.g., in a specialized device like a hardware security module).", "sectionID": "V2.4.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/916.html", "name": "CWE", "section": "", "sectionID": "916"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Password Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use separately stored secret salt (pepper)"}, {"doctype": "CRE", "id": "533-516", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that output encoding preserves the user's chosen character set and locale, such that any 
Unicode character point is valid and safely handled.", "sectionID": "V5.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html", "name": "OWASP Proactive Controls", "section": "C4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/176.html", "name": "CWE", "section": "", "sectionID": "176"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/D-Encoded_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-APPE-D"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/71.html", "name": "CAPEC", "section": "Using Unicode Encoding to Bypass Validation Logic", "sectionID": "71", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Encode output while preserving user input formatting"}, {"doctype": "CRE", "id": "743-110", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components.", "sectionID": "V14.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/200.html", "name": "CWE", "section": "", "sectionID": "200"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/README.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INFO-##"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Error Handling Cheat Sheet"}, "ltype": "Linked To"}, {"document": 
{"description": "Disable debugging messages before pushing to production.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Debug%20Error%20Disclosure.js", "name": "ZAP Rule", "section": "Information Disclosure - Debug Error Messages via WebSocket", "sectionID": "110003", "tags": ["110003", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Session ID in URL Rewrite", "sectionID": "3-1", "tags": ["Passive", "3-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java", "name": "ZAP Rule", "section": "Timestamp Disclosure", "sectionID": "10096", "tags": ["10096", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the ASP.NET ViewState does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java", "name": "ZAP Rule", "section": "ASP.NET ViewState Disclosure", "sectionID": "10094-1", "tags": ["Passive", "10094-1"], "tooltype": 
"Offensive"}, "ltype": "Linked To"}, {"document": {"description": "This is a risk if the session ID is sensitive and the hyperlink refers to an external or third party host. For secure content, put session ID in secured session cookie.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Referer Exposes Session ID", "sectionID": "3-3", "tags": ["3-3", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java", "name": "ZAP Rule", "section": "Proxy Disclosure", "sectionID": "40025", "tags": ["Active", "40025"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Before allowing images to be stored on the server and/or transmitted to the browser, strip out the embedded location information from image. This could mean removing all Exif data or just the GPS component. 
Other data, like serial numbers, should also be removed.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/imagelocationscanner/src/main/java/org/zaproxy/zap/extension/imagelocationscanner/ImageLocationScanRule.java", "name": "ZAP Rule", "section": "Image Exposes Location or Privacy Data", "sectionID": "10103", "tags": ["Passive", "10103"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove emails that are not public.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Email%20Disclosure.js", "name": "ZAP Rule", "section": "Email address found in WebSocket message", "sectionID": "110004", "tags": ["110004", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the 'Server' header or provide generic details.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks its Webserver Application via 'Server' HTTP Response Header Field", "sectionID": "10036-1", "tags": ["Passive", "10036-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Disable debugging messages before pushing to production.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Debug Error Messages", "sectionID": "10023", "tags": ["Passive", "10023"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove the private IP address from the 
HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java", "name": "ZAP Rule", "section": "Private IP Disclosure", "sectionID": "2", "tags": ["2", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRule.java", "name": "ZAP Rule", "section": "In Page Banner Information Leak", "sectionID": "10009", "tags": ["10009", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not pass sensitive information in URIs.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Sensitive Information in HTTP Referrer Header", "sectionID": "10025", "tags": ["10025", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.).", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java", "name": "ZAP Rule", "section": "X-Debug-Token Information Leak", "sectionID": "10056", "tags": ["Passive", "10056"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. 
is configured to suppress X-Backend-Server headers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java", "name": "ZAP Rule", "section": "X-Backend-Server Header Information Leak", "sectionID": "10039", "tags": ["10039", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "TBA", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java", "name": "ZAP Rule", "section": "Insecure HTTP Method", "sectionID": "90028", "tags": ["Active", "90028"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/XML%20Comments%20Disclosure.js", "name": "ZAP Rule", "section": "Information Disclosure - Suspicious Comments in XML via WebSocket", "sectionID": "110008", "tags": ["110008", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Disable this functionality in Production when it might leak information that could be leveraged by an attacker. 
Alternatively ensure that use of the functionality is tied to a strong authorization check and only available to administrators or support personnel for troubleshooting purposes not general users.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java", "name": "ZAP Rule", "section": "X-ChromeLogger-Data (XCOLD) Header Information Leak", "sectionID": "10052", "tags": ["Passive", "10052"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress 'X-Powered-By' headers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)", "sectionID": "10037", "tags": ["10037", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "For secure content, put session ID in a cookie. 
To be even more secure consider using a combination of cookie and URL rewrite.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Session ID in URL Rewrite", "sectionID": "3-2", "tags": ["Passive", "3-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not pass sensitive information in URIs.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Sensitive Information in URL", "sectionID": "10024", "tags": ["10024", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java", "name": "ZAP Rule", "section": "Cookie Slack Detector", "sectionID": "90027", "tags": ["Active", "90027"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the 'Server' header or provide generic details.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks Version Information via 'Server' HTTP Response Header Field", "sectionID": "10036-2", "tags": ["Passive", "10036-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not divulge details of whether a username is valid or invalid. 
In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java", "name": "ZAP Rule", "section": "Possible Username Enumeration", "sectionID": "40023", "tags": ["Active", "40023"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Suspicious Comments", "sectionID": "10027", "tags": ["10027", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java", "name": "ZAP Rule", "section": "Base64 Disclosure", "sectionID": "10094-3", "tags": ["Passive", "10094-3"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Review the source code of this page. Implement custom error pages. 
Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java", "name": "ZAP Rule", "section": "Application Error Disclosure", "sectionID": "90022", "tags": ["90022", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/116.html", "name": "CAPEC", "section": "Excavation", "sectionID": "116", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/169.html", "name": "CAPEC", "section": "Footprinting", "sectionID": "169", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/224.html", "name": "CAPEC", "section": "Fingerprinting", "sectionID": "224", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/285.html", "name": "CAPEC", "section": "ICMP Echo Request Ping", "sectionID": "285", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/287.html", "name": "CAPEC", "section": "TCP SYN Scan", "sectionID": "287", "version": "3.9"}, 
"ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/290.html", "name": "CAPEC", "section": "Enumerate Mail Exchange (MX) Records", "sectionID": "290", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/291.html", "name": "CAPEC", "section": "DNS Zone Transfers", "sectionID": "291", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/292.html", "name": "CAPEC", "section": "Host Discovery", "sectionID": "292", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/293.html", "name": "CAPEC", "section": "Traceroute Route Enumeration", "sectionID": "293", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/294.html", "name": "CAPEC", "section": "ICMP Address Mask Request", "sectionID": "294", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/295.html", "name": "CAPEC", "section": "Timestamp Request", "sectionID": "295", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/296.html", "name": "CAPEC", "section": "ICMP Information Request", "sectionID": "296", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/297.html", "name": "CAPEC", "section": "TCP ACK Ping", "sectionID": "297", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/298.html", "name": "CAPEC", "section": "UDP Ping", "sectionID": "298", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/299.html", "name": "CAPEC", "section": "TCP SYN Ping", "sectionID": "299", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/300.html", "name": "CAPEC", "section": "Port Scanning", "sectionID": "300", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/301.html", "name": "CAPEC", "section": "TCP Connect Scan", "sectionID": "301", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/302.html", "name": "CAPEC", "section": "TCP FIN Scan", "sectionID": "302", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/303.html", "name": "CAPEC", "section": "TCP Xmas Scan", "sectionID": "303", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/304.html", "name": "CAPEC", "section": "TCP Null Scan", "sectionID": "304", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/305.html", "name": "CAPEC", "section": "TCP ACK Scan", "sectionID": "305", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/306.html", "name": "CAPEC", "section": "TCP Window Scan", "sectionID": "306", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/307.html", "name": "CAPEC", "section": "TCP RPC Scan", "sectionID": "307", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/308.html", "name": "CAPEC", "section": "UDP Scan", "sectionID": "308", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/309.html", "name": "CAPEC", "section": "Network Topology Mapping", "sectionID": "309", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/310.html", "name": "CAPEC", "section": "Scanning for Vulnerable Software", "sectionID": "310", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/312.html", "name": "CAPEC", "section": "Active OS Fingerprinting", "sectionID": "312", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/313.html", "name": "CAPEC", "section": "Passive OS Fingerprinting", "sectionID": "313", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/317.html", "name": "CAPEC", "section": "IP ID Sequencing Probe", "sectionID": "317", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/318.html", "name": "CAPEC", "section": "IP 'ID' Echoed Byte-Order Probe", "sectionID": "318", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/319.html", "name": "CAPEC", "section": "IP (DF) 'Don't Fragment Bit' Echoing Probe", "sectionID": "319", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/320.html", "name": "CAPEC", "section": "TCP Timestamp Probe", "sectionID": "320", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/321.html", "name": "CAPEC", "section": "TCP Sequence Number Probe", "sectionID": "321", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/322.html", "name": "CAPEC", "section": "TCP (ISN) Greatest Common Divisor Probe", "sectionID": "322", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/323.html", "name": "CAPEC", "section": "TCP (ISN) Counter Rate Probe", "sectionID": "323", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/324.html", "name": "CAPEC", "section": "TCP (ISN) Sequence Predictability Probe", "sectionID": "324", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/325.html", "name": "CAPEC", "section": "TCP Congestion Control Flag (ECN) Probe", "sectionID": "325", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/326.html", "name": "CAPEC", "section": "TCP Initial Window Size Probe", "sectionID": "326", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/327.html", "name": "CAPEC", "section": "TCP Options Probe", "sectionID": "327", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/328.html", "name": "CAPEC", "section": "TCP 'RST' Flag Checksum Probe", "sectionID": "328", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/329.html", "name": "CAPEC", "section": "ICMP Error Message Quoting Probe", "sectionID": "329", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/330.html", "name": "CAPEC", "section": "ICMP Error Message Echoing Integrity Probe", "sectionID": "330", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/472.html", "name": "CAPEC", "section": "Browser Fingerprinting", "sectionID": "472", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/497.html", "name": "CAPEC", "section": "File Discovery", "sectionID": "497", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/508.html", "name": "CAPEC", "section": "Shoulder Surfing", "sectionID": "508", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/573.html", "name": "CAPEC", "section": "Process Footprinting", "sectionID": "573", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/574.html", "name": "CAPEC", "section": "Services Footprinting", "sectionID": "574", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/575.html", "name": "CAPEC", "section": "Account Footprinting", "sectionID": "575", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/576.html", "name": "CAPEC", "section": "Group Permission Footprinting", "sectionID": "576", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/577.html", "name": "CAPEC", "section": "Owner Footprinting", "sectionID": "577", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/616.html", "name": "CAPEC", "section": "Establish Rogue Location", "sectionID": "616", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/643.html", "name": "CAPEC", "section": "Identify Shared Files/Directories on System", "sectionID": "643", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/646.html", "name": "CAPEC", "section": "Peripheral Footprinting", "sectionID": "646", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/651.html", "name": "CAPEC", "section": "Eavesdropping", "sectionID": "651", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "308-515", "name": "Prevent security disclosure", "tags": ["Configuration"]}, "ltype": "Is Part Of"}], "name": "Do not disclose technical information in HTTP header or response"}, {"doctype": "CRE", "id": "832-555", "links": [{"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "611-158", "name": "Use static analysis tooling to detect potentially malicious actions"}, "ltype": "Contains"}], "name": "Automated static security analysis of code and configuration"}, {"doctype": "CRE", "id": "546-564", "links": [{"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": 
"Contains"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "CSRF protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "362-550", "name": "Personal data handling"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "058-527", "name": "Secure name/address resolution service"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "SSRF protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "760-765", "name": "XSS protection", "tags": ["Injection protection"]}, "ltype": "Contains"}], "name": "Cross-cutting concerns"}, {"doctype": "CRE", "id": "742-056", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files via Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks.", "sectionID": "V12.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/98.html", "name": "CWE", "section": "", "sectionID": "98"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHZ-01"}, "ltype": "Linked 
To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteFileIncludeScanRule.java", "name": "ZAP Rule", "section": "Remote File Inclusion", "sectionID": "7", "tags": ["Active", "7"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/193.html", "name": "CAPEC", "section": "PHP Remote File Inclusion", "sectionID": "193", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "451-082", "name": "File execution"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "SSRF protection"}, "ltype": "Related"}], "name": "Ignore/at least validate filename metadata from untrusted origin (remote file context, eg RFI)", "tags": ["SSRF protection"]}, {"doctype": "CRE", "id": "258-115", "links": [{"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "551-400", "name": "Allow user revocation of Oauth tokens"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "618-403", "name": "Enforce authentication timeout when dealing with an authentication third party (CSP)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "052-821", "name": "When using an authentication third party (CSP), relay last authentication event to other parties in the chain"}, "ltype": "Contains"}], "name": "Re-authentication from federation or assertion"}, {"doctype": "CRE", "id": "457-165", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying 
parties.", "sectionID": "V3.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/613.html", "name": "CWE", "section": "", "sectionID": "613"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-23", "name": "NIST 800-53 v5", "section": "SC-23(1)"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-06"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "470-731", "name": "Minimize session life"}, "ltype": "Is Part Of"}], "name": "Terminate session after logout"}, {"doctype": "CRE", "id": "538-446", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length.", "sectionID": "V5.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cwe.mitre.org/data/definitions/138.html", "name": "CWE", "section": "", "sectionID": "138"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-00"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/105.html", "name": "CAPEC", "section": "HTTP Request Splitting", "sectionID": "105", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/15.html", "name": "CAPEC", "section": "Command Delimiters", "sectionID": "15", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/34.html", "name": "CAPEC", 
"section": "HTTP Response Splitting", "sectionID": "34", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Sanitize unstructured data"}, {"doctype": "CRE", "id": "208-805", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures.", "sectionID": "V14.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/497.html", "name": "CWE", "section": "", "sectionID": "497"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Error Handling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/170.html", "name": "CAPEC", "section": "Web Application Fingerprinting", "sectionID": "170", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/694.html", "name": "CAPEC", "section": "System Location Discovery", "sectionID": "694", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "308-515", "name": "Prevent security disclosure", "tags": ["Configuration"]}, "ltype": "Is Part Of"}], "name": "Disable debug mode in production"}, {"doctype": "CRE", "id": "611-051", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that XSD schema validation takes place 
to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place.", "sectionID": "V13.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/20.html", "name": "CWE", "section": "", "sectionID": "20"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java", "name": "ZAP Rule", "section": "Relative Path Confusion", "sectionID": "10051", "tags": ["Active", "10051"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "All forms must specify the action URL.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java", "name": "ZAP Rule", "section": "HTTP Parameter Override", "sectionID": "10026", "tags": ["Passive", "10026"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Properly sanitize the user input for parameter delimiters", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java", "name": 
"ZAP Rule", "section": "HTTP Parameter Pollution", "sectionID": "20014", "tags": ["Active", "20014"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java", "name": "ZAP Rule", "section": "Remote Code Execution - CVE-2012-1823", "sectionID": "20018", "tags": ["Active", "20018"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java", "name": "ZAP Rule", "section": "Source Code Disclosure - CVE-2012-1823", "sectionID": "20017", "tags": ["Active", "20017"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java", "name": "ZAP Rule", "section": "Httpoxy - Proxy Header Misuse", "sectionID": "10107", "tags": ["Active", "10107"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/10.html", "name": "CAPEC", "section": "Buffer Overflow via Environment Variables", "sectionID": "10", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/101.html", "name": "CAPEC", "section": "Server Side Include (SSI) Injection", "sectionID": "101", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": 
"CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/108.html", "name": "CAPEC", "section": "Command Line Execution through SQL Injection", "sectionID": "108", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/109.html", "name": "CAPEC", "section": "Object Relational Mapping Injection", "sectionID": "109", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/110.html", "name": "CAPEC", "section": "SQL Injection through SOAP Parameter Tampering", "sectionID": "110", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/120.html", "name": "CAPEC", "section": "Double Encoding", "sectionID": "120", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/135.html", "name": "CAPEC", "section": "Format String Injection", "sectionID": "135", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/136.html", "name": "CAPEC", "section": "LDAP Injection", "sectionID": "136", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/14.html", "name": "CAPEC", "section": "Client-side Injection-induced Buffer Overflow", "sectionID": "14", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/153.html", 
"name": "CAPEC", "section": "Input Data Manipulation", "sectionID": "153", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/182.html", "name": "CAPEC", "section": "Flash Injection", "sectionID": "182", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/209.html", "name": "CAPEC", "section": "XSS Using MIME Type Mismatch", "sectionID": "209", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/23.html", "name": "CAPEC", "section": "File Content Injection", "sectionID": "23", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", "sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/24.html", "name": "CAPEC", "section": "Filter Failure through Buffer Overflow", "sectionID": "24", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/250.html", "name": "CAPEC", "section": "XML Injection", "sectionID": "250", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/261.html", "name": "CAPEC", "section": "Fuzzing for 
garnering other adjacent user/sensitive data", "sectionID": "261", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/267.html", "name": "CAPEC", "section": "Leverage Alternate Encoding", "sectionID": "267", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/28.html", "name": "CAPEC", "section": "Fuzzing", "sectionID": "28", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/3.html", "name": "CAPEC", "section": "Using Leading 'Ghost' Character Sequences to Bypass Input Filters", "sectionID": "3", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/42.html", "name": "CAPEC", "section": "MIME Conversion", "sectionID": "42", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/43.html", "name": "CAPEC", "section": "Exploiting Multiple Input Interpretation Layers", "sectionID": "43", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/46.html", "name": "CAPEC", "section": "Overflow Variables and Tags", "sectionID": "46", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/47.html", 
"name": "CAPEC", "section": "Buffer Overflow via Parameter Expansion", "sectionID": "47", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/473.html", "name": "CAPEC", "section": "Signature Spoof", "sectionID": "473", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/52.html", "name": "CAPEC", "section": "Embedding NULL Bytes", "sectionID": "52", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/53.html", "name": "CAPEC", "section": "Postfix, Null Terminate, and Backslash", "sectionID": "53", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/588.html", "name": "CAPEC", "section": "DOM-Based XSS", "sectionID": "588", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/63.html", "name": "CAPEC", "section": "Cross-Site Scripting (XSS)", "sectionID": "63", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/64.html", "name": "CAPEC", "section": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", "sectionID": "64", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/664.html", "name": "CAPEC", "section": "Server Side Request Forgery", "sectionID": "664", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/67.html", "name": "CAPEC", "section": "String Format Overflow in syslog()", "sectionID": "67", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/7.html", 
"name": "CAPEC", "section": "Blind SQL Injection", "sectionID": "7", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/71.html", "name": "CAPEC", "section": "Using Unicode Encoding to Bypass Validation Logic", "sectionID": "71", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/72.html", "name": "CAPEC", "section": "URL Encoding", "sectionID": "72", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/78.html", "name": "CAPEC", "section": "Using Escaped Slashes in Alternate Encoding", "sectionID": "78", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/8.html", "name": "CAPEC", "section": "Buffer Overflow in an API Call", "sectionID": "8", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/80.html", "name": "CAPEC", "section": "Using UTF-8 Encoding to Bypass Validation Logic", "sectionID": "80", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/83.html", "name": 
"CAPEC", "section": "XPath Injection", "sectionID": "83", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/88.html", "name": "CAPEC", "section": "OS Command Injection", "sectionID": "88", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/9.html", "name": "CAPEC", "section": "Buffer Overflow in Local Command-Line Utilities", "sectionID": "9", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "080-373", "name": "SOAP"}, "ltype": "Is Part Of"}], "name": "Enforce schema on XML structure/field"}, {"doctype": "CRE", "id": "862-452", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-26", "name": "NIST 800-53 v5", "section": "SC-26 Decoys"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-30", "name": "NIST 800-53 v5", "section": "SC-30 Concealment and Misdirection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-35", "name": "NIST 800-53 v5", "section": "SC-35 External Malicious Code Identification"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-36", "name": "NIST 800-53 v5", "section": "SC-36 Distributed Processing and Storage"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 
27001", "section": "Separation of development, test and production environments", "sectionID": "8.31"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-37", "name": "NIST 800-53 v5", "section": "SC-37 Out-of-band Channels"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-38", "name": "NIST 800-53 v5", "section": "SC-38 Operations Security"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-42", "name": "NIST 800-53 v5", "section": "SC-42 Sensor Capability and Data"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-43", "name": "NIST 800-53 v5", "section": "SC-43 Usage Restrictions"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-46", "name": "NIST 800-53 v5", "section": "SC-46 Cross Domain Policy Enforcement"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-47", "name": "NIST 800-53 v5", "section": "SC-47 Alternate Communications Paths"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-48", "name": "NIST 800-53 v5", "section": "SC-48 Sensor Relocation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-50", "name": "NIST 800-53 v5", "section": "SC-50 Software-enforced Separation and Policy Enforcement"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Documented operating procedures", "sectionID": "5.37"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Infrastructure and Virtualization Security Policy and Procedures", "sectionID": "IVS-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security for use of cloud services", "sectionID": "5.23"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "247-250", "name": "Access control processes"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "887-750", "name": "Detect and respond"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "010-678", "name": "Improvement management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "148-853", "name": "Setup and maintain a secure software development process"}, "ltype": "Related"}], "name": "Operating processes for security"}, {"doctype": "CRE", "id": "170-772", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-12", "name": "NIST 800-53 v5", "section": "SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Use of cryptography", "sectionID": "8.24"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-13", "name": "NIST 800-53 v5", "section": "SC-13 Cryptographic Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-17", "name": "NIST 800-53 v5", "section": "SC-17 Public Key Infrastructure Certificates"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/", "name": "OWASP Top 10 2021", "section": "Cryptographic Failures", "sectionID": "A02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Cryptography, Encryption & Key Management", "sectionID": "CEK"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "333-858", "name": "Resist stolen credentials", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "585-408", "name": "Challenge nonce cryptography", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "841-757", "name": "Use approved cryptographic algorithms in generation, seeding and verification of OTPs", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "206-254", "name": "Use secure random to generate initial authentication codes", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "543-428", 
"name": "Use security module to store one-time password verification keys", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "605-735", "name": "Authenticate all external connections", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "435-702", "name": "Communication encryption", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "527-034", "name": "Protect communication between application components", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "426-842", "name": "Verify the authenticity of both headers and payload", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "248-646", "name": "Disable insecure SSL/TLS versions", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "400-007", "name": "Encrypt data at rest", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "542-270", "name": "Secure random values", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "664-571", "name": "Ensure proper generation of secure random", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "704-530", "name": "Enforce high entropy session tokens", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "727-043", "name": "Ensure secure algorithms for generating session tokens", "tags": ["Cryptography"]}, "ltype": "Related"}], "name": "Cryptography"}, {"doctype": "CRE", "id": "377-680", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that requests containing unexpected or missing content types 
are rejected with appropriate headers (HTTP response status 406 Unacceptable or 415 Unsupported Media Type).", "sectionID": "V13.1.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/434.html", "name": "CWE", "section": "", "sectionID": "434"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Web Service Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "118-110", "name": "API/web services"}, "ltype": "Is Part Of"}], "name": "Reject non-whitelisted content types"}, {"doctype": "CRE", "id": "456-636", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service.", "sectionID": "V13.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/345.html", "name": "CWE", "section": "", "sectionID": "345"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked 
To"}, {"document": {"description": "Provide a valid integrity attribute to the tag.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java", "name": "ZAP Rule", "section": "Sub Resource Integrity Attribute Missing", "sectionID": "90003", "tags": ["90003", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure each page is setting the specific and appropriate content-type value for the content being delivered.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRule.java", "name": "ZAP Rule", "section": "Content-Type Header Missing", "sectionID": "10019", "tags": ["Passive", "10019"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/111.html", "name": "CAPEC", "section": "JSON Hijacking (aka JavaScript Hijacking)", "sectionID": "111", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/141.html", "name": "CAPEC", "section": "Cache Poisoning", "sectionID": "141", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/142.html", "name": "CAPEC", "section": "DNS Cache Poisoning", "sectionID": "142", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/148.html", "name": "CAPEC", "section": "Content Spoofing", "sectionID": "148", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/218.html", "name": "CAPEC", "section": "Spoofing of UDDI/ebXML Messages", "sectionID": 
"218", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/665.html", "name": "CAPEC", "section": "Exploitation of Thunderbolt Protection Flaws", "sectionID": "665", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/701.html", "name": "CAPEC", "section": "Browser in the Middle (BiTM)", "sectionID": "701", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "080-373", "name": "SOAP"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Related"}], "name": "Add integrity check to SOAP payload"}, {"doctype": "CRE", "id": "072-713", "links": 
[{"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/design/security-architecture/stream-b", "name": "SAMM", "section": "Technology Management", "sectionID": "D-SA-B"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "326-704", "name": "Architecture/design processes", "tags": ["Architecture"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "004-517", "name": "Security requirements"}, "ltype": "Related"}], "name": "Manage standard technologies and frameworks"}, {"doctype": "CRE", "id": "404-126", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that time-based OTP can be used only once within the validity period.", "sectionID": "V2.8.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/287.html", "name": "CWE", "section": "", "sectionID": "287"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/114.html", "name": "CAPEC", "section": "Authentication Abuse", "sectionID": "114", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/115.html", "name": "CAPEC", "section": "Authentication Bypass", "sectionID": "115", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/151.html", "name": "CAPEC", "section": "Identity Spoofing", "sectionID": "151", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/194.html", "name": "CAPEC", 
"section": "Fake the Source of Data", "sectionID": "194", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/57.html", "name": "CAPEC", "section": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", "sectionID": "57", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/593.html", "name": "CAPEC", "section": "Session Hijacking", "sectionID": "593", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/633.html", "name": "CAPEC", "section": "Token Impersonation", "sectionID": "633", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/650.html", "name": "CAPEC", "section": "Upload a Web Shell to a Web Server", "sectionID": "650", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": "Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use time-based OTP only once"}, {"doctype": "CRE", "id": "134-207", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application protects against XPath injection or XML injection attacks.", "sectionID": "V5.3.10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html", "name": "OWASP Proactive Controls", "section": "C4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/643.html", "name": "CWE", "section": "", "sectionID": "643"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html; https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-07; WSTG-INPV-09"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat 
Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat 
Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/XpathInjectionScanRule.java", "name": "ZAP Rule", "section": "XPath Injection", "sectionID": "90021", "tags": ["Active", "90021"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Protect against XML/XPath injection"}, {"doctype": "CRE", "id": "543-621", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify password credential recovery does not reveal the current password in any way.", "sectionID": "V2.5.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/640.html", "name": "CWE", "section": "", "sectionID": "640"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": 
"OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/50.html", "name": "CAPEC", "section": "Password Recovery Exploitation", "sectionID": "50", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "520-617", "name": "Credential recovery"}, "ltype": "Is Part Of"}], "name": "Do not reveal the current password during password recovery"}, {"doctype": "CRE", "id": "064-808", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection.", "sectionID": "V5.3.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/89.html", "name": "CWE", "section": "", "sectionID": "89"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-05"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", 
"section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked 
To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - MySQL", "sectionID": "40019", "tags": ["Active", "40019"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionHypersonicScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - Hypersonic SQL", "sectionID": "40020", "tags": ["Active", "40020"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - MsSQL", "sectionID": "40027", "tags": ["Active", "40027"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionSqLiteScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - SQLite", "sectionID": "40024", "tags": ["Active", "40024"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/sqliplugin/src/main/java/org/zaproxy/zap/extension/sqliplugin/SQLInjectionScanRule.java", "name": "ZAP Rule", "section": "Advanced SQL Injection", "sectionID": "90018", "tags": ["Active", "90018"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java", "name": "ZAP Rule", "section": "SQL Injection - PostgreSQL", "sectionID": "40022", "tags": ["Active", "40022"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionOracleScanRule.java", "name": "ZAP Rule", "section": "SQL 
Injection - Oracle", "sectionID": "40021", "tags": ["Active", "40021"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java", "name": "ZAP Rule", "section": "SQL Injection", "sectionID": "40018", "tags": ["Active", "40018"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/108.html", "name": "CAPEC", "section": "Command Line Execution through SQL Injection", "sectionID": "108", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/109.html", "name": "CAPEC", "section": "Object Relational Mapping Injection", "sectionID": "109", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/110.html", "name": "CAPEC", "section": "SQL Injection through SOAP Parameter Tampering", "sectionID": "110", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/470.html", "name": "CAPEC", "section": "Expanding Control over the Operating System from the Database", "sectionID": "470", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/66.html", "name": "CAPEC", "section": "SQL Injection", "sectionID": "66", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/7.html", "name": "CAPEC", "section": "Blind SQL Injection", "sectionID": "7", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is 
Part Of"}], "name": "Encode output context-specifically"}, {"doctype": "CRE", "id": "614-353", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that backups are stored securely to prevent data from being stolen or corrupted.", "sectionID": "V8.1.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/19.html", "name": "CWE", "section": "", "sectionID": "19"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "163-776", "name": "Backup"}, "ltype": "Is Part Of"}], "name": "Store backups securely"}, {"doctype": "CRE", "id": "336-512", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that the application has protection from subdomain takeovers if the application relies upon DNS entries or DNS subdomains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage buckets (*autogen-bucket-id*.cloud.example.com) or similar. 
Protections can include ensuring that DNS names used by applications are regularly checked for expiry or change.", "sectionID": "V10.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/350.html", "name": "CWE", "section": "", "sectionID": "350"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CONF-10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Production and Non-Production Environments", "sectionID": "IVS-05"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Networks security", "sectionID": "8.20"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/142.html", "name": "CAPEC", "section": "DNS Cache Poisoning", "sectionID": "142", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/275.html", "name": "CAPEC", "section": "DNS Rebinding", "sectionID": "275", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/89.html", "name": "CAPEC", "section": "Pharming", 
"sectionID": "89", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "467-784", "name": "Network security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "058-527", "name": "Secure name/address resolution service"}, "ltype": "Related"}], "name": "Ensure integrity of DNS entries and domains", "tags": ["Secure name/address resolution service"]}, {"doctype": "CRE", "id": "068-102", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify definition and security analysis of the application's high-level architecture and all connected remote services.", "sectionID": "V1.1.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c1-security-requirements.html", "name": "OWASP Proactive Controls", "section": "C1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1059.html", "name": "CWE", "section": "", "sectionID": "1059"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-31", "name": "NIST 800-53 v5", "section": "SC-31 Covert Channel Analysis"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Threat Modeling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Attack Surface Analysis Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/design/threat-assessment/stream-b", "name": "SAMM", "section": "Threat modeling", "sectionID": "D-TA-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Use forms of risk modeling \u2013 such as threat modeling, attack modeling, or attack surface mapping \u2013 to help assess the security risk for the software.", "sectionID": "PW.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "326-704", "name": "Architecture/design processes", "tags": ["Architecture"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "307-242", "name": "Security risk assessment"}, "ltype": "Related"}], "name": "Describe high-level system architecture and perform threat modeling on it every critical change and regularly"}, {"doctype": "CRE", "id": "673-475", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.", "sectionID": "V1.14.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/477.html", "name": "CWE", "section": "", "sectionID": "477"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Is Part Of"}], "name": "Disallow unsupported/deprecated client-side technologies"}, {"doctype": "CRE", "id": "821-541", "links": [{"document": {"doctype": "CRE", "id": "148-420", "name": "Log integrity"}, "ltype": "Is Part Of"}, 
{"document": {"doctype": "CRE", "id": "048-612", "name": "Encode user input before logging", "tags": ["Injection protection"]}, "ltype": "Contains"}], "name": "Log injection protection"}, {"doctype": "CRE", "id": "843-841", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/", "name": "OWASP Top 10 2021", "section": "Logging and Monitoring Failures", "sectionID": "A09"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "067-050", "name": "Do not log credentials or payment details"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "240-274", "name": "Log only non-sensitive data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "015-063", "name": "Log access to sensitive data"}, "ltype": "Related"}], "name": "Log discretely"}, {"doctype": "CRE", "id": "163-776", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information backup", "sectionID": "8.13"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "240-464", "name": "Contingency planning"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "257-117", "name": "Perform regular backups of important data and test restoration"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "614-353", "name": "Store backups securely"}, "ltype": "Contains"}], "name": "Backup"}, {"doctype": "CRE", "id": "745-045", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md", "name": "ASVS", "section": "Verify that TLS is used for all client connectivity, and does not fall back to insecure or unencrypted communications.", "sectionID": "V9.1.1"}, "ltype": "Linked 
To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html", "name": "OWASP Proactive Controls", "section": "C8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/319.html", "name": "CWE", "section": "", "sectionID": "319"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTTP Strict Transport Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/117.html", "name": "CAPEC", "section": "Interception", "sectionID": "117", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/477.html", "name": "CAPEC", "section": "Signature Spoofing by Mixing Signed and Unsigned Content", "sectionID": "477", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/65.html", "name": "CAPEC", "section": "Sniff Application Code", "sectionID": "65", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Do not fall back to insecure protocols in TCP"}, {"doctype": "CRE", "id": "148-853", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Identify and document all security requirements for the organization\u2019s software development infrastructures and processes, and maintain the requirements over time.", "sectionID": "PO.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.", "sectionID": "PO.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Follow recommended security practices to deploy, operate, and maintain tools and toolchains.", "sectionID": "PO.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Separate and protect each environment involved in software development.", "sectionID": "PO.5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Secure and harden development endpoints (i.e., endpoints for 
software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.", "sectionID": "PO.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "261-010", "name": "Program management for secure software development"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "862-452", "name": "Operating processes for security"}, "ltype": "Related"}], "name": "Setup and maintain a secure software development process"}, {"doctype": "CRE", "id": "123-124", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-6", "name": "NIST 800-53 v5", "section": "AC-6 LEAST PRIVILEGE"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "540-566", "name": "Let application request minimal permissions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "817-808", "name": "Deny new users by default"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "368-633", "name": "Enforce least privilege"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "152-725", "name": "Limit access to admin/management functionality"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "524-603", "name": "Limit modification of access controls to specifically authorized actors/users"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "330-281", "name": "Use least privilege OS accounts for system (components)"}, "ltype": "Contains"}], "name": "Minimize permissions"}, {"doctype": "CRE", "id": "708-355", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-14", "name": "NIST 800-53 v5", "section": "SI-14 Non-persistence"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-22", "name": "NIST 800-53 v5", "section": "SI-22 Information Diversity"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-23", "name": "NIST 800-53 v5", "section": "SI-23 Information Fragmentation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-3", "name": "NIST 800-53 v5", "section": "SC-3 Security Function Isolation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-32", "name": "NIST 800-53 v5", "section": "SC-32 System Partitioning"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-39", "name": "NIST 800-53 v5", "section": "SC-39 Process Isolation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-44", "name": "NIST 800-53 v5", "section": "SC-44 Detonation Chambers"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "326-704", "name": "Architecture/design processes", "tags": ["Architecture"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "344-611", "name": "Use centralized reusable 
security controls", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}], "name": "Secure implemented architecture", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "560-224", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-2", "name": "NIST 800-53 v5", "section": "SA-2 Allocation of Resources"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Capacity management", "sectionID": "8.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-3", "name": "NIST 800-53 v5", "section": "PM-3 Information Security and Privacy Resources"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Capacity and Resource Planning", "sectionID": "IVS-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-1", "name": "NIST 800-53 v5", "section": "PL-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-10", "name": "NIST 800-53 v5", "section": "PL-10 Baseline Selection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-11", "name": "NIST 800-53 v5", "section": "PL-11 Baseline Tailoring"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-4", "name": "NIST 800-53 v5", "section": "PL-4 Rules of Behavior"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "563-088", "name": "Security organizing processes"}, "ltype": "Is Part Of"}], "name": "Planning and resource management"}, {"doctype": "CRE", "id": "400-007", "links": [{"document": {"doctype": "CRE", "id": "126-668", "name": "Secure data storage"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "504-340", "name": "Encrypt sensitive data with algorithms that provide both confidentiality and integrity"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "275-483", "name": "Securely store regulated data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "232-325", "name": "Treat client-secrets as insecure"}, "ltype": "Contains"}], "name": "Encrypt data at rest", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "833-030", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-15", "name": "NIST 800-53 v5", "section": "PM-15 Security and Privacy Groups and Associations"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Contact with special interest groups", "sectionID": "5.6"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "571-271", "name": "Program management"}, "ltype": "Is Part Of"}], "name": "Connect with the community"}, {"doctype": "CRE", "id": "060-472", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", 
"section": "Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality.", "sectionID": "V4.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/352.html", "name": "CWE", "section": "", "sectionID": "352"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-05"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Insecure Direct Object Reference Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authorization Testing Automation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java", "name": "ZAP Rule", "section": "Absence of Anti-CSRF Tokens", "sectionID": "10202", "tags": ["10202", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", 
"hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRule.java", "name": "ZAP Rule", "section": "Anti-CSRF Tokens Check", "sectionID": "20012", "tags": ["Active", "20012"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/111.html", "name": "CAPEC", "section": "JSON Hijacking (aka JavaScript Hijacking)", "sectionID": "111", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/462.html", "name": "CAPEC", "section": "Cross-Domain Search Timing", "sectionID": "462", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/467.html", "name": "CAPEC", "section": "Cross Site Identification", "sectionID": "467", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "CSRF protection"}, "ltype": "Related"}], "name": "Use CSRF protection against authenticated functionality, add anti-automation controls for unauthenticated functionality", "tags": ["CSRF protection"]}, {"doctype": "CRE", "id": "046-257", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.", "sectionID": "V8.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/922.html", "name": "CWE", "section": "", "sectionID": "922"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-12"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "208-830", "name": "Manage temporary storage"}, "ltype": "Is Part Of"}], "name": "Clear authentication data from client storage"}, {"doctype": "CRE", "id": "428-544", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AT-1", "name": "NIST 800-53 v5", "section": "AT-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AT-2", "name": "NIST 800-53 v5", "section": "AT-2 Literacy Training and Awareness"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security awareness, education and training", "sectionID": "6.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AT-3", "name": "NIST 800-53 v5", "section": "AT-3 Role-based Training"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AT-4", "name": "NIST 800-53 v5", "section": "AT-4 Training Records"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AT-6", "name": 
"NIST 800-53 v5", "section": "AT-6 Training Feedback"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "244-750", "name": "Technical application security training"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "427-113", "name": "Security governance regarding people"}, "ltype": "Is Part Of"}], "name": "Security awareness training"}, {"doctype": "CRE", "id": "440-361", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify physical single-factor OTP generator can be revoked in case of theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location.", "sectionID": "V2.8.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/613.html", "name": "CWE", "section": "", "sectionID": "613"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Ensure that physical single factor OTP generator can be revoked fully immediately when lost"}, {"doctype": "CRE", "id": "304-667", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", "section": "Verify that sensitive data and APIs are protected against Insecure Direct Object Reference (IDOR) attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records.", "sectionID": "V4.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/639.html", "name": "CWE", "section": "", "sectionID": "639"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHZ-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Insecure Direct Object Reference Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authorization Testing Automation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}], "name": "Protect API against unauthorized access/modification (IDOR)"}, {"doctype": "CRE", "id": "028-254", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that if the application has a client or server auto-update feature, updates should be obtained over secure channels and digitally signed. 
The update code must validate the digital signature of the update before installing or executing the update.", "sectionID": "V10.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/16.html", "name": "CWE", "section": "", "sectionID": "16"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that only POST is accepted where POST is expected.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java", "name": "ZAP Rule", "section": "GET for POST", "sectionID": "10058", "tags": ["Active", "10058"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. 
is configured to set the Permissions-Policy header instead of the Feature-Policy header.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java", "name": "ZAP Rule", "section": "Deprecated Feature Policy Header Set", "sectionID": "10063-2", "tags": ["10063-2", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}], "name": "Secure auto-updates over full stack"}, {"doctype": "CRE", "id": "145-310", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application sanitizes, disables, or sandboxes user-supplied Scalable Vector Graphics (SVG) scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject.", "sectionID": "V5.2.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/159.html", "name": "CWE", "section": "", "sectionID": "159"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS 
Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Sanitize, disable, or sandbox untrusted SVG scriptable content"}, {"doctype": "CRE", "id": "240-464", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Business Continuity Management and Operational Resilience", "sectionID": "BCR"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Redundancy of information processing facilities", "sectionID": "8.14"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-1", "name": "NIST 800-53 v5", "section": "CP-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security during disruption", "sectionID": "5.29"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-10", "name": "NIST 800-53 v5", "section": "CP-10 System Recovery and Reconstitution"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "ICT readiness for business continuity", "sectionID": "5.30"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-11", "name": "NIST 800-53 v5", "section": "CP-11 Alternate Communications 
Protocols"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-12", "name": "NIST 800-53 v5", "section": "CP-12 Safe Mode"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-13", "name": "NIST 800-53 v5", "section": "CP-13 Alternative Security Mechanisms"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-2", "name": "NIST 800-53 v5", "section": "CP-2 Contingency Plan"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-3", "name": "NIST 800-53 v5", "section": "CP-3 Contingency Training"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-4", "name": "NIST 800-53 v5", "section": "CP-4 Contingency Plan Testing"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-6", "name": "NIST 800-53 v5", "section": "CP-6 Alternate Storage Site"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-7", "name": "NIST 800-53 v5", "section": "CP-7 Alternate Processing Site"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-8", "name": "NIST 800-53 v5", "section": "CP-8 Telecommunications Services"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CP-9", "name": "NIST 800-53 v5", "section": "CP-9 System Backup"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-13", "name": "NIST 800-53 v5", "section": "SI-13 Predictable Failure Prevention"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "766-162", "name": "Security Analysis and documentation"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "163-776", "name": "Backup"}, "ltype": "Related"}], "name": "Contingency planning"}, {"doctype": "CRE", "id": "366-835", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS.", "sectionID": "V5.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html", "name": "OWASP Proactive Controls", "section": "C4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/79.html", "name": "CWE", "section": "", "sectionID": "79"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "N/A", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssPrimeScanRule.java", "name": "ZAP Rule", "section": "Cross Site Scripting (Persistent) - Prime", "sectionID": "40016", "tags": ["Active", "40016"], 
"tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/domxss/src/main/java/org/zaproxy/zap/extension/domxss/DomXssScanRule.java", "name": "ZAP Rule", "section": "Cross Site Scripting (DOM Based)", "sectionID": "40026", "tags": ["Active", "40026"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CrossSiteScriptingScanRule.java", "name": "ZAP Rule", "section": "Cross Site Scripting (Reflected)", "sectionID": "40012", "tags": ["Active", "40012"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "N/A", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssSpiderScanRule.java", "name": "ZAP Rule", "section": "Cross Site Scripting (Persistent) - Spider", "sectionID": "40017", "tags": ["Active", "40017"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/OutOfBandXssScanRule.java", "name": "ZAP Rule", "section": "Out of Band XSS", "sectionID": "40031", "tags": ["Active", "40031"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PersistentXssScanRule.java", "name": "ZAP Rule", "section": "Cross Site Scripting (Persistent)", "sectionID": "40014", "tags": ["Active", "40014"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/209.html", "name": 
"CAPEC", "section": "XSS Using MIME Type Mismatch", "sectionID": "209", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/588.html", "name": "CAPEC", "section": "DOM-Based XSS", "sectionID": "588", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/591.html", "name": "CAPEC", "section": "Reflected XSS", "sectionID": "591", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/592.html", "name": "CAPEC", "section": "Stored XSS", "sectionID": "592", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/63.html", "name": "CAPEC", "section": "Cross-Site Scripting (XSS)", "sectionID": "63", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Escape output against XSS"}, {"doctype": "CRE", "id": "670-660", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that all high-value business logic flows, including authentication, session management and access control, do not share unsynchronized state.", "sectionID": "V1.11.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/362.html", "name": "CWE", "section": "", "sectionID": "362"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/26.html", "name": "CAPEC", "section": "Leveraging Race Conditions", "sectionID": "26", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/29.html", "name": "CAPEC", "section": "Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions", "sectionID": "29", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "601-182", "name": "Parallel execution robustness"}, "ltype": "Is Part Of"}], "name": "Do not share unsynchronized state on high-value logic flows"}, {"doctype": "CRE", "id": "887-750", "links": [{"document": {"doctype": "CRE", "id": "862-452", "name": "Operating processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "463-577", "name": "Incident response"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "058-083", "name": "Monitoring"}, "ltype": "Contains"}], "name": "Detect and respond"}, {"doctype": "CRE", "id": "504-340", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity.", "sectionID": "V8.3.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html", "name": "OWASP Proactive Controls", "section": "C8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/327.html", "name": "CWE", "section": 
"", "sectionID": "327"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/459.html", "name": "CAPEC", "section": "Creating a Rogue Certification Authority Certificate", "sectionID": "459", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/473.html", "name": "CAPEC", "section": "Signature Spoof", "sectionID": "473", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/475.html", "name": "CAPEC", "section": "Signature Spoofing by Improper Validation", "sectionID": "475", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/608.html", "name": "CAPEC", "section": "Cryptanalysis of Cellular Encryption", "sectionID": "608", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/614.html", "name": "CAPEC", "section": "Rooting SIM Cards", "sectionID": "614", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/97.html", "name": "CAPEC", "section": "Cryptanalysis", "sectionID": "97", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "400-007", "name": "Encrypt data at rest", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Encrypt sensitive data with algorithms that provide both confidentiality and integrity"}, {"doctype": "CRE", "id": "765-788", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": 
"ASVS", "section": "Verify that all sensitive data is identified and classified into protection levels.", "sectionID": "V1.8.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "User Privacy Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Classification of information", "sectionID": "5.12"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "074-873", "name": "Data classification and handling"}, "ltype": "Is Part Of"}], "name": "Classify sensitive data in protection levels"}, {"doctype": "CRE", "id": "715-223", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that third party components come from pre-defined, trusted and continually maintained repositories.", "sectionID": "V14.2.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html", "name": "OWASP Proactive Controls", "section": "C2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/829.html", "name": "CWE", "section": "", "sectionID": "829"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Vulnerable Dependency Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Please upgrade to the latest version of ExampleLibrary.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java", "name": "ZAP Rule", "section": "Vulnerable JS Library", "sectionID": "10003", "tags": ["Passive", "10003"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainScriptInclusionScanRule.java", "name": "ZAP Rule", "section": "Cross-Domain JavaScript Source File Inclusion", "sectionID": "10017", "tags": ["10017", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/175.html", "name": "CAPEC", "section": "Code Inclusion", "sectionID": "175", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/201.html", "name": "CAPEC", "section": "Serialized Data External Linking", "sectionID": "201", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/228.html", "name": "CAPEC", "section": "DTD Injection", "sectionID": "228", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/251.html", "name": "CAPEC", "section": "Local Code Inclusion", "sectionID": "251", "version": "3.9"}, 
"ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/252.html", "name": "CAPEC", "section": "PHP Local File Inclusion", "sectionID": "252", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/253.html", "name": "CAPEC", "section": "Remote Code Inclusion", "sectionID": "253", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/263.html", "name": "CAPEC", "section": "Force Use of Corrupted Files", "sectionID": "263", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/538.html", "name": "CAPEC", "section": "Open-Source Library Manipulation", "sectionID": "538", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/549.html", "name": "CAPEC", "section": "Local Execution of Code", "sectionID": "549", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/640.html", "name": "CAPEC", "section": "Inclusion of Code in Existing Process", "sectionID": "640", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/660.html", "name": "CAPEC", "section": "Root/Jailbreak Detection Evasion via Hooking", "sectionID": "660", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/695.html", "name": "CAPEC", "section": "Repo Jacking", "sectionID": "695", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/698.html", "name": "CAPEC", "section": "Install Malicious Extension", "sectionID": "698", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "CRE", "id": "613-287", "name": "Dependency integrity"}, "ltype": "Is Part Of"}], "name": "Ensure trusted origin of third party resources"}, {"doctype": "CRE", "id": "052-821", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that Credential Service Providers (CSPs) inform Relying Parties (RPs) of the last authentication event, to allow RPs to determine if they need to re-authenticate the user.", "sectionID": "V3.6.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/613.html", "name": "CWE", "section": "", "sectionID": "613"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "258-115", "name": "Re-authentication from federation or assertion"}, "ltype": "Is Part Of"}], "name": "When using an authentication third party (CSP), relay last authentication event to other parties in the chain"}, {"doctype": "CRE", "id": "630-573", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md", "name": "ASVS", "section": "Verify that the application has anti-automation controls to protect against excessive calls such as mass data exfiltration, business logic requests, file uploads or denial of service attacks.", "sectionID": "V11.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/770.html", "name": "CWE", "section": "", "sectionID": "770"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": 
"WSTG-BUSL-$$"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/125.html", "name": "CAPEC", "section": "Flooding", "sectionID": "125", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/130.html", "name": "CAPEC", "section": "Excessive Allocation", "sectionID": "130", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/147.html", "name": "CAPEC", "section": "XML Ping of the Death", "sectionID": "147", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/197.html", "name": "CAPEC", "section": "Exponential Data Expansion", "sectionID": "197", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/229.html", "name": "CAPEC", "section": "Serialized Data Parameter Blowup", "sectionID": "229", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", "sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/469.html", "name": "CAPEC", "section": "HTTP DoS", "sectionID": "469", "version": "3.9"}, "ltype": "SAME"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/482.html", "name": "CAPEC", "section": "TCP Flood", "sectionID": "482", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/486.html", "name": "CAPEC", "section": "UDP Flood", "sectionID": "486", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/487.html", "name": "CAPEC", "section": "ICMP Flood", "sectionID": "487", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/488.html", "name": "CAPEC", "section": "HTTP Flood", "sectionID": "488", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/489.html", "name": "CAPEC", "section": "SSL Flood", "sectionID": "489", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/490.html", "name": "CAPEC", "section": "Amplification", "sectionID": "490", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/491.html", "name": "CAPEC", "section": "Quadratic Data Expansion", "sectionID": "491", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/493.html", "name": "CAPEC", "section": "SOAP Array Blowup", "sectionID": "493", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/494.html", "name": "CAPEC", "section": "TCP Fragmentation", "sectionID": "494", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/495.html", "name": "CAPEC", "section": "UDP Fragmentation", "sectionID": 
"495", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/496.html", "name": "CAPEC", "section": "ICMP Fragmentation", "sectionID": "496", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/528.html", "name": "CAPEC", "section": "XML Flood", "sectionID": "528", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=CAPTCHA%20Bypass", "name": "OWASP Juice Shop", "section": "CAPTCHA Bypass", "sectionID": "captchaBypassChallenge", "tags": ["Broken Anti Automation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Extra%20Language", "name": "OWASP Juice Shop", "section": "Extra Language", "sectionID": "extraLanguageChallenge", "tags": ["Broken Anti Automation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Multiple%20Likes", "name": "OWASP Juice Shop", "section": "Multiple Likes", "sectionID": "timingAttackChallenge", "tags": ["Broken Anti Automation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Reset%20Morty%27s%20Password", "name": "OWASP Juice Shop", "section": "Reset Morty's Password", "sectionID": "resetPasswordMortyChallenge", "tags": ["Broken Anti Automation"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "118-110", "name": "API/web services"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}], "name": "Detect and protect against automation abuse", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": 
"443-447", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations.", "sectionID": "V7.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/285.html", "name": "CWE", "section": "", "sectionID": "285"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": "Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", 
"name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/402.html", "name": "CAPEC", "section": "Bypassing ATA Password Security", "sectionID": "402", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/51.html", "name": "CAPEC", "section": "Poison Web Service Registry", "sectionID": "51", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/647.html", "name": "CAPEC", "section": "Collect Data from Registries", "sectionID": "647", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/668.html", "name": "CAPEC", "section": "Key Negotiation of Bluetooth Attack (KNOB)", "sectionID": "668", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/87.html", "name": "CAPEC", "section": "Forceful Browsing", "sectionID": "87", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "402-706", "name": "Log relevant"}, "ltype": "Is Part Of"}], "name": "Log access control decisions"}, {"doctype": "CRE", "id": "764-765", "links": [{"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-765", "name": "XSS protection", "tags": ["Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "657-084", "name": "(SSRF) When depending on internal server input, use validation sanitization and whitelisting", "tags": ["SSRF protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "317-743", "name": "Do not use eval or dynamic code execution functions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "538-446", "name": "Sanitize unstructured data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "542-445", "name": "Sanitize untrusted HTML input"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "881-434", "name": "Sanitize user input before passing content to mail systems (SMTP/IMAP injection)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "646-462", "name": "Sanitize, disable, or sandbox untrusted scriptable or template language content"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "145-310", "name": "Sanitize, disable, or sandbox untrusted SVG scriptable content"}, "ltype": "Contains"}, 
{"document": {"doctype": "CRE", "id": "422-005", "name": "Sanitize/sandbox user input where template-injection is a threat"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "268-088", "name": "Limit query impact GraphQL/data layer expression DoS", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}], "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, {"doctype": "CRE", "id": "636-347", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-secure-headers/#div-bestpractices", "name": "OWASP Secure Headers Project", "section": "configuration"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "233-748", "name": "Configuration hardening", "tags": ["Configuration"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "110-531", "name": "Cookie-config"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "257-668", "name": "Configure CSP configuration properly", "tags": ["XSS protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "036-147", "name": "Configure HSTS configuration properly"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "268-100", "name": "Configure Referrer-Policy properly"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "065-388", "name": "Configure X-Content-Type-Options properly"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "480-071", "name": "Prevent Click jacking through X-Frame-Options or CSP"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "036-725", "name": "Set content HTTP response type"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "736-237", "name": "Set metadata/content-Disposition for API responses"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "473-758", "name": "Set sufficient anti-caching headers"}, "ltype": "Related"}], "name": "HTTP security headers"}, {"doctype": "CRE", "id": "558-807", "links": 
[{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that where a Credential Service Provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints.", "sectionID": "V2.2.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/319.html", "name": "CWE", "section": "", "sectionID": "319"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authentication Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.2.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/117.html", "name": "CAPEC", "section": "Interception", "sectionID": "117", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", 
"version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/477.html", "name": "CAPEC", "section": "Signature Spoofing by Mixing Signed and Unsigned Content", "sectionID": "477", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/65.html", "name": "CAPEC", "section": "Sniff Application Code", "sectionID": "65", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": ["Cryptography"]}, "ltype": "Related"}], "name": "Mutually authenticate application and credential service provider"}, {"doctype": "CRE", "id": "010-678", "links": [{"document": {"doctype": "CRE", "id": "862-452", "name": "Operating processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "112-648", "name": "Change management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "732-148", "name": "Vulnerability management"}, "ltype": "Contains"}], "name": "Improvement management"}, {"doctype": "CRE", "id": "422-005", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed.", "sectionID": "V5.2.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/94.html", "name": "CWE", "section": "", "sectionID": "94"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-18"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Instead of inserting the user input in the template, use it as rendering argument.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiScanRule.java", "name": "ZAP Rule", "section": "Server Side Template Injection", "sectionID": "90035", "tags": ["Active", "90035"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. 
See also: https://elmah.github.io/a/securing-error-log-pages/", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ElmahScanRule.java", "name": "ZAP Rule", "section": "ELMAH Information Leak", "sectionID": "40028", "tags": ["Active", "40028"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java", "name": "ZAP Rule", "section": "Server Side Code Injection - ASP Code Injection", "sectionID": "90019-2", "tags": ["Active", "90019-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CodeInjectionScanRule.java", "name": "ZAP Rule", "section": "Server Side Code Injection - PHP Code Injection", "sectionID": "90019-1", "tags": ["Active", "90019-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure the .htaccess file is not accessible.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HtAccessScanRule.java", "name": "ZAP Rule", "section": ".htaccess Information Leak", "sectionID": "40032", "tags": ["Active", "40032"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/242.html", "name": "CAPEC", "section": "Code Injection", "sectionID": "242", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/35.html", "name": "CAPEC", "section": "Leverage Executable Code in Non-Executable Files", "sectionID": "35", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Sanitize/sandbox user input where template-injection is a threat"}, {"doctype": "CRE", "id": "688-081", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that cookie-based session tokens have the 'Secure' attribute set.", "sectionID": "V3.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/614.html", "name": "CWE", "section": "", "sectionID": "614"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", 
"section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1.1"}, "ltype": "Linked To"}, {"document": {"description": "Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRule.java", "name": "ZAP Rule", "section": "Cookie Without Secure Flag", "sectionID": "10011", "tags": ["Passive", "10011"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "110-531", "name": "Cookie-config"}, "ltype": "Is Part Of"}], "name": "Set \"secure\" attribute for cookie-based session tokens"}, {"doctype": "CRE", "id": "002-630", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify the application generates a new session token on user authentication.", "sectionID": "V3.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/384.html", "name": "CWE", "section": "", "sectionID": "384"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-23", "name": "NIST 800-53 v5", "section": "SC-23(3)"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java", "name": "ZAP Rule", "section": "Session Fixation", "sectionID": "40013", "tags": ["Active", "40013"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/196.html", "name": "CAPEC", "section": "Session Credential Falsification through Forging", "sectionID": "196", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/21.html", "name": "CAPEC", "section": "Exploitation of Trusted Identifiers", "sectionID": "21", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", 
"name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/61.html", "name": "CAPEC", "section": "Session Fixation", "sectionID": "61", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "716-526", "name": "Session token generation"}, "ltype": "Is Part Of"}], "name": "Generate a new session token after authentication"}, {"doctype": "CRE", "id": "340-375", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets.", "sectionID": "V6.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html", "name": "OWASP Proactive Controls", "section": "C8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/798.html", "name": "CWE", "section": "", "sectionID": "798"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked 
To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/191.html", "name": "CAPEC", "section": "Read Sensitive Constants Within an Executable", "sectionID": "191", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use a dedicated secrets management solution"}, {"doctype": "CRE", "id": "234-282", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Physical security perimeters", "sectionID": "7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-1", "name": "NIST 800-53 v5", "section": "PE-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Clear desk and clear screen", "sectionID": "7.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-10", "name": "NIST 800-53 v5", "section": "PE-10 Emergency Shutoff"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-11", "name": "NIST 800-53 v5", "section": "PE-11 Emergency Power"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Supporting utilities", "sectionID": "7.11"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-12", "name": "NIST 800-53 v5", "section": "PE-12 Emergency Lighting"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-13", "name": "NIST 800-53 v5", "section": "PE-13 Fire Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Protecting against physical and environmental threats", "sectionID": "7.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-14", "name": "NIST 800-53 v5", "section": "PE-14 Environmental Controls"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-15", "name": "NIST 800-53 v5", "section": "PE-15 Water Damage Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-16", "name": "NIST 800-53 v5", "section": "PE-16 Delivery and Removal"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-17", "name": "NIST 800-53 v5", "section": "PE-17 Alternate Work Site"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Working in secure areas", "sectionID": "7.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-18", "name": "NIST 800-53 v5", "section": "PE-18 Location of System Components"}, "ltype": "Linked To"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-19", "name": "NIST 800-53 v5", "section": "PE-19 Information Leakage"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-2", "name": "NIST 800-53 v5", "section": "PE-2 Physical Access Authorizations"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Physical entry", "sectionID": "7.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-20", "name": "NIST 800-53 v5", "section": "PE-20 Asset Monitoring and Tracking"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-21", "name": "NIST 800-53 v5", "section": "PE-21 Electromagnetic Pulse Protection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-22", "name": "NIST 800-53 v5", "section": "PE-22 Component Marking"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-23", "name": "NIST 800-53 v5", "section": "PE-23 Facility Location"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-3", "name": "NIST 800-53 v5", "section": "PE-3 Physical Access Control"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Securing offices, rooms and facilities", 
"sectionID": "7.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-4", "name": "NIST 800-53 v5", "section": "PE-4 Access Control for Transmission"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-5", "name": "NIST 800-53 v5", "section": "PE-5 Access Control for Output Devices"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-6", "name": "NIST 800-53 v5", "section": "PE-6 Monitoring Physical Access"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Physical security monitoring", "sectionID": "7.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-8", "name": "NIST 800-53 v5", "section": "PE-8 Visitor Access Records"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PE-9", "name": "NIST 800-53 v5", "section": "PE-9 Power Equipment and Cabling"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Cabling security", "sectionID": "7.12"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Is Part Of"}], "name": "Physical & environment protection"}, {"doctype": "CRE", "id": "820-878", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify documentation and justification of all the 
application's trust boundaries, components, and significant data flows.", "sectionID": "V1.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1059.html", "name": "CWE", "section": "", "sectionID": "1059"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Threat Modeling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Attack Surface Analysis Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "820-877", "name": "Technical system documentation"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}], "name": "Document all trust boundaries and significant data flows", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "762-616", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering.", "sectionID": "V5.5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html", "name": "OWASP Proactive Controls", "section": "C5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cwe.mitre.org/data/definitions/502.html", "name": "CWE", "section": "", "sectionID": "502"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Deserialization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Deserialization of untrusted data is inherently dangerous and should be avoided.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java", "name": "ZAP Rule", "section": "Java Serialization Object", "sectionID": "90002", "tags": ["90002", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/586.html", "name": "CAPEC", "section": "Object Injection", "sectionID": "586", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "836-068", "name": "Deserialization Prevention"}, "ltype": "Is Part Of"}], "name": "Secure serialized objects (e.g. 
integrity checks)"}, {"doctype": "CRE", "id": "314-701", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should be blocked unless required.", "sectionID": "V12.5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/552.html", "name": "CWE", "section": "", "sectionID": "552"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-08"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/150.html", "name": "CAPEC", "section": "Collect Data from Common Resource Locations", "sectionID": "150", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/639.html", "name": "CAPEC", "section": "Probe System Files", "sectionID": "639", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "040-843", "name": "File download"}, "ltype": "Is Part Of"}], "name": "Whitelist file extensions served by web tier"}, {"doctype": "CRE", "id": "451-082", "links": [{"document": {"doctype": "CRE", "id": "130-550", "name": "File handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "683-722", "name": "Block direct execution of file metadata from untrusted origin"}, "ltype": 
"Contains"}, {"document": {"doctype": "CRE", "id": "737-086", "name": "Ignore/at least validate filename metadata from untrusted origin (local file context, eg LFI)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "742-056", "name": "Ignore/at least validate filename metadata from untrusted origin (remote file context, eg RFI)", "tags": ["SSRF protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "421-513", "name": "Ignore/at least validate filenames from untrusted origin (against RFD)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "777-470", "name": "Ignore/block execution logic from untrusted sources"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "675-168", "name": "Sanitize filename metadata from untrusted origin if processing is required"}, "ltype": "Contains"}], "name": "File execution"}, {"doctype": "CRE", "id": "820-877", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-5", "name": "NIST 800-53 v5", "section": "SA-5 System Documentation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Track and maintain the software\u2019s security requirements, risks, and design decisions.", "sectionID": "PW.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-7", "name": "NIST 800-53 v5", "section": "PL-7 CONCEPT OF OPERATIONS"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "820-878", "name": "Document all trust boundaries and significant data flows", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "287-305", "name": "Document explicit key/secret 
management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "162-655", "name": "Documentation of all components' business or security function"}, "ltype": "Contains"}], "name": "Technical system documentation"}, {"doctype": "CRE", "id": "124-564", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Configuration management", "sectionID": "8.9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-1", "name": "NIST 800-53 v5", "section": "CM-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-10", "name": "NIST 800-53 v5", "section": "CM-10 Software Usage Restrictions"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-11", "name": "NIST 800-53 v5", "section": "CM-11 User-installed Software"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-12", "name": "NIST 800-53 v5", "section": "CM-12 Information Location"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-13", "name": "NIST 800-53 v5", "section": "CM-13 Data Action Mapping"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-14", "name": "NIST 800-53 v5", "section": "CM-14 Signed Components"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-3", "name": "NIST 800-53 v5", "section": "CM-3 Configuration Change Control"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-4", "name": "NIST 800-53 v5", "section": "CM-4 Impact Analyses"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-5", "name": "NIST 800-53 v5", "section": "CM-5 Access Restrictions for Change"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-7", "name": "NIST 800-53 v5", "section": "CM-7 Least Functionality"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-8", "name": "NIST 800-53 v5", "section": "CM-8 System Component Inventory"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-9", "name": "NIST 800-53 v5", "section": "CM-9 Configuration Management Plan"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "080-466", "name": "Developer Configuration Management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "112-648", "name": "Change management"}, "ltype": "Related"}], "name": "Configuration Management", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "462-245", "links": 
[{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that all unneeded features, documentation, sample applications and configurations are removed.", "sectionID": "V14.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1002.html", "name": "CWE", "section": "", "sectionID": "1002"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CONF-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Vulnerable Dependency Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}], "name": "Remove unnecessary elements from external components (e.g. 
features, documentation, configuration)", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "176-154", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application.", "sectionID": "V8.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/770.html", "name": "CWE", "section": "", "sectionID": "770"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/125.html", "name": "CAPEC", "section": "Flooding", "sectionID": "125", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/130.html", "name": "CAPEC", "section": "Excessive Allocation", "sectionID": "130", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/147.html", "name": "CAPEC", "section": "XML Ping of the Death", "sectionID": "147", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/197.html", "name": "CAPEC", "section": "Exponential Data Expansion", "sectionID": "197", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/229.html", "name": "CAPEC", "section": "Serialized Data Parameter Blowup", "sectionID": "229", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", "sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/469.html", "name": "CAPEC", "section": "HTTP DoS", "sectionID": "469", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/482.html", "name": "CAPEC", "section": "TCP Flood", "sectionID": "482", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/486.html", "name": "CAPEC", "section": "UDP Flood", "sectionID": "486", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/487.html", "name": "CAPEC", "section": "ICMP Flood", "sectionID": "487", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/488.html", "name": "CAPEC", "section": "HTTP Flood", "sectionID": "488", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/489.html", "name": "CAPEC", "section": "SSL Flood", "sectionID": "489", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/490.html", "name": "CAPEC", "section": "Amplification", "sectionID": "490", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/491.html", "name": "CAPEC", "section": "Quadratic Data Expansion", "sectionID": "491", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/493.html", "name": "CAPEC", "section": "SOAP Array Blowup", "sectionID": "493", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/494.html", "name": "CAPEC", "section": "TCP Fragmentation", "sectionID": "494", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/495.html", "name": "CAPEC", "section": "UDP Fragmentation", "sectionID": "495", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/496.html", "name": "CAPEC", "section": "ICMP Fragmentation", "sectionID": "496", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/528.html", "name": "CAPEC", "section": "XML Flood", "sectionID": "528", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "058-083", "name": "Monitoring"}, "ltype": "Related"}], "name": "Monitor expectation of usage intensity (e.g. 
number of requests)", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "581-525", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as time-based OTP (TOTP) or other soft token, mobile push, or another offline recovery mechanism.", "sectionID": "V2.5.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/640.html", "name": "CWE", "section": "", "sectionID": "640"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-09"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/50.html", "name": "CAPEC", "section": 
"Password Recovery Exploitation", "sectionID": "50", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "520-617", "name": "Credential recovery"}, "ltype": "Is Part Of"}], "name": "Use secure recovery mechanisms for forgotten passwords"}, {"doctype": "CRE", "id": "473-758", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers.", "sectionID": "V8.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/525.html", "name": "CWE", "section": "", "sectionID": "525"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-06"}, "ltype": "Linked To"}, {"document": {"description": "For secure content, ensure the cache-control HTTP header is set with 'no-cache, no-store, must-revalidate'. 
If an asset should be cached consider setting the directives 'public, max-age, immutable'.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CacheControlScanRule.java", "name": "ZAP Rule", "section": "Re-examine Cache-control Directives", "sectionID": "10015", "tags": ["Passive", "10015"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/37.html", "name": "CAPEC", "section": "Retrieve Embedded Sensitive Data", "sectionID": "37", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "208-830", "name": "Manage temporary storage"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Related"}], "name": "Set sufficient anti-caching headers"}, {"doctype": "CRE", "id": "782-234", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance.", "sectionID": "V1.5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1029.html", "name": "CWE", "section": "", "sectionID": "1029"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Deserialization Cheat Sheet"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "name": "ISO 27001", "section": "Legal, statutory, regulatory and contractual requirements", "sectionID": "5.31"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "004-517", "name": "Security requirements"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Related"}], "name": "Clear policy compliant I/O requirements"}, {"doctype": "CRE", "id": "380-540", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions.", "sectionID": "V1.11.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/367.html", "name": "CWE", "section": "", "sectionID": "367"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/27.html", "name": "CAPEC", "section": "Leveraging Race Conditions via Symbolic Links", "sectionID": "27", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/29.html", "name": "CAPEC", "section": "Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions", "sectionID": "29", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "601-182", "name": "Parallel execution robustness"}, "ltype": "Is Part Of"}], "name": "Ensure business flows' thread safety/resistance to race conditions"}, {"doctype": "CRE", "id": "402-706", "links": 
[{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-2", "name": "NIST 800-53 v5", "section": "AU-2 Event Logging"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-3", "name": "NIST 800-53 v5", "section": "AU-3 Content of Audit Records"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/", "name": "OWASP Top 10 2021", "section": "Logging and Monitoring Failures", "sectionID": "A09"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "443-447", "name": "Log access control decisions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "015-063", "name": "Log access to sensitive data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "184-284", "name": "Log all security relevant events"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "841-710", "name": "Log authentication decisions without exposing sensitive data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "555-048", "name": "Log events sufficiently to recreate their order"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "113-133", "name": "Use centralized authentication mechanism", "tags": ["Architecture"]}, "ltype": "Related"}], "name": "Log relevant"}, {"doctype": "CRE", "id": "270-568", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-6", "name": "NIST 800-53 v5", "section": "IA-6 Authentication Feedback"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-7", "name": "NIST 800-53 v5", "section": "IA-7 Cryptographic Module Authentication"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-9", "name": "NIST 800-53 v5", "section": "IA-9 Service Identification and Authentication"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "633-428", "name": "Authentication"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "558-807", "name": "Mutually authenticate application and credential service provider"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "333-858", "name": "Resist stolen credentials", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "802-056", "name": "Restrict excessive authentication"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "113-133", "name": "Use centralized authentication mechanism", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "146-556", "name": "Authenticate consistently"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "585-408", "name": "Challenge nonce cryptography", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "520-617", "name": "Credential recovery"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "789-320", "name": "Login functionality"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "327-505", "name": "Change password with presence of old and new password"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "138-448", "name": "Inform users for authentication renewal"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": 
"808-425", "name": "Notify users about anomalies in their usage patterns"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "751-176", "name": "Offer password changing functionality"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "551-054", "name": "Use ephemeral secrets rather than static secrets"}, "ltype": "Related"}], "name": "Authentication mechanism"}, {"doctype": "CRE", "id": "287-305", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.", "sectionID": "V1.6.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/320.html", "name": "CWE", "section": "", "sectionID": "320"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "820-877", "name": "Technical system documentation"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Related"}], "name": "Document explicit key/secret management"}, {"doctype": "CRE", "id": "464-513", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-1", "name": "NIST 800-53 v5", "section": "CA-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-2", "name": "NIST 800-53 v5", "section": "CA-2 Control Assessments"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-5", "name": "NIST 800-53 v5", "section": "CA-5 Plan of Action and Milestones"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-6", "name": "NIST 800-53 v5", "section": "CA-6 Authorization"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-7", "name": "NIST 800-53 v5", "section": "CA-7 Continuous Monitoring"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-8", "name": "NIST 800-53 v5", "section": "CA-8 Penetration Testing"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-20", "name": "NIST 800-53 v5", "section": "SI-20 Tainting"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.", "sectionID": "PO.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-5", "name": "NIST 800-53 v5", "section": "SI-5 Security Alerts, Advisories, and Directives"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Application Security Metrics", "sectionID": "AIS-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-6", "name": "NIST 800-53 v5", "section": "PM-6 Measures of Performance"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-31", "name": "NIST 800-53 v5", "section": "PM-31 Continuous Monitoring Strategy"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "217-168", "name": "Audit & accountability"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "745-356", "name": "Development process audit trail"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "567-755", "name": "Governance processes for security"}, "ltype": "Is Part Of"}], "name": "Assurance processes"}, {"doctype": "CRE", "id": "540-566", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location.", "sectionID": "V10.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/272.html", "name": "CWE", "section": "", "sectionID": "272"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 
27001", "section": "Use of privileged utility programs", "sectionID": "8.18"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": "Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/35.html", "name": "CAPEC", "section": "Leverage Executable Code in Non-Executable Files", "sectionID": "35", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "123-124", "name": "Minimize permissions"}, "ltype": "Is Part Of"}], "name": "Let application request minimal permissions"}, {"doctype": "CRE", "id": "515-021", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that application deployments adequately sandbox, containerize and/or isolate at the network level to delay and deter attackers from attacking other applications, especially when they are performing sensitive or dangerous actions such as deserialization.", "sectionID": "V1.14.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html", "name": "OWASP Proactive Controls", "section": "C5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/265.html", "name": "CWE", "section": "", "sectionID": "265"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Segmentation and Segregation", "sectionID": "IVS-06"}, 
"ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Segregation of networks", "sectionID": "8.22"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "467-784", "name": "Network security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "836-068", "name": "Deserialization Prevention"}, "ltype": "Related"}], "name": "Sandbox, containerize and/or isolate applications at the network level", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "524-446", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify replay resistance through the mandated use of One-time Passwords (OTP) devices, cryptographic authenticators, or lookup codes.", "sectionID": "V2.2.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/308.html", "name": "CWE", "section": "", "sectionID": "308"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authentication Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.2.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/644.html", "name": "CAPEC", "section": "Use of Captured Hashes (Pass The Hash)", "sectionID": "644", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/645.html", "name": "CAPEC", "section": "Use of Captured Tickets (Pass The Ticket)", "sectionID": "645", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Mandate using multi factor authentication"}, {"doctype": "CRE", "id": "071-288", "links": [{"document": {"doctype": "CRE", "id": "118-110", "name": "API/web services"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "464-084", "name": "Add CSRF protection for cookie based REST services", "tags": ["CSRF protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "543-512", "name": "Verify content-type for REST services"}, "ltype": "Contains"}], "name": "RESTful"}, {"doctype": "CRE", "id": "542-488", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that all random numbers, random file names, random GUIDs, 
and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker.", "sectionID": "V6.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/338.html", "name": "CWE", "section": "", "sectionID": "338"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "542-270", "name": "Secure random values", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use cryptographically secure random number generators"}, {"doctype": "CRE", "id": "158-874", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied.", "sectionID": "V2.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", 
"section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials directives"}, "ltype": "Is Part Of"}], "name": "Allow long passwords"}, {"doctype": "CRE", "id": "286-500", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "OS Hardening and Base Controls", "sectionID": "IVS-04"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "148-227", "name": "Endpoint management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "330-281", "name": "Use least privilege OS accounts for system (components)"}, "ltype": "Related"}], "name": "OS security"}, {"doctype": "CRE", "id": "217-112", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values.", "sectionID": "V8.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cwe.mitre.org/data/definitions/233.html", "name": "CWE", "section": "", "sectionID": "233"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "341-076", "name": "Minimize communication"}, "ltype": "Is Part Of"}], "name": "Minimize the number of parameters in a request"}, {"doctype": "CRE", "id": "743-237", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables).", "sectionID": "V5.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/235.html", "name": "CWE", "section": "", "sectionID": "235"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Mass Assignment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/460.html", "name": "CAPEC", "section": "HTTP Parameter Pollution (HPP)", "sectionID": "460", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Validatie/enforce HTTP inputs (against HTTP parameter pollution attacks)"}, {"doctype": "CRE", "id": "126-668", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A04_2021-Insecure_Design/", "name": "OWASP Top 10 2021", "section": "Insecure Design", "sectionID": "A04"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "538-770", "name": "Data access control"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "400-007", "name": "Encrypt data at rest", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "208-830", "name": "Manage temporary storage"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "542-270", "name": "Secure random values", "tags": ["Cryptography"]}, "ltype": "Contains"}], "name": "Secure data storage"}, {"doctype": "CRE", "id": "238-346", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that the application gives the option to terminate all other active sessions after a successful password change (including change via password reset/recovery), and that this is effective across the application, federated login (if present), and any relying parties.", "sectionID": "V3.3.3"}, "ltype": "Linked To"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/613.html", "name": "CWE", "section": "", "sectionID": "613"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-06"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "470-731", "name": "Minimize session life"}, "ltype": "Is Part Of"}], "name": "Terminate all sessions when password is changed"}, {"doctype": "CRE", "id": "553-413", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that enrollment and use of user-provided authentication devices are supported, such as a U2F or FIDO tokens.", "sectionID": "V2.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/308.html", "name": "CWE", "section": "", "sectionID": "308"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "6.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", 
"version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/644.html", "name": "CAPEC", "section": "Use of Captured Hashes (Pass The Hash)", "sectionID": "644", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/645.html", "name": "CAPEC", "section": "Use of Captured Tickets (Pass The Ticket)", "sectionID": "645", 
"version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Support subscriber-provided authentication devices"}, {"doctype": "CRE", "id": "552-588", "links": [{"document": {"doctype": "CRE", "id": "854-643", "name": "Robust business logic", "tags": ["Denial Of Service protection"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "725-682", "name": "Enable configurable alert against usage anomalies", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "534-605", "name": "Enforce natural sequence of business flows to avoid abuse"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "660-867", "name": "Implement business logic limits against identified business risks"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "456-535", "name": "Monitor for realistic \"human time\" business logic flows", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "418-853", "name": "Monitor unusual activities on system", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}], "name": "Detect and prevent unusual activity"}, {"doctype": "CRE", "id": 
"725-682", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md", "name": "ASVS", "section": "Verify that the application has configurable alerting when automated attacks or unusual activity is detected.", "sectionID": "V11.1.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/390.html", "name": "CWE", "section": "", "sectionID": "390"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "552-588", "name": "Detect and prevent unusual activity"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}], "name": "Enable configurable alert against usage anomalies", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "161-451", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-15", "name": "NIST 800-53 v5", "section": "SI-15 Information Output Filtering"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-765", "name": "XSS protection", "tags": ["Injection protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "064-808", "name": "Encode output context-specifically"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", 
"id": "806-367", "name": "Encode output near the consuming interpreter"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "533-516", "name": "Encode output while preserving user input formatting"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "366-835", "name": "Escape output against XSS"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "620-101", "name": "Force output encoding for specific interpreter's context"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "732-873", "name": "Lock/precompile queries (parameterization) to avoid injection attacks"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "607-671", "name": "Protect against JS or JSON injection attacks"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "531-558", "name": "Protect against LDAP injection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "547-283", "name": "Protect against LFI / RFI"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "857-718", "name": "Protect against OS command injection attack"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "134-207", "name": "Protect against XML/XPath injection"}, "ltype": "Contains"}], "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, {"doctype": "CRE", "id": "888-770", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-10", "name": "NIST 800-53 v5", "section": "RA-10 Threat Hunting"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Threat intelligence", "sectionID": "5.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-16", "name": "NIST 800-53 v5", "section": "PM-16 Threat Awareness Program"}, "ltype": 
"Linked To"}, {"document": {"doctype": "CRE", "id": "307-242", "name": "Security risk assessment"}, "ltype": "Is Part Of"}], "name": "Threat intelligence - stay up to date with new threats and consider them"}, {"doctype": "CRE", "id": "270-634", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that a system generated initial activation or recovery secret is not sent in clear text to the user.", "sectionID": "V2.5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/640.html", "name": "CWE", "section": "", "sectionID": "640"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/50.html", "name": "CAPEC", "section": "Password Recovery Exploitation", "sectionID": "50", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "520-617", "name": "Credential recovery"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Related"}], "name": "Send authentication secrets encrypted"}, {"doctype": "CRE", "id": "433-442", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-11", "name": "NIST 800-53 v5", "section": "SA-11 Developer Testing and Evaluation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Supply Chain Management, Transparency, and Accountability", "sectionID": "STA"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Security testing in development and acceptance", "sectionID": "8.29"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/verification/security-testing/stream-a", "name": "SAMM", "section": "Scalable Baseline", "sectionID": "V-ST-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Define criteria for software security checks and track throughout the SDLC.", "sectionID": "PO.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Automated Application Security Testing", "sectionID": "AIS-05"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Test information", "sectionID": "8.33"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owaspsamm.org/model/verification/security-testing/stream-b", "name": "SAMM", "section": "Deep understanding", "sectionID": "V-ST-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria.", "sectionID": "PO.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Review, analyze, and/or test the software\u2019s code to identify or confirm the presence of previously undetected vulnerabilities.", "sectionID": "RV.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/verification/requirements-driven-testing/stream-a", "name": "SAMM", "section": "Control verification", "sectionID": "V-RT-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/verification/requirements-driven-testing/stream-b", "name": "SAMM", "section": "Misuse/Abuse Testing", "sectionID": "V-RT-B"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "004-517", "name": "Security requirements"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "464-513", "name": "Assurance processes"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "732-148", "name": "Vulnerability management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "832-555", "name": "Automated static security analysis of code and configuration"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "626-250", "name": "Design review"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "207-435", "name": "Dynamic security testing"}, "ltype": "Contains"}, 
{"document": {"doctype": "CRE", "id": "411-684", "name": "Manual code review"}, "ltype": "Contains"}], "name": "Verification"}, {"doctype": "CRE", "id": "308-515", "links": [{"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "208-805", "name": "Disable debug mode in production"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "743-110", "name": "Do not disclose technical information in HTTP header or response"}, "ltype": "Contains"}], "name": "Prevent security disclosure", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "713-683", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that security logs are protected from unauthorized access and modification.", "sectionID": "V7.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html", "name": "OWASP Proactive Controls", "section": "C9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/200.html", "name": "CWE", "section": "", "sectionID": "200"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHZ-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP 
Cheat Sheets", "section": "Logging Cheat Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Disable debugging messages before pushing to production.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Debug%20Error%20Disclosure.js", "name": "ZAP Rule", "section": "Information Disclosure - Debug Error Messages via WebSocket", "sectionID": "110003", "tags": ["110003", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Session ID in URL Rewrite", "sectionID": "3-1", "tags": ["Passive", "3-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/TimestampDisclosureScanRule.java", "name": "ZAP Rule", "section": "Timestamp Disclosure", "sectionID": "10096", "tags": ["10096", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the ASP.NET ViewState does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.", "doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java", "name": "ZAP Rule", "section": "ASP.NET ViewState Disclosure", "sectionID": "10094-1", "tags": ["Passive", "10094-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "This is a risk if the session ID is sensitive and the hyperlink refers to an external or third party host. For secure content, put session ID in secured session cookie.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Referer Exposes Session ID", "sectionID": "3-3", "tags": ["3-3", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java", "name": "ZAP Rule", "section": "Proxy Disclosure", "sectionID": "40025", "tags": ["Active", "40025"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Before allowing images to be stored on the server and/or transmitted to the browser, strip out the embedded location information from image. This could mean removing all Exif data or just the GPS component. 
Other data, like serial numbers, should also be removed.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/imagelocationscanner/src/main/java/org/zaproxy/zap/extension/imagelocationscanner/ImageLocationScanRule.java", "name": "ZAP Rule", "section": "Image Exposes Location or Privacy Data", "sectionID": "10103", "tags": ["Passive", "10103"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove emails that are not public.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Email%20Disclosure.js", "name": "ZAP Rule", "section": "Email address found in WebSocket message", "sectionID": "110004", "tags": ["110004", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the 'Server' header or provide generic details.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks its Webserver Application via 'Server' HTTP Response Header Field", "sectionID": "10036-1", "tags": ["Passive", "10036-1"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Disable debugging messages before pushing to production.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Debug Error Messages", "sectionID": "10023", "tags": ["Passive", "10023"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove the private IP address from the 
HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java", "name": "ZAP Rule", "section": "Private IP Disclosure", "sectionID": "2", "tags": ["2", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRule.java", "name": "ZAP Rule", "section": "In Page Banner Information Leak", "sectionID": "10009", "tags": ["10009", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not pass sensitive information in URIs.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Sensitive Information in HTTP Referrer Header", "sectionID": "10025", "tags": ["10025", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.).", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java", "name": "ZAP Rule", "section": "X-Debug-Token Information Leak", "sectionID": "10056", "tags": ["Passive", "10056"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. 
is configured to suppress X-Backend-Server headers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java", "name": "ZAP Rule", "section": "X-Backend-Server Header Information Leak", "sectionID": "10039", "tags": ["10039", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "TBA", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java", "name": "ZAP Rule", "section": "Insecure HTTP Method", "sectionID": "90028", "tags": ["Active", "90028"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/XML%20Comments%20Disclosure.js", "name": "ZAP Rule", "section": "Information Disclosure - Suspicious Comments in XML via WebSocket", "sectionID": "110008", "tags": ["110008", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Disable this functionality in Production when it might leak information that could be leveraged by an attacker. 
Alternatively ensure that use of the functionality is tied to a strong authorization check and only available to administrators or support personnel for troubleshooting purposes not general users.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java", "name": "ZAP Rule", "section": "X-ChromeLogger-Data (XCOLD) Header Information Leak", "sectionID": "10052", "tags": ["Passive", "10052"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress 'X-Powered-By' headers.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s)", "sectionID": "10037", "tags": ["10037", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "For secure content, put session ID in a cookie. 
To be even more secure consider using a combination of cookie and URL rewrite.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java", "name": "ZAP Rule", "section": "Session ID in URL Rewrite", "sectionID": "3-2", "tags": ["Passive", "3-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not pass sensitive information in URIs.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Sensitive Information in URL", "sectionID": "10024", "tags": ["10024", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java", "name": "ZAP Rule", "section": "Cookie Slack Detector", "sectionID": "90027", "tags": ["Active", "90027"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to suppress the 'Server' header or provide generic details.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ServerHeaderInfoLeakScanRule.java", "name": "ZAP Rule", "section": "Server Leaks Version Information via 'Server' HTTP Response Header Field", "sectionID": "10036-2", "tags": ["Passive", "10036-2"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Do not divulge details of whether a username is valid or invalid. 
In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java", "name": "ZAP Rule", "section": "Possible Username Enumeration", "sectionID": "40023", "tags": ["Active", "40023"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java", "name": "ZAP Rule", "section": "Information Disclosure - Suspicious Comments", "sectionID": "10027", "tags": ["10027", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/Base64Disclosure.java", "name": "ZAP Rule", "section": "Base64 Disclosure", "sectionID": "10094-3", "tags": ["Passive", "10094-3"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Review the source code of this page. Implement custom error pages. 
Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java", "name": "ZAP Rule", "section": "Application Error Disclosure", "sectionID": "90022", "tags": ["90022", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/116.html", "name": "CAPEC", "section": "Excavation", "sectionID": "116", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/169.html", "name": "CAPEC", "section": "Footprinting", "sectionID": "169", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/224.html", "name": "CAPEC", "section": "Fingerprinting", "sectionID": "224", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/285.html", "name": "CAPEC", "section": "ICMP Echo Request Ping", "sectionID": "285", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/287.html", "name": "CAPEC", "section": "TCP SYN Scan", "sectionID": "287", "version": "3.9"}, 
"ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/290.html", "name": "CAPEC", "section": "Enumerate Mail Exchange (MX) Records", "sectionID": "290", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/291.html", "name": "CAPEC", "section": "DNS Zone Transfers", "sectionID": "291", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/292.html", "name": "CAPEC", "section": "Host Discovery", "sectionID": "292", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/293.html", "name": "CAPEC", "section": "Traceroute Route Enumeration", "sectionID": "293", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/294.html", "name": "CAPEC", "section": "ICMP Address Mask Request", "sectionID": "294", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/295.html", "name": "CAPEC", "section": "Timestamp Request", "sectionID": "295", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/296.html", "name": "CAPEC", "section": "ICMP Information Request", "sectionID": "296", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/297.html", "name": "CAPEC", "section": "TCP ACK Ping", "sectionID": "297", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/298.html", "name": "CAPEC", "section": "UDP Ping", "sectionID": "298", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/299.html", "name": "CAPEC", "section": "TCP SYN Ping", "sectionID": "299", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/300.html", "name": "CAPEC", "section": "Port Scanning", "sectionID": "300", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/301.html", "name": "CAPEC", "section": "TCP Connect Scan", "sectionID": "301", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/302.html", "name": "CAPEC", "section": "TCP FIN Scan", "sectionID": "302", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/303.html", "name": "CAPEC", "section": "TCP Xmas Scan", "sectionID": "303", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/304.html", "name": "CAPEC", "section": "TCP Null Scan", "sectionID": "304", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/305.html", "name": "CAPEC", "section": "TCP ACK Scan", "sectionID": "305", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/306.html", "name": "CAPEC", "section": "TCP Window Scan", "sectionID": "306", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/307.html", "name": "CAPEC", "section": "TCP RPC Scan", "sectionID": "307", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/308.html", "name": "CAPEC", "section": "UDP Scan", "sectionID": "308", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/309.html", "name": "CAPEC", "section": "Network Topology Mapping", "sectionID": "309", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/310.html", "name": "CAPEC", "section": "Scanning for Vulnerable Software", "sectionID": "310", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/312.html", "name": "CAPEC", "section": "Active OS Fingerprinting", "sectionID": "312", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/313.html", "name": "CAPEC", "section": "Passive OS Fingerprinting", "sectionID": "313", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/317.html", "name": "CAPEC", "section": "IP ID Sequencing Probe", "sectionID": "317", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/318.html", "name": "CAPEC", "section": "IP 'ID' Echoed Byte-Order Probe", "sectionID": "318", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/319.html", "name": "CAPEC", "section": "IP (DF) 'Don't Fragment Bit' Echoing Probe", "sectionID": "319", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/320.html", "name": "CAPEC", "section": "TCP Timestamp Probe", "sectionID": "320", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/321.html", "name": "CAPEC", "section": "TCP Sequence Number Probe", "sectionID": "321", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/322.html", "name": "CAPEC", "section": "TCP (ISN) Greatest Common Divisor Probe", "sectionID": "322", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/323.html", "name": "CAPEC", "section": "TCP (ISN) Counter Rate Probe", "sectionID": "323", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/324.html", "name": "CAPEC", "section": "TCP (ISN) Sequence Predictability Probe", "sectionID": "324", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/325.html", "name": "CAPEC", "section": "TCP Congestion Control Flag (ECN) Probe", "sectionID": "325", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/326.html", "name": "CAPEC", "section": "TCP Initial Window Size Probe", "sectionID": "326", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/327.html", "name": "CAPEC", "section": "TCP Options Probe", "sectionID": "327", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/328.html", "name": "CAPEC", "section": "TCP 'RST' Flag Checksum Probe", "sectionID": "328", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/329.html", "name": "CAPEC", "section": "ICMP Error Message Quoting Probe", "sectionID": "329", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/330.html", "name": "CAPEC", "section": "ICMP Error Message Echoing Integrity Probe", "sectionID": "330", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/472.html", "name": "CAPEC", "section": "Browser Fingerprinting", "sectionID": "472", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/497.html", "name": "CAPEC", "section": "File Discovery", "sectionID": "497", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/508.html", "name": "CAPEC", "section": "Shoulder Surfing", "sectionID": "508", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/573.html", "name": "CAPEC", "section": "Process Footprinting", "sectionID": "573", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/574.html", "name": "CAPEC", "section": "Services Footprinting", "sectionID": "574", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/575.html", "name": "CAPEC", "section": "Account Footprinting", "sectionID": "575", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/576.html", "name": "CAPEC", "section": "Group Permission Footprinting", "sectionID": "576", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/577.html", "name": "CAPEC", "section": "Owner Footprinting", "sectionID": "577", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/616.html", "name": "CAPEC", "section": "Establish Rogue Location", "sectionID": "616", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/643.html", "name": "CAPEC", "section": "Identify Shared Files/Directories on System", "sectionID": "643", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/646.html", "name": "CAPEC", "section": "Peripheral Footprinting", "sectionID": "646", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/651.html", "name": "CAPEC", "section": "Eavesdropping", "sectionID": "651", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "713-684", "name": "Log access protection"}, "ltype": "Is Part Of"}], "name": "Protect logs against unauthorized access"}, {"doctype": "CRE", "id": "563-088", "links": [{"document": {"doctype": "CRE", "id": "567-755", "name": "Governance processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "560-224", "name": "Planning and resource management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "571-271", "name": "Program management"}, "ltype": "Contains"}], "name": "Security organizing processes"}, {"doctype": "CRE", "id": "534-605", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md", "name": "ASVS", "section": "Verify that the application will only process business logic flows for the same user in sequential step order and without skipping steps.", "sectionID": "V11.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/841.html", "name": "CWE", "section": "", "sectionID": "841"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-$$"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "552-588", "name": "Detect and prevent unusual activity"}, "ltype": "Is Part Of"}], "name": "Enforce natural sequence of business flows to avoid abuse"}, {"doctype": "CRE", "id": "082-327", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md", "name": "ASVS", "section": "Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any way.", "sectionID": "V8.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/285.html", "name": "CWE", "section": "", "sectionID": "285"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", 
"sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": "Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/402.html", "name": "CAPEC", "section": "Bypassing ATA Password Security", "sectionID": "402", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/51.html", "name": "CAPEC", "section": "Poison Web Service Registry", "sectionID": "51", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", 
"sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/647.html", "name": "CAPEC", "section": "Collect Data from Registries", "sectionID": "647", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/668.html", "name": "CAPEC", "section": "Key Negotiation of Bluetooth Attack (KNOB)", "sectionID": "668", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/87.html", "name": "CAPEC", "section": "Forceful Browsing", "sectionID": "87", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "447-083", "name": "Privacy-preserving personal data logic"}, "ltype": "Is Part Of"}], "name": "Inform users clearly about the collection and use of personal data, and use it only after opt-in consent."}, {"doctype": "CRE", "id": "508-702", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.", "sectionID": 
"V1.6.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/320.html", "name": "CWE", "section": "", "sectionID": "320"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use key vaults"}, {"doctype": "CRE", "id": "217-168", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Audit & Assurance", "sectionID": "A&A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Protection of information systems during audit testing", "sectionID": "8.34"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-13", "name": "NIST 800-53 v5", "section": "AU-13 Monitoring for Information Disclosure"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-14", "name": "NIST 800-53 v5", "section": "AU-14 Session Audit"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "464-513", "name": "Assurance processes"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "510-324", "name": "Compliance"}, "ltype": "Contains"}], "name": "Audit & accountability"}, {"doctype": "CRE", "id": "821-832", "links": [{"document": 
{"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.", "sectionID": "V1.6.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/320.html", "name": "CWE", "section": "", "sectionID": "320"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Ensure keys and passwords are replaceable"}, {"doctype": "CRE", "id": "807-565", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that there are no password composition rules limiting the type of characters permitted. 
There should be no requirement for upper or lower case or numbers or special characters.", "sectionID": "V2.1.9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials directives"}, "ltype": "Is Part Of"}], "name": "Do not limit character types for password composition"}, {"doctype": "CRE", "id": "307-111", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions.", "sectionID": "V12.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/552.html", "name": "CWE", "section": "", "sectionID": "552"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-09"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/150.html", "name": "CAPEC", "section": "Collect Data from Common Resource Locations", "sectionID": "150", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/639.html", "name": "CAPEC", "section": "Probe System Files", "sectionID": "639", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "758-262", "name": "File storage"}, "ltype": "Is Part Of"}], "name": "Securely store files with untrusted origin"}, {"doctype": "CRE", "id": "783-255", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a Trusted Platform Module (TPM) or Hardware Security Module (HSM), or an OS service that can use this secure storage.", "sectionID": "V2.9.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/320.html", "name": "CWE", "section": "", "sectionID": 
"320"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.7.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Store cryptographic keys securely"}, {"doctype": "CRE", "id": "260-200", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that a common logging format and approach is used across the system.", "sectionID": "V1.7.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html", "name": "OWASP Proactive Controls", "section": "C9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1009.html", "name": "CWE", "section": "", "sectionID": "1009"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "148-420", "name": "Log integrity"}, "ltype": "Is Part Of"}], "name": "Log in consistent format across system"}, {"doctype": "CRE", "id": "816-631", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes.", "sectionID": "V2.7.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/287.html", "name": "CWE", "section": "", "sectionID": "287"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/114.html", "name": "CAPEC", "section": "Authentication Abuse", "sectionID": "114", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/115.html", "name": "CAPEC", "section": "Authentication Bypass", "sectionID": "115", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/151.html", "name": "CAPEC", "section": "Identity Spoofing", "sectionID": "151", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/194.html", "name": "CAPEC", "section": "Fake the Source of Data", "sectionID": "194", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/57.html", "name": "CAPEC", "section": "Utilizing REST's 
Trust in the System Resource to Obtain Sensitive Data", "sectionID": "57", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/593.html", "name": "CAPEC", "section": "Session Hijacking", "sectionID": "593", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/633.html", "name": "CAPEC", "section": "Token Impersonation", "sectionID": "633", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/650.html", "name": "CAPEC", "section": "Upload a Web Shell to a Web Server", "sectionID": "650", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": "Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Ensure timely expiration of out of band authentication request, code, or tokens"}, {"doctype": "CRE", "id": "774-888", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. 
The use of a secure software key store (L1), hardware TPM, or an HSM (L3) is recommended for password storage.", "sectionID": "V2.10.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/798.html", "name": "CWE", "section": "", "sectionID": "798"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/191.html", "name": "CAPEC", "section": "Read Sensitive Constants Within an Executable", "sectionID": "191", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Do not store secrets in the code"}, {"doctype": "CRE", "id": "613-285", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-22", "name": "NIST 800-53 v5", "section": "SA-22 Unsupported System Components"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization\u2019s own software. 
[Formerly PW.3.1]", "sectionID": "PO.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-4", "name": "NIST 800-53 v5", "section": "SA-4 Acquisition Process"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, open- source, and other third-party developers for use by the organization\u2019s software.", "sectionID": "PW.4.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-1", "name": "NIST 800-53 v5", "section": "SR-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Outsourced development", "sectionID": "8.30"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles", "sectionID": "PW.4.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-10", "name": "NIST 800-53 v5", "section": "SR-10 Inspection of Systems or Components"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-11", "name": "NIST 800-53 v5", "section": "SR-11 Component Authenticity"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-12", "name": "NIST 800-53 v5", "section": "SR-12 Component Disposal"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-2", "name": "NIST 800-53 v5", "section": "SR-2 Supply Chain Risk Management Plan"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-3", "name": "NIST 800-53 v5", "section": "SR-3 Supply Chain Controls and Processes"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security in supplier relationships", "sectionID": "5.19"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-4", "name": "NIST 800-53 v5", "section": "SR-4 Provenance"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-5", "name": "NIST 800-53 v5", "section": "SR-5 Acquisition Strategies, Tools, and Methods"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-6", "name": "NIST 800-53 v5", "section": "SR-6 Supplier Assessments and Reviews"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Addressing information security within supplier agreements", "sectionID": "5.20"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/design/security-requirements/stream-b", "name": "SAMM", "section": "Supplier security", "sectionID": 
"D-SR-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-7", "name": "NIST 800-53 v5", "section": "SR-7 Supply Chain Operations Security"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security for use of cloud services", "sectionID": "5.23"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-8", "name": "NIST 800-53 v5", "section": "SR-8 Notification Agreements"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-9", "name": "NIST 800-53 v5", "section": "SR-9 Tamper Resistance and Detection"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-30", "name": "NIST 800-53 v5", "section": "PM-30 Supply Chain Risk Management Strategy"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-1", "name": "NIST 800-53 v5", "section": "SA-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Managing information security in the information and communication technology (ICT) supply chain", "sectionID": "5.21"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-9", "name": "NIST 800-53 v5", "section": "SA-9 External System Services"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", 
"section": "Monitoring, review and change management of supplier services", "sectionID": "5.22"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "616-305", "name": "Development processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "307-242", "name": "Security risk assessment"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "424-242", "name": "Decommissioning"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "673-475", "name": "Disallow unsupported/deprecated client-side technologies"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "154-031", "name": "Harden application by excluding unwanted functionality", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "462-245", "name": "Remove unnecessary elements from external components (e.g. features, documentation, configuration)", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "613-287", "name": "Dependency integrity"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "613-286", "name": "Dependency management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "307-507", "name": "Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Related"}], "name": "Supply chain management"}, {"doctype": "CRE", "id": "570-487", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Determine whether executable code testing", "sectionID": "PW.8.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "207-435", "name": "Dynamic security testing"}, "ltype": "Is Part Of"}], "name": "Manual penetration testing"}, {"doctype": "CRE", "id": "031-447", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (allow lists).", "sectionID": "V5.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html", "name": "OWASP Proactive Controls", "section": "C5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/20.html", "name": "CWE", "section": "", "sectionID": "20"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-00"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Mass Assignment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java", "name": "ZAP Rule", "section": "Relative Path Confusion", "sectionID": "10051", "tags": ["Active", "10051"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "All forms must specify the action URL.", "doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java", "name": "ZAP Rule", "section": "HTTP Parameter Override", "sectionID": "10026", "tags": ["Passive", "10026"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Properly sanitize the user input for parameter delimiters", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java", "name": "ZAP Rule", "section": "HTTP Parameter Pollution", "sectionID": "20014", "tags": ["Active", "20014"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java", "name": "ZAP Rule", "section": "Remote Code Execution - CVE-2012-1823", "sectionID": "20018", "tags": ["Active", "20018"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java", "name": "ZAP Rule", "section": "Source Code Disclosure - CVE-2012-1823", "sectionID": "20017", "tags": ["Active", "20017"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java", "name": "ZAP Rule", "section": "Httpoxy - Proxy Header Misuse", "sectionID": "10107", "tags": ["Active", 
"10107"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/10.html", "name": "CAPEC", "section": "Buffer Overflow via Environment Variables", "sectionID": "10", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/101.html", "name": "CAPEC", "section": "Server Side Include (SSI) Injection", "sectionID": "101", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/108.html", "name": "CAPEC", "section": "Command Line Execution through SQL Injection", "sectionID": "108", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/109.html", "name": "CAPEC", "section": "Object Relational Mapping Injection", "sectionID": "109", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/110.html", "name": "CAPEC", "section": "SQL Injection through SOAP Parameter Tampering", "sectionID": "110", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/120.html", "name": "CAPEC", "section": "Double Encoding", "sectionID": "120", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/135.html", "name": "CAPEC", "section": 
"Format String Injection", "sectionID": "135", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/136.html", "name": "CAPEC", "section": "LDAP Injection", "sectionID": "136", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/14.html", "name": "CAPEC", "section": "Client-side Injection-induced Buffer Overflow", "sectionID": "14", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/153.html", "name": "CAPEC", "section": "Input Data Manipulation", "sectionID": "153", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/182.html", "name": "CAPEC", "section": "Flash Injection", "sectionID": "182", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/209.html", "name": "CAPEC", "section": "XSS Using MIME Type Mismatch", "sectionID": "209", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/23.html", "name": "CAPEC", "section": "File Content Injection", "sectionID": "23", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", 
"sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/24.html", "name": "CAPEC", "section": "Filter Failure through Buffer Overflow", "sectionID": "24", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/250.html", "name": "CAPEC", "section": "XML Injection", "sectionID": "250", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/261.html", "name": "CAPEC", "section": "Fuzzing for garnering other adjacent user/sensitive data", "sectionID": "261", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/267.html", "name": "CAPEC", "section": "Leverage Alternate Encoding", "sectionID": "267", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/28.html", "name": "CAPEC", "section": "Fuzzing", "sectionID": "28", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/3.html", "name": "CAPEC", "section": "Using Leading 'Ghost' Character Sequences to Bypass Input Filters", "sectionID": "3", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/42.html", "name": "CAPEC", "section": "MIME Conversion", "sectionID": "42", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/43.html", "name": "CAPEC", "section": "Exploiting Multiple 
Input Interpretation Layers", "sectionID": "43", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/46.html", "name": "CAPEC", "section": "Overflow Variables and Tags", "sectionID": "46", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/47.html", "name": "CAPEC", "section": "Buffer Overflow via Parameter Expansion", "sectionID": "47", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/473.html", "name": "CAPEC", "section": "Signature Spoof", "sectionID": "473", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/52.html", "name": "CAPEC", "section": "Embedding NULL Bytes", "sectionID": "52", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/53.html", "name": "CAPEC", "section": "Postfix, Null Terminate, and Backslash", "sectionID": "53", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/588.html", "name": "CAPEC", "section": "DOM-Based XSS", "sectionID": "588", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/63.html", "name": "CAPEC", "section": "Cross-Site Scripting (XSS)", "sectionID": "63", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/64.html", "name": "CAPEC", "section": "Using Slashes and URL Encoding Combined to 
Bypass Validation Logic", "sectionID": "64", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/664.html", "name": "CAPEC", "section": "Server Side Request Forgery", "sectionID": "664", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/67.html", "name": "CAPEC", "section": "String Format Overflow in syslog()", "sectionID": "67", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/7.html", "name": "CAPEC", "section": "Blind SQL Injection", "sectionID": "7", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/71.html", "name": "CAPEC", "section": "Using Unicode Encoding to Bypass Validation Logic", "sectionID": "71", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/72.html", "name": "CAPEC", "section": "URL Encoding", "sectionID": "72", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/78.html", "name": "CAPEC", "section": "Using Escaped Slashes in Alternate Encoding", "sectionID": "78", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/8.html", "name": "CAPEC", "section": "Buffer Overflow in an 
API Call", "sectionID": "8", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/80.html", "name": "CAPEC", "section": "Using UTF-8 Encoding to Bypass Validation Logic", "sectionID": "80", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/83.html", "name": "CAPEC", "section": "XPath Injection", "sectionID": "83", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/88.html", "name": "CAPEC", "section": "OS Command Injection", "sectionID": "88", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/9.html", "name": "CAPEC", "section": "Buffer Overflow in Local Command-Line Utilities", "sectionID": "9", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Whitelist all external (HTTP) input"}, {"doctype": "CRE", "id": "542-270", "links": [{"document": {"doctype": "CRE", "id": "126-668", "name": "Secure data storage"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "027-210", "name": "Create random GUIDs with cryptographically secure random number generators"}, "ltype": "Contains"}, {"document": 
{"doctype": "CRE", "id": "664-571", "name": "Ensure proper generation of secure random", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "542-488", "name": "Use cryptographically secure random number generators"}, "ltype": "Contains"}], "name": "Secure random values", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "342-055", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md", "name": "ASVS", "section": "Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks.", "sectionID": "V3.4.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/16.html", "name": "CWE", "section": "", "sectionID": "1275"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-SESS-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Session Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "name": "NIST 800-63", "section": "are g"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRule.java", "name": "ZAP Rule", "section": "Cookie without SameSite Attribute", "sectionID": "10054", "tags": ["Passive", "10054"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "110-531", "name": "Cookie-config"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "CSRF protection"}, "ltype": "Related"}], "name": "Set \"samesite\" attribute for cookie-based session tokens", "tags": ["CSRF protection"]}, {"doctype": "CRE", "id": "766-162", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-7", "name": "NIST 800-53 v5", "section": "PM-7 Enterprise Architecture"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Governance, Risk and Compliance", "sectionID": "GRC"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "567-755", "name": "Governance processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "287-823", "name": "Asset management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "240-464", "name": "Contingency planning"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "847-247", "name": "Interoperability and portability policy and procedures"}, "ltype": "Contains"}, 
{"document": {"doctype": "CRE", "id": "135-200", "name": "Review of security policies"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "004-517", "name": "Security requirements"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "307-242", "name": "Security risk assessment"}, "ltype": "Contains"}], "name": "Security Analysis and documentation"}, {"doctype": "CRE", "id": "113-133", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches.", "sectionID": "V1.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/306.html", "name": "CWE", "section": "", "sectionID": "306"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/12.html", "name": "CAPEC", "section": "Choosing Message Identifier", "sectionID": "12", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/166.html", "name": "CAPEC", "section": "Force the System to Reset Values", "sectionID": "166", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/216.html", "name": "CAPEC", "section": "Communication Channel Manipulation", "sectionID": "216", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/36.html", "name": "CAPEC", "section": "Using Unpublished Interfaces or Functionality", "sectionID": "36", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "402-706", "name": "Log relevant"}, "ltype": "Related"}], "name": "Use centralized authentication mechanism", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "482-866", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR.", "sectionID": "V6.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/311.html", "name": "CWE", "section": "", "sectionID": "311"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "User Privacy Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": 
"Configure your web or application server to use SSL (https).", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpOnlySiteScanRule.java", "name": "ZAP Rule", "section": "HTTP Only Site", "sectionID": "10106", "tags": ["Active", "10106"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java", "name": "ZAP Rule", "section": "Secure Pages Include Mixed Content", "sectionID": "10040", "tags": ["10040", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpsAsHttpScanRule.java", "name": "ZAP Rule", "section": "HTTPS Content Available via HTTP", "sectionID": "10047", "tags": ["Active", "10047"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/157.html", "name": "CAPEC", "section": "Sniffing Attacks", "sectionID": "157", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/158.html", "name": "CAPEC", "section": "Sniffing Network Traffic", "sectionID": "158", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/204.html", "name": "CAPEC", "section": "Lifting Sensitive Data Embedded in Cache", "sectionID": "204", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/37.html", "name": "CAPEC", "section": "Retrieve Embedded Sensitive Data", "sectionID": "37", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/477.html", 
"name": "CAPEC", "section": "Signature Spoofing by Mixing Signed and Unsigned Content", "sectionID": "477", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/609.html", "name": "CAPEC", "section": "Cellular Traffic Intercept", "sectionID": "609", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/65.html", "name": "CAPEC", "section": "Sniff Application Code", "sectionID": "65", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "275-483", "name": "Securely store regulated data"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "362-550", "name": "Personal data handling"}, "ltype": "Related"}], "name": "Encrypt personal data at rest"}, {"doctype": "CRE", "id": "002-801", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that approved cryptographic algorithms are used in the generation, seeding, and verification.", "sectionID": "V2.9.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/327.html", "name": "CWE", "section": "", "sectionID": "327"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.7.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/459.html", "name": "CAPEC", "section": "Creating a Rogue Certification Authority Certificate", "sectionID": "459", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/473.html", "name": "CAPEC", "section": "Signature Spoof", "sectionID": "473", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/475.html", "name": "CAPEC", "section": "Signature Spoofing by Improper Validation", "sectionID": "475", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/608.html", "name": "CAPEC", "section": "Cryptanalysis of Cellular Encryption", "sectionID": "608", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/614.html", "name": "CAPEC", "section": "Rooting SIM Cards", "sectionID": "614", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/97.html", "name": "CAPEC", "section": "Cryptanalysis", "sectionID": "97", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "585-408", "name": "Challenge nonce cryptography", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use approved cryptographic algorithms for generation, seeding and verification"}, {"doctype": "CRE", "id": "125-010", "links": [{"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Is Part Of"}], "name": "Password management systems"}, {"doctype": "CRE", "id": "278-413", "links": [{"document": {"doctype": "Standard", 
"hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed.", "sectionID": "V1.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html", "name": "OWASP Proactive Controls", "section": "C3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/306.html", "name": "CWE", "section": "", "sectionID": "306"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/12.html", "name": "CAPEC", "section": "Choosing Message Identifier", "sectionID": "12", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/166.html", "name": "CAPEC", "section": "Force the System to Reset Values", "sectionID": "166", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/216.html", "name": "CAPEC", "section": "Communication Channel Manipulation", "sectionID": "216", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/36.html", "name": "CAPEC", "section": "Using Unpublished Interfaces or Functionality", "sectionID": "36", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "146-556", "name": "Authenticate consistently"}, "ltype": "Is Part Of"}, {"document": 
{"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Related"}], "name": "Mutually authenticate application components. Minimize privileges", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "138-448", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that renewal instructions are sent with sufficient time to renew time bound authenticators.", "sectionID": "V2.3.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/287.html", "name": "CWE", "section": "", "sectionID": "287"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "6.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/114.html", "name": "CAPEC", "section": "Authentication Abuse", "sectionID": "114", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/115.html", "name": "CAPEC", "section": "Authentication Bypass", "sectionID": "115", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/151.html", "name": "CAPEC", "section": "Identity Spoofing", "sectionID": "151", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/194.html", "name": "CAPEC", "section": "Fake the Source of Data", "sectionID": "194", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/57.html", "name": "CAPEC", "section": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", "sectionID": "57", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/593.html", "name": "CAPEC", "section": "Session Hijacking", "sectionID": "593", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/633.html", "name": "CAPEC", "section": "Token Impersonation", "sectionID": "633", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/650.html", "name": "CAPEC", "section": "Upload a Web Shell to a Web Server", "sectionID": "650", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": "Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Related"}], "name": "Inform users for authentication renewal"}, {"doctype": "CRE", "id": "715-681", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that password truncation is not performed. 
However, consecutive multiple spaces may be replaced by a single space.", "sectionID": "V2.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c6-implement-digital-identity.html", "name": "OWASP Proactive Controls", "section": "C6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials directives"}, "ltype": "Is Part Of"}], "name": "Avoid password truncation, with exception of consecutive spaces"}, {"doctype": "CRE", "id": "235-658", "links": [{"document": {"doctype": "Standard", 
"hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that if an authentication factor is changed or replaced, that the user is notified of this event.", "sectionID": "V2.5.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/304.html", "name": "CWE", "section": "", "sectionID": "304"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "6.1.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "520-617", "name": "Credential recovery"}, "ltype": "Related"}], "name": "Notify user about credential change"}, {"doctype": "CRE", "id": "620-101", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that output encoding is relevant for the interpreter and context required. 
For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as \u201e\u00c5\u2260\u201e\u00c5\u00ec or O'Hara).", "sectionID": "V5.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html", "name": "OWASP Proactive Controls", "section": "C4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/116.html", "name": "CWE", "section": "", "sectionID": "116"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/D-Encoded_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-APPE-D"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Force output encoding for specific interpreter's context"}, {"doctype": "CRE", "id": "427-113", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Human Resources", "sectionID": "HRS"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "567-755", 
"name": "Governance processes for security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "172-101", "name": "Personnel security"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "013-021", "name": "Roles and responsibilities"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "428-544", "name": "Security awareness training"}, "ltype": "Contains"}], "name": "Security governance regarding people"}, {"doctype": "CRE", "id": "532-878", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users using DELETE or PUT on protected API or resources.", "sectionID": "V13.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/650.html", "name": "CWE", "section": "", "sectionID": "650"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Assessment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": 
"Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "118-110", "name": "API/web services"}, "ltype": "Is Part Of"}], "name": "Limit REST HTTP methods"}, {"doctype": "CRE", "id": "841-757", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that approved cryptographic algorithms are used in the generation, seeding, and verification of OTPs.", "sectionID": "V2.8.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/326.html", "name": "CWE", "section": "", "sectionID": "326"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.5.2"}, "ltype": "Linked To"}, {"document": {"description": "Protect the connection using HTTPS or use a stronger authentication mechanism", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java", "name": "ZAP Rule", "section": "Weak Authentication Method", "sectionID": "10105", "tags": ["Passive", "10105"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/192.html", "name": "CAPEC", "section": "Protocol Analysis", "sectionID": "192", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", 
"sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Use approved cryptographic algorithms in generation, seeding and verification of OTPs", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "607-671", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application protects against JSON injection attacks, JSON eval attacks, and JavaScript expression evaluation.", "sectionID": "V5.3.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c4-encode-escape-data.html", "name": "OWASP Proactive Controls", "section": "C4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/830.html", "name": "CWE", "section": "", "sectionID": "830"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat 
Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTML5 Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_in_Java_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Injection Prevention in Java Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "LDAP Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "OS Command Injection Defense Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Query Parameterization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "SQL Injection Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Bean_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Bean Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML External Entity Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "XML Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Protect against JS or JSON injection attacks"}, {"doctype": "CRE", "id": "007-274", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/operations/environment-management/stream-b/", "name": "SAMM", "section": "Patching and Updating", "sectionID": "O-EM-B"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "148-227", "name": "Endpoint management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "613-286", "name": "Dependency management"}, "ltype": "Related"}], "name": "Patching and updating system components"}, {"doctype": "CRE", "id": "168-186", 
"links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request.", "sectionID": "V2.7.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/287.html", "name": "CWE", "section": "", "sectionID": "287"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/114.html", "name": "CAPEC", "section": "Authentication Abuse", "sectionID": "114", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/115.html", "name": "CAPEC", "section": "Authentication Bypass", "sectionID": "115", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/151.html", "name": "CAPEC", "section": "Identity Spoofing", "sectionID": "151", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/194.html", "name": "CAPEC", "section": "Fake the Source of Data", "sectionID": "194", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/57.html", "name": "CAPEC", "section": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", "sectionID": "57", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/593.html", "name": "CAPEC", "section": "Session Hijacking", "sectionID": "593", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/633.html", "name": "CAPEC", "section": "Token Impersonation", "sectionID": "633", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/650.html", "name": "CAPEC", "section": "Upload a Web Shell to a Web Server", "sectionID": "650", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/94.html", "name": "CAPEC", "section": "Adversary in the Middle (AiTM)", "sectionID": "94", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use out of band authentication requests, codes or tokens only once"}, {"doctype": "CRE", "id": "166-151", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", "section": "Verify that access controls fail securely including when an exception occurs.", "sectionID": "V4.1.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html", "name": "OWASP Proactive Controls", "section": "C10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/285.html", "name": "CWE", "section": "", "sectionID": "285"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ERRH-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Access Control Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authorization Testing Automation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/17.html", "name": "CAPEC", "section": "Using Malicious Files", "sectionID": "17", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/39.html", "name": "CAPEC", "section": "Manipulating Opaque Client-based Data Tokens", "sectionID": "39", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/402.html", "name": "CAPEC", "section": "Bypassing ATA Password Security", "sectionID": "402", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/51.html", "name": "CAPEC", "section": "Poison Web Service Registry", "sectionID": "51", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/60.html", "name": "CAPEC", "section": "Reusing Session IDs (aka Session Replay)", "sectionID": "60", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/647.html", "name": "CAPEC", "section": "Collect Data from Registries", "sectionID": "647", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/668.html", "name": "CAPEC", "section": "Key Negotiation of Bluetooth Attack (KNOB)", "sectionID": "668", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/76.html", "name": "CAPEC", "section": "Manipulating Web Input to File System Calls", "sectionID": "76", "version": "3.9"}, "ltype": 
"SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/77.html", "name": "CAPEC", "section": "Manipulating User-Controlled Variables", "sectionID": "77", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/87.html", "name": "CAPEC", "section": "Forceful Browsing", "sectionID": "87", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Admin%20Section", "name": "OWASP Juice Shop", "section": "Admin Section", "sectionID": "adminSectionChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Easter%20Egg", "name": "OWASP Juice Shop", "section": "Easter Egg", "sectionID": "easterEggLevelOneChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Five-Star%20Feedback", "name": "OWASP Juice Shop", "section": "Five-Star Feedback", "sectionID": "feedbackChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Forged%20Feedback", "name": "OWASP Juice Shop", "section": "Forged Feedback", "sectionID": "forgedFeedbackChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Forged%20Review", "name": "OWASP Juice Shop", "section": "Forged Review", "sectionID": "forgedReviewChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://demo.owasp-juice.shop//#/score-board?challenge=Manipulate%20Basket", "name": "OWASP Juice Shop", "section": "Manipulate Basket", "sectionID": "basketManipulateChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Product%20Tampering", "name": "OWASP Juice Shop", "section": "Product Tampering", "sectionID": "changeProductChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=SSRF", "name": "OWASP Juice Shop", "section": "SSRF", "sectionID": "ssrfChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=View%20Basket", "name": "OWASP Juice Shop", "section": "View Basket", "sectionID": "basketAccessChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=CSRF", "name": "OWASP Juice Shop", "section": "CSRF", "sectionID": "csrfChallenge", "tags": ["Broken Access Control"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "141-555", "name": "Fail securely"}, "ltype": "Related"}], "name": "Ensure that secure fail-safe is in place for access control"}, {"doctype": "CRE", "id": "848-711", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that input validation is enforced on a trusted service layer. 
([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))", "sectionID": "V1.5.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html", "name": "OWASP Proactive Controls", "section": "C5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/602.html", "name": "CWE", "section": "", "sectionID": "602"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Deserialization Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/162.html", "name": "CAPEC", "section": "Manipulating Hidden Fields", "sectionID": "162", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/202.html", "name": "CAPEC", "section": "Create Malicious Client", "sectionID": "202", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/207.html", "name": "CAPEC", "section": "Removing Important Client Functionality", "sectionID": "207", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/208.html", "name": "CAPEC", "section": "Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements", "sectionID": "208", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/21.html", "name": "CAPEC", "section": "Exploitation of Trusted Identifiers", "sectionID": "21", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/383.html", "name": "CAPEC", "section": "Harvesting Information via API Event Monitoring", "sectionID": "383", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part 
Of"}, {"document": {"doctype": "CRE", "id": "155-155", "name": "Architecture"}, "ltype": "Related"}], "name": "Enforce input validation on a trusted service layer", "tags": ["Architecture"]}, {"doctype": "CRE", "id": "207-435", "links": [{"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "088-377", "name": "Automated dynamic security testing"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "570-487", "name": "Manual penetration testing"}, "ltype": "Contains"}], "name": "Dynamic security testing"}, {"doctype": "CRE", "id": "503-455", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-10", "name": "NIST 800-53 v5", "section": "SI-10 INFORMATION INPUT VALIDATION"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "118-110", "name": "API/web services"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "836-068", "name": "Deserialization Prevention"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "130-550", "name": "File handling"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "866-553", "name": "Memory, String, and Unmanaged Code", "tags": ["Injection protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "308-515", "name": "Prevent security disclosure", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Contains"}, 
{"document": {"doctype": "CRE", "id": "541-441", "name": "Validate HTTP request headers", "tags": ["Injection protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "764-507", "name": "Restrict XML parsing (against XXE)", "tags": ["Configuration", "Injection protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "782-234", "name": "Clear policy compliant I/O requirements"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}], "name": "Input and output protection"}, {"doctype": "CRE", "id": "716-526", "links": [{"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "704-530", "name": "Enforce high entropy session tokens", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "727-043", "name": "Ensure secure algorithms for generating session tokens", "tags": ["Cryptography"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "002-630", "name": "Generate a new session token after authentication"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "455-358", "name": "When storing session tokens in browser, use secure methods only"}, "ltype": "Contains"}], "name": "Session token generation"}, {"doctype": "CRE", "id": "122-287", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. 
([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))", "sectionID": "V6.2.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c8-protect-data-everywhere.html", "name": "OWASP Proactive Controls", "section": "C8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/326.html", "name": "CWE", "section": "", "sectionID": "326"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Protect the connection using HTTPS or use a stronger authentication mechanism", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java", "name": "ZAP Rule", "section": "Weak Authentication Method", "sectionID": "10105", "tags": ["Passive", "10105"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/192.html", "name": "CAPEC", "section": "Protocol Analysis", "sectionID": "192", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", 
"section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Ensure cryptographic elements can be upgraded or replaced"}, {"doctype": "CRE", "id": "668-364", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md", "name": "ASVS", "section": "Verify that backend TLS connection failures are logged.", "sectionID": "V9.2.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/544.html", "name": "CWE", "section": "", "sectionID": "544"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-28", "name": "NIST 800-53 v5", "section": "SC-28 PROTECTION OF INFORMATION AT REST"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Related"}], "name": "Log TLS connection failures"}, {"doctype": "CRE", "id": "510-324", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Independent review of information security", "sectionID": "5.35"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Compliance with policies, rules and standards for information security", "sectionID": "5.36"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/governance/policy-and-compliance/stream-b/", "name": "SAMM", "section": "Compliance Management", "sectionID": "G-PC-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": 
"Contact with authorities", "sectionID": "5.5"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "004-517", "name": "Security requirements"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "217-168", "name": "Audit & accountability"}, "ltype": "Is Part Of"}], "name": "Compliance"}, {"doctype": "CRE", "id": "267-031", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-6", "name": "NIST 800-53 v5", "section": "SC-6 Resource Availability"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "601-182", "name": "Parallel execution robustness"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}], "name": "Protect the availability of resources by providing more to higher-priority processes", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "327-505", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that password change functionality requires the user's current and new password.", "sectionID": "V2.1.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/620.html", "name": "CWE", "section": "", "sectionID": "620"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": 
"Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Related"}], "name": "Change password with presence of old and new password"}, {"doctype": "CRE", "id": "240-274", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy.", "sectionID": "V7.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html", "name": "OWASP Proactive Controls", "section": "C9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/532.html", "name": "CWE", "section": "", "sectionID": "532"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CONF-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/215.html", "name": "CAPEC", "section": "Fuzzing for application mapping", "sectionID": "215", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "843-841", "name": "Log discretely"}, "ltype": "Is Part Of"}], "name": "Log only non-sensitive data"}, {"doctype": "CRE", "id": "601-182", "links": [{"document": {"doctype": "CRE", "id": "854-643", "name": "Robust business logic", "tags": ["Denial Of Service protection"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "670-660", "name": "Do not share unsynchronized state on high-value logic flows"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "380-540", "name": "Ensure business flows' thread safety/resistance to race conditions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "134-412", "name": "Protect sensitive functionalities against race conditions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "267-031", "name": "Protect the availability of resources by providing more to higher-priority processes", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}], "name": "Parallel execution robustness"}, {"doctype": "CRE", "id": "543-428", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that symmetric 
keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system based key storage.", "sectionID": "V2.8.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/320.html", "name": "CWE", "section": "", "sectionID": "320"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Use security module to store one-time password verification keys", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "522-616", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP-1", "name": "NIST 800-53 v5", "section": "MP-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP-2", "name": "NIST 800-53 v5", "section": "MP-2 Media Access"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP-3", "name": "NIST 800-53 v5", "section": "MP-3 Media Marking"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP-4", "name": "NIST 800-53 v5", "section": "MP-4 Media Storage"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Storage media", 
"sectionID": "7.10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP-5", "name": "NIST 800-53 v5", "section": "MP-5 Media Transport"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP-6", "name": "NIST 800-53 v5", "section": "MP-6 Media Sanitization"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP-7", "name": "NIST 800-53 v5", "section": "MP-7 Media Use"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=MP-8", "name": "NIST 800-53 v5", "section": "MP-8 Media Downgrading"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "287-823", "name": "Asset management"}, "ltype": "Related"}], "name": "Media protection"}, {"doctype": "CRE", "id": "834-645", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md", "name": "ASVS", "section": "Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. 
Where such functionality exists, obtain the user's permission for it to operate before collecting any data.", "sectionID": "V10.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/359.html", "name": "CWE", "section": "", "sectionID": "359"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/PII%20Disclosure.js", "name": "ZAP Rule", "section": "Personally Identifiable Information via WebSocket", "sectionID": "110005", "tags": ["110005", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java", "name": "ZAP Rule", "section": "PII Disclosure", "sectionID": "10062", "tags": ["10062", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/464.html", "name": "CAPEC", "section": "Evercookie", "sectionID": "464", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/467.html", "name": "CAPEC", "section": "Cross Site Identification", "sectionID": "467", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/498.html", "name": "CAPEC", "section": "Probe iOS Screenshots", "sectionID": "498", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/508.html", "name": "CAPEC", "section": "Shoulder 
Surfing", "sectionID": "508", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "613-287", "name": "Dependency integrity"}, "ltype": "Is Part Of"}], "name": "Avoid unauthorized client data collection"}, {"doctype": "CRE", "id": "802-056", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account.", "sectionID": "V2.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/307.html", "name": "CWE", "section": "", "sectionID": "307"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authentication Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.4.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}], "name": "Restrict excessive authentication"}, {"doctype": "CRE", "id": "036-147", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains.", "sectionID": "V14.4.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/523.html", "name": "CWE", "section": "", "sectionID": "523"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CONF-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Content Security Policy Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/102.html", "name": "CAPEC", "section": "Session Sidejacking", "sectionID": "102", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Deprecated%20Interface", "name": "OWASP Juice Shop", "section": "Deprecated Interface", "sectionID": "deprecatedInterfaceChallenge", "tags": ["Security 
Misconfiguration"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Error%20Handling", "name": "OWASP Juice Shop", "section": "Error Handling", "sectionID": "errorHandlingChallenge", "tags": ["Security Misconfiguration"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Login%20Support%20Team", "name": "OWASP Juice Shop", "section": "Login Support Team", "sectionID": "loginSupportChallenge", "tags": ["Security Misconfiguration"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Cross-Site%20Imaging", "name": "OWASP Juice Shop", "section": "Cross-Site Imaging", "sectionID": "svgInjectionChallenge", "tags": ["Security Misconfiguration"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Related"}], "name": "Configure HSTS configuration properly"}, {"doctype": "CRE", "id": "613-287", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/", "name": "OWASP Top 10 2021", "section": "Software and Data Integrity Failures", "sectionID": "A08"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-285", "name": "Supply chain management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "834-645", "name": "Avoid unauthorized client data collection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "838-636", "name": "Check source code and third party libraries to not contain backdoors"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "265-800", "name": "Check source code and 
third party libraries to not contain malicious code"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "418-525", "name": "Check source code and third party libraries to not contain timebombs"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "577-260", "name": "Enforce integrity check for externally hosted assets (eg SRI)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "715-223", "name": "Ensure trusted origin of third party resources"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "860-084", "name": "Sandbox third party libraries"}, "ltype": "Contains"}], "name": "Dependency integrity"}, {"doctype": "CRE", "id": "604-025", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that a password strength meter is provided to help users set a stronger password.", "sectionID": "V2.1.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", 
"name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials directives"}, "ltype": "Is Part Of"}], "name": "Provide a password strength meter"}, {"doctype": "CRE", "id": "248-646", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md", "name": "ASVS", "section": "Verify that only the latest recommended versions of the TLS protocol are enabled, such as TLS 1.2 and TLS 1.3. The latest version of the TLS protocol should be the preferred option.", "sectionID": "V9.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/326.html", "name": "CWE", "section": "", "sectionID": "326"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "HTTP Strict Transport Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Protect the connection using HTTPS or use a stronger authentication mechanism", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java", "name": "ZAP Rule", "section": "Weak Authentication Method", "sectionID": "10105", "tags": ["Passive", "10105"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/192.html", "name": "CAPEC", "section": "Protocol Analysis", "sectionID": "192", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "228-551", "name": "TLS", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Disable insecure SSL/TLS versions", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "463-577", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Security Incident Management, E-Discovery, & Cloud Forensics", "sectionID": "SEF"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Assessment and decision on information security events", "sectionID": "5.25"}, "ltype": "Linked To"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-1", "name": "NIST 800-53 v5", "section": "IR-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security incident management planning and preparation", "sectionID": "5.24"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/operations/incident-management/stream-b", "name": "SAMM", "section": "Incident Response", "sectionID": "O-IM-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.", "sectionID": "RV.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-2", "name": "NIST 800-53 v5", "section": "IR-2 Incident Response Training"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-3", "name": "NIST 800-53 v5", "section": "IR-3 Incident Response Testing"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-4", "name": "NIST 800-53 v5", "section": "IR-4 Incident Handling"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Learning from information security incidents", "sectionID": "5.27"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-5", "name": "NIST 
800-53 v5", "section": "IR-5 Incident Monitoring"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Collection of evidence", "sectionID": "5.28"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-6", "name": "NIST 800-53 v5", "section": "IR-6 Incident Reporting"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Information security event reporting", "sectionID": "6.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-7", "name": "NIST 800-53 v5", "section": "IR-7 Incident Response Assistance"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-8", "name": "NIST 800-53 v5", "section": "IR-8 Incident Response Plan"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Response to information security incidents", "sectionID": "5.26"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-9", "name": "NIST 800-53 v5", "section": "IR-9 Information Spillage Response"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "732-148", "name": "Vulnerability management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "887-750", "name": "Detect and respond"}, "ltype": "Is Part Of"}], "name": "Incident response"}, {"doctype": "CRE", "id": "346-640", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that lookup secrets 
have sufficient randomness (112 bits of entropy), or if less than 112 bits of entropy, salted with a unique and random 32-bit salt and hashed with an approved one-way hash.", "sectionID": "V2.6.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/330.html", "name": "CWE", "section": "", "sectionID": "330"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/485.html", "name": "CAPEC", "section": "Signature Spoofing by Key Recreation", "sectionID": "485", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/59.html", "name": "CAPEC", "section": "Session Credential Falsification through Prediction", "sectionID": "59", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Generate multi-factor lookup secrets with sufficient entropy"}, {"doctype": "CRE", "id": "555-048", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens.", "sectionID": "V7.1.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html", "name": "OWASP Proactive Controls", "section": "C9"}, "ltype": 
"Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/778.html", "name": "CWE", "section": "", "sectionID": "778"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CONF-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "402-706", "name": "Log relevant"}, "ltype": "Is Part Of"}], "name": "Log events sufficiently to recreate their order"}, {"doctype": "CRE", "id": "633-428", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-7", "name": "NIST 800-53 v5", "section": "AC-7 UNSUCCESSFUL LOGON ATTEMPTS"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-8", "name": "NIST 800-53 v5", "section": "AC-8 SYSTEM USE NOTIFICATION"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-9", "name": "NIST 800-53 v5", "section": "AC-9 PREVIOUS LOGON NOTIFICATION"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-1", "name": "NIST 800-53 v5", "section": "IA-1 Policy and Procedures"}, "ltype": "Linked To"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-10", "name": "NIST 800-53 v5", "section": "IA-10 Adaptive Authentication"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-12", "name": "NIST 800-53 v5", "section": "IA-12 Identity Proofing"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2", "name": "NIST 800-53 v5", "section": "IA-2 Identification and Authentication (organizational Users)"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-3", "name": "NIST 800-53 v5", "section": "IA-3 Device Identification and Authentication"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-4", "name": "NIST 800-53 v5", "section": "IA-4 Identifier Management"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-5", "name": "NIST 800-53 v5", "section": "IA-5 AUTHENTICATOR MANAGEMENT"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Authentication information", "sectionID": "5.17"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-8", "name": "NIST 800-53 v5", "section": "IA-8 Identification and Authentication (non-organizational Users)"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", 
"section": "Secure authentication", "sectionID": "8.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/", "name": "OWASP Top 10 2021", "section": "Identification and Authentication Failures", "sectionID": "A07"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Bjoern%27s%20Favorite%20Pet", "name": "OWASP Juice Shop", "section": "Bjoern's Favorite Pet", "sectionID": "resetPasswordBjoernOwaspChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Change%20Bender%27s%20Password", "name": "OWASP Juice Shop", "section": "Change Bender's Password", "sectionID": "changePasswordBenderChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=GDPR%20Data%20Erasure", "name": "OWASP Juice Shop", "section": "GDPR Data Erasure", "sectionID": "ghostLoginChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Login%20Bjoern", "name": "OWASP Juice Shop", "section": "Login Bjoern", "sectionID": "oauthUserPasswordChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Password%20Strength", "name": "OWASP Juice Shop", "section": "Password Strength", "sectionID": "weakPasswordChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://demo.owasp-juice.shop//#/score-board?challenge=Reset%20Bender%27s%20Password", "name": "OWASP Juice Shop", "section": "Reset Bender's Password", "sectionID": "resetPasswordBenderChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Reset%20Bjoern%27s%20Password", "name": "OWASP Juice Shop", "section": "Reset Bjoern's Password", "sectionID": "resetPasswordBjoernChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Reset%20Jim%27s%20Password", "name": "OWASP Juice Shop", "section": "Reset Jim's Password", "sectionID": "resetPasswordJimChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Two%20Factor%20Authentication", "name": "OWASP Juice Shop", "section": "Two Factor Authentication", "sectionID": "twoFactorAuthUnsafeSecretStorageChallenge", "tags": ["Broken Authentication"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "223-780", "name": "Secret storage", "tags": ["Cryptography"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "636-660", "name": "Technical application security controls"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "455-885", "name": "Credentials directives"}, "ltype": "Contains"}], "name": "Authentication"}, {"doctype": "CRE", "id": "157-587", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-41", "name": "NIST 800-53 v5", "section": "SC-41 Port and 
I/O Device Access"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Security of assets off-premises", "sectionID": "7.9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-15", "name": "NIST 800-53 v5", "section": "SC-15 Collaborative Computing Devices and Applications"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Equipment siting and protection", "sectionID": "7.8"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "850-376", "name": "Facilities management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "287-823", "name": "Asset management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "114-853", "name": "Maintenance"}, "ltype": "Contains"}], "name": "Equipment management"}, {"doctype": "CRE", "id": "635-851", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/governance/strategy-and-metrics/stream-a", "name": "SAMM", "section": "Create and Promote", "sectionID": "G-SM-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/governance/strategy-and-metrics/stream-b/", "name": "SAMM", "section": "Measure and Improve", "sectionID": "G-SM-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created.", "sectionID": "RV.3.4"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "261-010", "name": "Program management for secure software development"}, "ltype": "Is Part Of"}], "name": "Steer the secure software development program"}, {"doctype": "CRE", "id": "623-347", "links": [{"document": 
{"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify shared or default accounts are not present (e.g. \"root\", \"admin\", or \"sa\").", "sectionID": "V2.5.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/16.html", "name": "CWE", "section": "", "sectionID": "16"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "A.3"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that only POST is accepted where POST is expected.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java", "name": "ZAP Rule", "section": "GET for POST", "sectionID": "10058", "tags": ["Active", "10058"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure that your web server, application server, load balancer, etc. 
is configured to set the Permissions-Policy header instead of the Feature-Policy header.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/PermissionsPolicyScanRule.java", "name": "ZAP Rule", "section": "Deprecated Feature Policy Header Set", "sectionID": "10063-2", "tags": ["10063-2", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "247-250", "name": "Access control processes"}, "ltype": "Is Part Of"}], "name": "Disallow shared high privileged accounts"}, {"doctype": "CRE", "id": "760-765", "links": [{"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=API-only%20XSS", "name": "OWASP Juice Shop", "section": "API-only XSS", "sectionID": "restfulXssChallenge", "tags": ["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=CSP%20Bypass", "name": "OWASP Juice Shop", "section": "CSP Bypass", "sectionID": "usernameXssChallenge", "tags": ["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Client-side%20XSS%20Protection", "name": "OWASP Juice Shop", "section": "Client-side XSS Protection", "sectionID": "persistedXssUserChallenge", "tags": ["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=DOM%20XSS", "name": "OWASP Juice Shop", "section": "DOM XSS", "sectionID": "localXssChallenge", "tags": ["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=HTTP-Header%20XSS", "name": "OWASP Juice Shop", "section": "HTTP-Header XSS", "sectionID": "httpHeaderXssChallenge", "tags": 
["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Reflected%20XSS", "name": "OWASP Juice Shop", "section": "Reflected XSS", "sectionID": "reflectedXssChallenge", "tags": ["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Server-side%20XSS%20Protection", "name": "OWASP Juice Shop", "section": "Server-side XSS Protection", "sectionID": "persistedXssFeedbackChallenge", "tags": ["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Video%20XSS", "name": "OWASP Juice Shop", "section": "Video XSS", "sectionID": "videoXssChallenge", "tags": ["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=XXE%20Data%20Access", "name": "OWASP Juice Shop", "section": "XXE Data Access", "sectionID": "xxeFileDisclosureChallenge", "tags": ["XXE"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=XXE%20DoS", "name": "OWASP Juice Shop", "section": "XXE DoS", "sectionID": "xxeDosChallenge", "tags": ["XXE"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Bonus%20Payload", "name": "OWASP Juice Shop", "section": "Bonus Payload", "sectionID": "xssBonusChallenge", "tags": ["XSS"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "546-564", "name": "Cross-cutting concerns"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "760-764", "name": "Injection protection", "tags": ["XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "257-668", 
"name": "Configure CSP configuration properly", "tags": ["XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "384-344", "name": "Store and serve user-uploaded files such that they cannot execute/damage server or client", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "161-451", "name": "Output encoding and injection prevention", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "804-220", "name": "Set httponly attribute for cookie-based session tokens", "tags": ["XSS protection"]}, "ltype": "Related"}], "name": "XSS protection", "tags": ["Injection protection"]}, {"doctype": "CRE", "id": "273-600", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify the segregation of components of differing trust levels through well-defined security controls, firewall rules, API gateways, reverse proxies, cloud-based security groups, or similar mechanisms.", "sectionID": "V1.14.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/923.html", "name": "CWE", "section": "", "sectionID": "923"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Network Architecture Documentation", "sectionID": "IVS-08"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/161.html", "name": "CAPEC", "section": "Infrastructure Manipulation", 
"sectionID": "161", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/481.html", "name": "CAPEC", "section": "Contradictory Destinations in Traffic Routing Schemes", "sectionID": "481", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/501.html", "name": "CAPEC", "section": "Android Activity Hijack", "sectionID": "501", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/697.html", "name": "CAPEC", "section": "DHCP Spoofing", "sectionID": "697", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Arbitrary%20File%20Write", "name": "OWASP Juice Shop", "section": "Arbitrary File Write", "sectionID": "fileWriteChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Forged%20Signed%20JWT", "name": "OWASP Juice Shop", "section": "Forged Signed JWT", "sectionID": "jwtForgedChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Frontend%20Typosquatting", "name": "OWASP Juice Shop", "section": "Frontend Typosquatting", "sectionID": "typosquattingAngularChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Legacy%20Typosquatting", "name": "OWASP Juice Shop", "section": "Legacy Typosquatting", "sectionID": "typosquattingNpmChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": 
"https://demo.owasp-juice.shop//#/score-board?challenge=Supply%20Chain%20Attack", "name": "OWASP Juice Shop", "section": "Supply Chain Attack", "sectionID": "supplyChainAttackChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Unsigned%20JWT", "name": "OWASP Juice Shop", "section": "Unsigned JWT", "sectionID": "jwtUnsignedChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Vulnerable%20Library", "name": "OWASP Juice Shop", "section": "Vulnerable Library", "sectionID": "knownVulnerableComponentChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Kill%20Chatbot", "name": "OWASP Juice Shop", "section": "Kill Chatbot", "sectionID": "killChatbotChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Local%20File%20Read", "name": "OWASP Juice Shop", "section": "Local File Read", "sectionID": "lfrChallenge", "tags": ["Vulnerable Components"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "467-784", "name": "Network security"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Related"}], "name": "Segregate components of differing trust levels"}, {"doctype": "CRE", "id": "206-254", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that the initial authentication code is generated by a secure 
random number generator, containing at least 20 bits of entropy (typically a six digital random number is sufficient).", "sectionID": "V2.7.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/310.html", "name": "CWE", "section": "", "sectionID": "310"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "062-850", "name": "MFA/OTP", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Use secure random to generate initial authentication codes", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "433-122", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. 
The method of generation must be appropriate for the algorithm being used.", "sectionID": "V6.2.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/326.html", "name": "CWE", "section": "", "sectionID": "326"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Protect the connection using HTTPS or use a stronger authentication mechanism", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java", "name": "ZAP Rule", "section": "Weak Authentication Method", "sectionID": "10105", "tags": ["Passive", "10105"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/192.html", "name": "CAPEC", "section": "Protocol Analysis", "sectionID": "192", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use nonces and initialization vectors only once"}, {"doctype": "CRE", "id": "146-706", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that JSON schema validation is in place and verified before accepting input.", "sectionID": "V13.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/20.html", "name": "CWE", "section": "", "sectionID": "20"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Assessment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java", "name": "ZAP Rule", "section": "Relative Path Confusion", "sectionID": "10051", "tags": ["Active", "10051"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": 
{"description": "All forms must specify the action URL.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java", "name": "ZAP Rule", "section": "HTTP Parameter Override", "sectionID": "10026", "tags": ["Passive", "10026"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Properly sanitize the user input for parameter delimiters", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java", "name": "ZAP Rule", "section": "HTTP Parameter Pollution", "sectionID": "20014", "tags": ["Active", "20014"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/RemoteCodeExecutionCve20121823ScanRule.java", "name": "ZAP Rule", "section": "Remote Code Execution - CVE-2012-1823", "sectionID": "20018", "tags": ["Active", "20018"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureCve20121823ScanRule.java", "name": "ZAP Rule", "section": "Source Code Disclosure - CVE-2012-1823", "sectionID": "20017", "tags": ["Active", "20017"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java", "name": "ZAP 
Rule", "section": "Httpoxy - Proxy Header Misuse", "sectionID": "10107", "tags": ["Active", "10107"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/10.html", "name": "CAPEC", "section": "Buffer Overflow via Environment Variables", "sectionID": "10", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/101.html", "name": "CAPEC", "section": "Server Side Include (SSI) Injection", "sectionID": "101", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/108.html", "name": "CAPEC", "section": "Command Line Execution through SQL Injection", "sectionID": "108", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/109.html", "name": "CAPEC", "section": "Object Relational Mapping Injection", "sectionID": "109", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/110.html", "name": "CAPEC", "section": "SQL Injection through SOAP Parameter Tampering", "sectionID": "110", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/120.html", "name": "CAPEC", "section": "Double Encoding", "sectionID": "120", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/13.html", "name": "CAPEC", "section": "Subverting Environment Variable Values", "sectionID": "13", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", 
"hyperlink": "https://capec.mitre.org/data/definitions/135.html", "name": "CAPEC", "section": "Format String Injection", "sectionID": "135", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/136.html", "name": "CAPEC", "section": "LDAP Injection", "sectionID": "136", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/14.html", "name": "CAPEC", "section": "Client-side Injection-induced Buffer Overflow", "sectionID": "14", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/153.html", "name": "CAPEC", "section": "Input Data Manipulation", "sectionID": "153", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/182.html", "name": "CAPEC", "section": "Flash Injection", "sectionID": "182", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/209.html", "name": "CAPEC", "section": "XSS Using MIME Type Mismatch", "sectionID": "209", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/22.html", "name": "CAPEC", "section": "Exploiting Trust in Client", "sectionID": "22", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/23.html", "name": "CAPEC", "section": "File Content Injection", "sectionID": "23", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/230.html", "name": "CAPEC", "section": "Serialized Data with Nested Payloads", "sectionID": "230", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/231.html", "name": "CAPEC", "section": "Oversized Serialized Data Payloads", "sectionID": "231", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/24.html", "name": "CAPEC", "section": "Filter Failure through Buffer Overflow", "sectionID": "24", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/250.html", "name": "CAPEC", "section": "XML Injection", "sectionID": "250", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/261.html", "name": "CAPEC", "section": "Fuzzing for garnering other adjacent user/sensitive data", "sectionID": "261", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/267.html", "name": "CAPEC", "section": "Leverage Alternate Encoding", "sectionID": "267", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/28.html", "name": "CAPEC", "section": "Fuzzing", "sectionID": "28", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/3.html", "name": "CAPEC", "section": "Using Leading 'Ghost' Character Sequences to Bypass Input Filters", "sectionID": "3", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/31.html", "name": "CAPEC", "section": "Accessing/Intercepting/Modifying HTTP Cookies", "sectionID": "31", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/42.html", "name": "CAPEC", "section": "MIME Conversion", "sectionID": "42", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/43.html", "name": "CAPEC", "section": "Exploiting Multiple Input Interpretation Layers", "sectionID": "43", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/46.html", "name": "CAPEC", "section": "Overflow Variables and Tags", "sectionID": "46", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/47.html", "name": "CAPEC", "section": "Buffer Overflow via Parameter Expansion", "sectionID": "47", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/473.html", "name": "CAPEC", "section": "Signature Spoof", "sectionID": "473", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/52.html", "name": "CAPEC", "section": "Embedding NULL Bytes", "sectionID": "52", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/53.html", "name": "CAPEC", "section": "Postfix, Null Terminate, and Backslash", "sectionID": "53", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/588.html", "name": "CAPEC", "section": "DOM-Based XSS", "sectionID": "588", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/63.html", "name": "CAPEC", "section": "Cross-Site Scripting (XSS)", "sectionID": "63", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/64.html", "name": "CAPEC", "section": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", "sectionID": "64", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/664.html", "name": "CAPEC", "section": "Server Side Request Forgery", "sectionID": "664", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/67.html", "name": "CAPEC", "section": "String Format Overflow in syslog()", "sectionID": "67", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/7.html", "name": "CAPEC", "section": "Blind SQL Injection", "sectionID": "7", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/71.html", "name": "CAPEC", "section": "Using Unicode Encoding to Bypass Validation Logic", "sectionID": "71", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/72.html", "name": "CAPEC", "section": "URL Encoding", "sectionID": "72", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/78.html", "name": "CAPEC", "section": "Using Escaped Slashes in Alternate Encoding", "sectionID": "78", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/79.html", "name": "CAPEC", "section": "Using Slashes in Alternate Encoding", "sectionID": "79", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": 
"Standard", "hyperlink": "https://capec.mitre.org/data/definitions/8.html", "name": "CAPEC", "section": "Buffer Overflow in an API Call", "sectionID": "8", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/80.html", "name": "CAPEC", "section": "Using UTF-8 Encoding to Bypass Validation Logic", "sectionID": "80", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/83.html", "name": "CAPEC", "section": "XPath Injection", "sectionID": "83", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/88.html", "name": "CAPEC", "section": "OS Command Injection", "sectionID": "88", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/9.html", "name": "CAPEC", "section": "Buffer Overflow in Local Command-Line Utilities", "sectionID": "9", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Enforce JSON schema before processing"}, {"doctype": "CRE", "id": "456-535", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md", "name": "ASVS", "section": "Verify that the application will only process business logic flows with all steps being 
processed in realistic human time, i.e. transactions are not submitted too quickly.", "sectionID": "V11.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/799.html", "name": "CWE", "section": "", "sectionID": "799"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-$$"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "552-588", "name": "Detect and prevent unusual activity"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "623-550", "name": "Denial Of Service protection"}, "ltype": "Related"}], "name": "Monitor for realistic \"human time\" business logic flows", "tags": ["Denial Of Service protection"]}, {"doctype": "CRE", "id": "128-128", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-3", "name": "NIST 800-53 v5", "section": "AC-3 ACCESS ENFORCEMENT"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access control"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "822-100", "name": "Constrain functional features based on user stories"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "201-246", "name": "Use multifactor authentication on administrative interfaces"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "640-364", "name": "Enforce access control on trusted parts/serverside", "tags": ["Architecture"]}, 
"ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "650-560", "name": "Enforce access control on trusted service layer", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "284-521", "name": "Enforce additional authorization and segregation of duties"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "664-080", "name": "Enforce model-based authorization both at URI and final resource"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "166-151", "name": "Ensure that secure fail-safe is in place for access control"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "746-705", "name": "Limit/authorize user's access to functionality"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "615-744", "name": "Protect against directory browsing/discovery attacks", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "304-667", "name": "Protect API against unauthorized access/modification (IDOR)"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "801-310", "name": "Use ABAC/FBAC on data/feature level, even when using RBAC for permissions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "060-472", "name": "Use CSRF protection against authenticated functionality, add anti-automation controls for unauthenticated functionality", "tags": ["CSRF protection"]}, "ltype": "Contains"}], "name": "Strong authorization checking"}, {"doctype": "CRE", "id": "268-100", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that a suitable Referrer-Policy header is included to avoid exposing sensitive information in the URL through the Referer header to untrusted parties.", "sectionID": "V14.4.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/116.html", "name": "CWE", 
"section": "", "sectionID": "116"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Content Security Policy Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "636-347", "name": "HTTP security headers"}, "ltype": "Is Part Of"}], "name": "Configure Referrer-Policy properly"}, {"doctype": "CRE", "id": "872-574", "links": [{"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Protection against malware", "sectionID": "8.7"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "148-227", "name": "Endpoint management"}, "ltype": "Is Part Of"}], "name": "Virus/malware protection"}, {"doctype": "CRE", "id": "615-744", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", "section": "Verify that directory browsing is disabled unless deliberately desired. 
Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders.", "sectionID": "V4.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/548.html", "name": "CWE", "section": "", "sectionID": "548"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CONF-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Assessment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Configure the web server to disable directory browsing.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java", "name": "ZAP Rule", "section": "Directory Browsing", "sectionID": "10033", "tags": ["10033", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Disable directory browsing. 
If this is required, make sure the listed files does not induce risks.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java", "name": "ZAP Rule", "section": "Directory Browsing", "sectionID": "0", "tags": ["Active", "0"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "486-813", "name": "Configuration"}, "ltype": "Related"}], "name": "Protect against directory browsing/discovery attacks", "tags": ["Configuration"]}, {"doctype": "CRE", "id": "513-183", "links": [{"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "612-435", "name": "Show generic message for security exceptions or unanticipated exceptions"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "118-602", "name": "Use a standard last-resort error handler for unhandled errors"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "863-636", "name": "Use exception handling uniformly"}, "ltype": "Contains"}], "name": "Error handling"}, {"doctype": "CRE", "id": "732-148", "links": [{"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Application Vulnerability Remediation", "sectionID": "AIS-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Management of technical vulnerabilities", "sectionID": "8.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/implementation/defect-management/stream-a", "name": "SAMM", "section": "Defect Tracking", "sectionID": "I-DM-A"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Gather information from 
software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.", "sectionID": "RV.1.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-2", "name": "NIST 800-53 v5", "section": "SI-2 Flaw Remediation"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "Cloud Controls Matrix", "section": "Threat & Vulnerability Management", "sectionID": "TVM"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owaspsamm.org/model/implementation/defect-management/stream-b", "name": "SAMM", "section": "Metrics and Feedback", "sectionID": "I-DM-B"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Analyze each vulnerability to gather sufficient information about risk to plan its remediation or other risk response.", "sectionID": "RV.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Plan and implement risk responses for vulnerabilities.", "sectionID": "RV.2.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Analyze identified vulnerabilities to determine their root causes.", "sectionID": "RV.3.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently.", "sectionID": "RV.3.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Review the software for similar vulnerabilities to eradicate a class of vulnerabilities, and proactively fix them rather than waiting for external reports.", "sectionID": "RV.3.3"}, "ltype": "Linked To"}, {"document": 
{"doctype": "CRE", "id": "463-577", "name": "Incident response"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "613-286", "name": "Dependency management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "433-442", "name": "Verification"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "010-678", "name": "Improvement management"}, "ltype": "Is Part Of"}], "name": "Vulnerability management"}, {"doctype": "CRE", "id": "683-722", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection.", "sectionID": "V12.3.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/78.html", "name": "CWE", "section": "", "sectionID": "78"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-INPV-12"}, "ltype": "Linked To"}, {"document": {"description": "Update Bash on the server to the latest version", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ShellShockScanRule.java", "name": "ZAP Rule", "section": "Remote Code Execution - Shell Shock", "sectionID": "10048", "tags": ["Active", "10048"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Upgrade Spring Framework to versions 5.3.18, 5.2.20, or newer.", "doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java", "name": "ZAP Rule", "section": "Spring4Shell", "sectionID": "40045", "tags": ["Active", "40045"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java", "name": "ZAP Rule", "section": "Remote OS Command Injection", "sectionID": "90020", "tags": ["Active", "90020"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/108.html", "name": "CAPEC", "section": "Command Line Execution through SQL Injection", "sectionID": "108", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/15.html", "name": "CAPEC", "section": "Command Delimiters", "sectionID": "15", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/43.html", "name": "CAPEC", "section": "Exploiting Multiple Input Interpretation Layers", "sectionID": "43", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/6.html", "name": "CAPEC", "section": "Argument Injection", "sectionID": "6", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/88.html", "name": "CAPEC", "section": "OS Command Injection", "sectionID": "88", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "451-082", "name": "File execution"}, "ltype": "Is Part Of"}], "name": "Block direct execution of file metadata from untrusted origin"}, {"doctype": "CRE", "id": "757-271", "links": [{"document": 
{"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that a source code control system is in use, with procedures to ensure that check-ins are accompanied by issues or change tickets. The source code control system should have access control and identifiable users to allow traceability of any changes.", "sectionID": "V1.10.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/284.html", "name": "CWE", "section": "", "sectionID": "284"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Third Party Javascript Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Virtual_Patching_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Virtual Patching Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/websocket/src/main/zapHomeFiles/scripts/templates/websocketpassive/Username%20Idor%20Scanner.js", "name": "ZAP Rule", "section": "Username Hash Found in WebSocket message", "sectionID": "110007", "tags": ["110007", "WebSocket Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Use per user or session indirect object references (create a temporary mapping at time of use). 
Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. ", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java", "name": "ZAP Rule", "section": "Username Hash Found", "sectionID": "10057", "tags": ["10057", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/19.html", "name": "CAPEC", "section": "Embedding Scripts within Scripts", "sectionID": "19", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/441.html", "name": "CAPEC", "section": "Malicious Logic Insertion", "sectionID": "441", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/478.html", "name": "CAPEC", "section": "Modification of Windows Service Configuration", "sectionID": "478", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/479.html", "name": "CAPEC", "section": "Malicious Root Certificate", "sectionID": "479", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/502.html", "name": "CAPEC", "section": "Intent Spoof", "sectionID": "502", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/503.html", "name": "CAPEC", "section": "WebView Exposure", "sectionID": "503", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/536.html", "name": "CAPEC", "section": "Data Injected During Configuration", "sectionID": "536", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/546.html", "name": "CAPEC", "section": "Incomplete Data Deletion in a Multi-Tenant Environment", "sectionID": "546", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/550.html", "name": "CAPEC", "section": "Install New Service", "sectionID": "550", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/551.html", "name": "CAPEC", "section": "Modify Existing Service", "sectionID": "551", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/552.html", "name": "CAPEC", "section": "Install Rootkit ", "sectionID": "552", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/556.html", "name": "CAPEC", "section": "Replace File Extension Handlers", "sectionID": "556", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/558.html", "name": "CAPEC", "section": "Replace Trusted Executable", "sectionID": "558", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/562.html", "name": "CAPEC", "section": "Modify Shared File", "sectionID": "562", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/563.html", "name": "CAPEC", "section": "Add Malicious File to Shared Webroot", "sectionID": "563", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/564.html", "name": "CAPEC", "section": "Run Software at Logon", "sectionID": "564", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/578.html", "name": "CAPEC", "section": "Disable Security Software", "sectionID": "578", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "080-466", "name": "Developer Configuration Management"}, "ltype": "Is Part Of"}], "name": "Use source code control system with change traceability and access control"}, {"doctype": "CRE", "id": "545-243", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content.", "sectionID": "V12.5.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/434.html", "name": "CWE", "section": "", "sectionID": "434"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-09"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "130-550", "name": "File handling"}, "ltype": "Is Part Of"}], "name": "Block execution/output of uploaded files"}, {"doctype": "CRE", "id": "542-445", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML 
sanitizer library or framework feature. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))", "sectionID": "V5.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html", "name": "OWASP Proactive Controls", "section": "C5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/116.html", "name": "CWE", "section": "", "sectionID": "116"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/03-Testing_for_HTML_Injection.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-03"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/73.html", "name": "CAPEC", "section": "User-Controlled Filename", "sectionID": "73", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/85.html", "name": "CAPEC", "section": "AJAX Footprinting", "sectionID": "85", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Sanitize untrusted HTML input"}, {"doctype": "CRE", "id": "175-235", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that files obtained from untrusted sources are validated to be of expected type based on the file's content.", "sectionID": "V12.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/434.html", "name": "CWE", "section": "", "sectionID": "434"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "File Upload Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Third Party Javascript Management 
Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "130-550", "name": "File handling"}, "ltype": "Is Part Of"}], "name": "Validate file type of data from untrusted sources"}, {"doctype": "CRE", "id": "636-660", "links": [{"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization\u2019s requirements", "sectionID": "PW.5.1"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "633-428", "name": "Authentication"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "233-748", "name": "Configuration hardening", "tags": ["Configuration"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "503-455", "name": "Input and output protection"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "842-876", "name": "Logging and error handling"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "854-643", "name": "Robust business logic", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "278-646", "name": "Secure communication"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "126-668", "name": "Secure data storage"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "708-355", "name": "Secure implemented architecture", "tags": ["Architecture"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "177-260", "name": "Session management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "724-770", "name": "Technical application access 
control"}, "ltype": "Contains"}], "name": "Technical application security controls"}, {"doctype": "CRE", "id": "118-602", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that a \"last resort\" error handler is defined which will catch all unhandled exceptions.", "sectionID": "V7.4.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c10-handle-errors-exceptions.html", "name": "OWASP Proactive Controls", "section": "C10"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/431.html", "name": "CWE", "section": "", "sectionID": "431"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ERRH-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Error Handling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "513-183", "name": "Error handling"}, "ltype": "Is Part Of"}], "name": "Use a standard last-resort error handler for unhandled errors"}, {"doctype": "CRE", "id": "232-325", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that the architecture treats client-side secrets--such as symmetric keys, passwords, or API tokens--as insecure and never uses them to protect or access sensitive data.", "sectionID": "V1.6.4"}, "ltype": "Linked To"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/320.html", "name": "CWE", "section": "", "sectionID": "320"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "400-007", "name": "Encrypt data at rest", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Treat client-secrets as insecure"}, {"doctype": "CRE", "id": "287-823", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-5", "name": "NIST 800-53 v5", "section": "PM-5 System Inventory"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "ISO 27001", "section": "Inventory of information and other associated assets", "sectionID": "5.9"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "766-162", "name": "Security Analysis and documentation"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "074-873", "name": "Data classification and handling"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "571-640", "name": "Personal data handling management"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "157-587", "name": "Equipment management"}, "ltype": "Related"}, {"document": {"doctype": "CRE", "id": "522-616", "name": "Media protection"}, "ltype": "Related"}], "name": "Asset management"}, {"doctype": "CRE", "id": "040-843", "links": [{"document": {"doctype": "CRE", "id": "130-550", "name": "File handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "314-701", "name": "Whitelist file extensions served by web tier"}, "ltype": "Contains"}], "name": "File download"}, {"doctype": "CRE", "id": "356-282", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-21", "name": "NIST 800-53 v5", "section": "SI-21 Information Refresh"}, "ltype": "Linked To"}, {"document": 
{"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Access%20Log", "name": "OWASP Juice Shop", "section": "Access Log", "sectionID": "accessLogDisclosureChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Confidential%20Document", "name": "OWASP Juice Shop", "section": "Confidential Document", "sectionID": "directoryListingChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Email%20Leak", "name": "OWASP Juice Shop", "section": "Email Leak", "sectionID": "emailLeakChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Forgotten%20Developer%20Backup", "name": "OWASP Juice Shop", "section": "Forgotten Developer Backup", "sectionID": "forgottenDevBackupChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Forgotten%20Sales%20Backup", "name": "OWASP Juice Shop", "section": "Forgotten Sales Backup", "sectionID": "forgottenBackupChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=GDPR%20Data%20Theft", "name": "OWASP Juice Shop", "section": "GDPR Data Theft", "sectionID": "dataExportChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Leaked%20Access%20Logs", "name": "OWASP Juice Shop", "section": "Leaked 
Access Logs", "sectionID": "dlpPasswordSprayingChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Leaked%20Unsafe%20Product", "name": "OWASP Juice Shop", "section": "Leaked Unsafe Product", "sectionID": "dlpPastebinDataLeakChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Login%20Amy", "name": "OWASP Juice Shop", "section": "Login Amy", "sectionID": "loginAmyChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Login%20MC%20SafeSearch", "name": "OWASP Juice Shop", "section": "Login MC SafeSearch", "sectionID": "loginRapperChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Misplaced%20Signature%20File", "name": "OWASP Juice Shop", "section": "Misplaced Signature File", "sectionID": "misplacedSignatureFileChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Retrieve%20Blueprint", "name": "OWASP Juice Shop", "section": "Retrieve Blueprint", "sectionID": "retrieveBlueprintChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Exposed%20Metrics", "name": "OWASP Juice Shop", "section": "Exposed Metrics", "sectionID": "exposedMetricsChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": 
{"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Reset%20Uvogin%27s%20Password", "name": "OWASP Juice Shop", "section": "Reset Uvogin's Password", "sectionID": "resetPasswordUvoginChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Meta%20Geo%20Stalking", "name": "OWASP Juice Shop", "section": "Meta Geo Stalking", "sectionID": "geoStalkingMetaChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "Tool", "hyperlink": "https://demo.owasp-juice.shop//#/score-board?challenge=Visual%20Geo%20Stalking", "name": "OWASP Juice Shop", "section": "Visual Geo Stalking", "sectionID": "geoStalkingVisualChallenge", "tags": ["Sensitive Data Exposure"], "tooltype": "Training"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "854-643", "name": "Robust business logic", "tags": ["Denial Of Service protection"]}, "ltype": "Is Part Of"}], "name": "Minimize sensitive data scattering and retention"}, {"doctype": "CRE", "id": "621-287", "links": [{"document": {"doctype": "CRE", "id": "130-550", "name": "File handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "163-518", "name": "Check uploaded archives for decompression attacks (eg zip bombs)", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "463-820", "name": "Limit size and number of uploaded files", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "112-273", "name": "Scan untrusted files for malware"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "384-344", "name": "Store and serve user-uploaded files such that they cannot execute/damage server or client", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Contains"}, {"document": 
{"doctype": "CRE", "id": "660-052", "name": "Validate max input/file sizes", "tags": ["Denial Of Service protection"]}, "ltype": "Contains"}], "name": "File upload"}, {"doctype": "CRE", "id": "358-860", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that if OTP or multi-factor authentication factors are lost, that evidence of identity proofing is performed at the same level as during enrollment.", "sectionID": "V2.5.7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/308.html", "name": "CWE", "section": "", "sectionID": "308"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "6.1.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, 
{"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/644.html", "name": "CAPEC", "section": "Use of Captured Hashes (Pass The Hash)", "sectionID": "644", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/645.html", "name": "CAPEC", "section": "Use of Captured Tickets (Pass The Ticket)", "sectionID": "645", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": 
"3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "520-617", "name": "Credential recovery"}, "ltype": "Is Part Of"}], "name": "Require proof of identity of the same level as during enrollment when recovering OTP or MFA"}, {"doctype": "CRE", "id": "878-880", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in comparisons, calculations, or returns, to avoid leaking information.", "sectionID": "V6.2.8"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/385.html", "name": "CWE", "section": "", "sectionID": "385"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/462.html", "name": "CAPEC", "section": "Cross-Domain Search Timing", "sectionID": "462", "version": "3.9"}, "ltype": "SAME"}, {"document": 
{"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Perform cryptographic operations in constant time"}, {"doctype": "CRE", "id": "314-131", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization, data execution prevention, and to break the build if an unsafe pointer, memory, format string, integer, or string operations are found.", "sectionID": "V14.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/120.html", "name": "CWE", "section": "", "sectionID": "120"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Use compiler, interpreter, and build tools that offer features to improve executable security.", "sectionID": "PW.6.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST SSDF", "section": "Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations.", "sectionID": "PW.6.2"}, "ltype": "Linked To"}, {"document": {"description": "Rewrite the background program using proper return length checking. 
This will require a recompile of the background executable.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java", "name": "ZAP Rule", "section": "Buffer Overflow", "sectionID": "30001", "tags": ["Active", "30001"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/10.html", "name": "CAPEC", "section": "Buffer Overflow via Environment Variables", "sectionID": "10", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/100.html", "name": "CAPEC", "section": "Overflow Buffers", "sectionID": "100", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/14.html", "name": "CAPEC", "section": "Client-side Injection-induced Buffer Overflow", "sectionID": "14", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/24.html", "name": "CAPEC", "section": "Filter Failure through Buffer Overflow", "sectionID": "24", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/42.html", "name": "CAPEC", "section": "MIME Conversion", "sectionID": "42", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/44.html", "name": "CAPEC", "section": "Overflow Binary Resource File", "sectionID": "44", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/45.html", "name": "CAPEC", "section": "Buffer Overflow via Symbolic Links", "sectionID": "45", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/46.html", "name": "CAPEC", "section": "Overflow Variables and Tags", "sectionID": "46", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/47.html", "name": "CAPEC", "section": "Buffer Overflow via Parameter Expansion", "sectionID": "47", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/67.html", "name": "CAPEC", "section": "String Format Overflow in syslog()", "sectionID": "67", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/8.html", "name": "CAPEC", "section": "Buffer Overflow in an API Call", "sectionID": "8", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/9.html", "name": "CAPEC", "section": "Buffer Overflow in Local Command-Line Utilities", "sectionID": "9", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/92.html", "name": "CAPEC", "section": "Forced Integer Overflow", "sectionID": "92", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "473-177", "name": "Deploy/build"}, "ltype": "Is Part Of"}], "name": "Use features in compile and build tools for executable security"}, {"doctype": "CRE", "id": "543-512", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.", "sectionID": "V13.2.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/436.html", "name": "CWE", "section": "", "sectionID": "436"}, 
"ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Assessment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java", "name": "ZAP Rule", "section": "Charset Mismatch", "sectionID": "90011", "tags": ["Passive", "90011"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/105.html", "name": "CAPEC", "section": "HTTP Request Splitting", "sectionID": "105", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/273.html", "name": "CAPEC", "section": "HTTP Response Smuggling", "sectionID": "273", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/34.html", "name": "CAPEC", "section": "HTTP Response Splitting", "sectionID": "34", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "071-288", "name": "RESTful"}, "ltype": "Is Part Of"}], "name": "Verify content-type for 
REST services"}, {"doctype": "CRE", "id": "630-577", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that \"paste\" functionality, browser password helpers, and external password managers are permitted.", "sectionID": "V2.1.11"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "789-320", "name": "Login functionality"}, "ltype": "Is Part Of"}], "name": "Allow password helpers, including paste functionality"}, {"doctype": "CRE", "id": "822-100", "links": [{"document": {"doctype": "Standard", "hyperlink": 
"https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify that all user stories and features contain functional security constraints, such as \"As a user, I should be able to view and edit my profile. I should not be able to view or edit anyone else's profile\"", "sectionID": "V1.1.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/1110.html", "name": "CWE", "section": "", "sectionID": "1110"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Threat Modeling Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Abuse Case Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Attack Surface Analysis Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "128-128", "name": "Strong authorization checking"}, "ltype": "Is Part Of"}], "name": "Constrain functional features based on user stories"}, {"doctype": "CRE", "id": "860-084", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour into the application.", "sectionID": "V14.2.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c2-leverage-security-frameworks-libraries.html", "name": "OWASP 
Proactive Controls", "section": "C2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/265.html", "name": "CWE", "section": "", "sectionID": "265"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Docker Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Vulnerable Dependency Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "613-287", "name": "Dependency integrity"}, "ltype": "Is Part Of"}], "name": "Sandbox third party libraries"}, {"doctype": "CRE", "id": "758-262", "links": [{"document": {"doctype": "CRE", "id": "130-550", "name": "File handling"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "307-111", "name": "Securely store files with untrusted origin"}, "ltype": "Contains"}], "name": "File storage"}, {"doctype": "CRE", "id": "814-322", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md", "name": "ASVS", "section": "Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from.", "sectionID": "V12.6.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/918.html", "name": "CWE", "section": "", "sectionID": "918"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html", "name": "OWASP 
Web Security Testing Guide (WSTG)", "section": "WSTG-BUSL-09"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Do not accept remote addresses as request parameters, and if you must, ensure that they are validated against an allow-list of expected values.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SsrfScanRule.java", "name": "ZAP Rule", "section": "Server Side Request Forgery", "sectionID": "40046", "tags": ["Active", "40046"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/664.html", "name": "CAPEC", "section": "Server Side Request Forgery", "sectionID": "664", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "233-748", "name": "Configuration hardening", "tags": ["Configuration"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "028-727", "name": "SSRF protection"}, "ltype": "Related"}], "name": "Whitelist data sources and sinks", "tags": ["SSRF protection"]}, {"doctype": "CRE", "id": "820-421", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md", "name": "ASVS", "section": "Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the 
application.", "sectionID": "V14.5.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/306.html", "name": "CWE", "section": "", "sectionID": "306"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/12.html", "name": "CAPEC", "section": "Choosing Message Identifier", "sectionID": "12", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/166.html", "name": "CAPEC", "section": "Force the System to Reset Values", "sectionID": "166", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/216.html", "name": "CAPEC", "section": "Communication Channel Manipulation", "sectionID": "216", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/36.html", "name": "CAPEC", "section": "Using Unpublished Interfaces or Functionality", "sectionID": "36", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/62.html", "name": "CAPEC", "section": "Cross Site Request Forgery", "sectionID": "62", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "541-441", "name": "Validate HTTP request headers", "tags": ["Injection protection"]}, "ltype": "Is Part Of"}], "name": "Authenticate HTTP headers added by a trusted proxy or SSO device"}, {"doctype": "CRE", "id": "426-842", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md", "name": "ASVS", "section": "Verify that the message headers and payload are trustworthy and not modified in transit. 
Requiring strong encryption for transport (TLS only) may be sufficient in many cases as it provides both confidentiality and integrity protection. Per-message digital signatures can provide additional assurance on top of the transport protections for high-security applications but bring with them additional complexity and risks to weigh against the benefits.", "sectionID": "V13.2.6"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/345.html", "name": "CWE", "section": "", "sectionID": "345"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Assessment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "REST Security Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross-Site Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Provide a valid integrity attribute to the tag.", "doctype": "Tool", "hyperlink": "https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java", "name": "ZAP Rule", "section": "Sub Resource Integrity Attribute Missing", "sectionID": "90003", "tags": ["90003", "Passive"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"description": "Ensure each page is setting the specific and appropriate content-type value for the content being delivered.", "doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRule.java", "name": "ZAP Rule", "section": "Content-Type Header Missing", "sectionID": "10019", "tags": ["Passive", "10019"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/111.html", "name": "CAPEC", "section": "JSON Hijacking (aka JavaScript Hijacking)", "sectionID": "111", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/141.html", "name": "CAPEC", "section": "Cache Poisoning", "sectionID": "141", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/142.html", "name": "CAPEC", "section": "DNS Cache Poisoning", "sectionID": "142", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/148.html", "name": "CAPEC", "section": "Content Spoofing", "sectionID": "148", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/218.html", "name": "CAPEC", "section": "Spoofing of UDDI/ebXML Messages", "sectionID": "218", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/384.html", "name": "CAPEC", "section": "Application API Message Manipulation via Man-in-the-Middle", "sectionID": "384", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/385.html", "name": "CAPEC", "section": "Transaction or Event Tampering via Application API Manipulation", "sectionID": "385", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/386.html", "name": "CAPEC", "section": "Application API Navigation Remapping", "sectionID": "386", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/387.html", "name": "CAPEC", "section": "Navigation Remapping To Propagate Malicious Content", "sectionID": "387", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/388.html", "name": "CAPEC", "section": "Application API Button Hijacking", "sectionID": "388", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/665.html", "name": "CAPEC", "section": "Exploitation of Thunderbolt Protection Flaws", "sectionID": "665", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/701.html", "name": "CAPEC", "section": "Browser in the Middle (BiTM)", "sectionID": "701", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "435-702", "name": "Communication encryption", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Verify the authenticity of both headers and payload", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "524-603", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md", "name": "ASVS", "section": "Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.", "sectionID": "V4.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/639.html", "name": "CWE", "section": "", "sectionID": "639"}, "ltype": "Linked 
To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHZ-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Access Control Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authorization Testing Automation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "123-124", "name": "Minimize permissions"}, "ltype": "Is Part Of"}], "name": "Limit modification of access controls to specifically authorized actors/users"}, {"doctype": "CRE", "id": "817-808", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html", "name": "OWASP Proactive Controls", "section": "C7"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/276.html", "name": "CWE", "section": "", "sectionID": "276"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-IDNT-01"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Access Control Cheat Sheet"}, 
"ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authorization Testing Automation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/1.html", "name": "CAPEC", "section": "Accessing Functionality Not Properly Constrained by ACLs", "sectionID": "1", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/127.html", "name": "CAPEC", "section": "Directory Indexing", "sectionID": "127", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/81.html", "name": "CAPEC", "section": "Web Server Logs Tampering", "sectionID": "81", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "123-124", "name": "Minimize permissions"}, "ltype": "Is Part Of"}], "name": "Deny new users by default"}, {"doctype": "CRE", "id": "770-361", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md", "name": "ASVS", "section": "Verify that time sources are synchronized to the correct time and time zone. 
Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis.", "sectionID": "V7.3.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c9-implement-security-logging-monitoring.html", "name": "OWASP Proactive Controls", "section": "C9"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Logging Cheat Sheet.htmlhttps://cheatsheetseries.owasp.org/cheatsheets/Logging Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "770-362", "name": "Log time synchronization"}, "ltype": "Is Part Of"}], "name": "Synchronize time zones for logs"}, {"doctype": "CRE", "id": "487-305", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as built-in functionality.", "sectionID": "V2.1.12"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/521.html", "name": "CWE", "section": "", "sectionID": "521"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", 
"section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "789-320", "name": "Login functionality"}, "ltype": "Is Part Of"}], "name": "Provide options to view entire password or last typed character"}, {"doctype": "CRE", "id": "742-432", "links": [{"document": {"doctype": "CRE", "id": "400-007", "name": "Encrypt data at rest", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "786-224", "name": "Authenticate encrypted data"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "122-287", "name": "Ensure cryptographic elements can be upgraded or replaced"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "036-810", "name": "Let cryptographic modules fail securely"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "878-880", "name": "Perform cryptographic operations in constant time"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "742-431", "name": "Use approved cryptographic algorithms"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "433-122", "name": "Use nonces and initialization vectors only once"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "674-425", "name": "Use state of the art 
cryptographic configuration"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "441-132", "name": "Use weak crypto only for backwards compatibility"}, "ltype": "Contains"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Encryption algorithms", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "751-176", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify users can change their password.", "sectionID": "V2.1.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/620.html", "name": "CWE", "section": "", "sectionID": "620"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-ATHN-07"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Choosing and Using Security Questions Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Forgot Password Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Credential Stuffing Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.1.1.2"}, "ltype": "Linked To"}, 
{"document": {"doctype": "CRE", "id": "586-842", "name": "Secure user management"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Related"}], "name": "Offer password changing functionality"}, {"doctype": "CRE", "id": "330-281", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md", "name": "ASVS", "section": "Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers.", "sectionID": "V1.2.1"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c3-secure-database-access.html", "name": "OWASP Proactive Controls", "section": "C3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/250.html", "name": "CWE", "section": "", "sectionID": "250"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/104.html", "name": "CAPEC", "section": "Cross Zone Scripting", "sectionID": "104", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/470.html", "name": "CAPEC", "section": "Expanding Control over the Operating System from the Database", "sectionID": "470", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/69.html", "name": "CAPEC", "section": "Target Programs with Elevated Privileges", "sectionID": "69", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "123-124", "name": "Minimize permissions"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "286-500", "name": "OS security"}, "ltype": "Related"}], "name": "Use least privilege OS accounts for system 
(components)"}, {"doctype": "CRE", "id": "317-743", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.", "sectionID": "V5.2.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/95.html", "name": "CWE", "section": "", "sectionID": "95"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CLNT-02"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Server Side Request Forgery Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cross Site Scripting Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "DOM based XSS Prevention Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Unvalidated Redirects and Forwards 
Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/35.html", "name": "CAPEC", "section": "Leverage Executable Code in Non-Executable Files", "sectionID": "35", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "764-765", "name": "Sanitization and sandboxing", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Do not use eval or dynamic code execution functions"}, {"doctype": "CRE", "id": "674-425", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md", "name": "ASVS", "section": "Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice.", "sectionID": "V6.2.3"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/326.html", "name": "CWE", "section": "", "sectionID": "326"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html", "name": "OWASP Web Security Testing Guide (WSTG)", "section": "WSTG-CRYP-04"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Cryptographic Storage Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Key Management Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"description": "Protect the connection using HTTPS or use a stronger authentication mechanism", "doctype": "Tool", "hyperlink": 
"https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java", "name": "ZAP Rule", "section": "Weak Authentication Method", "sectionID": "10105", "tags": ["Passive", "10105"], "tooltype": "Offensive"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/112.html", "name": "CAPEC", "section": "Brute Force", "sectionID": "112", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/192.html", "name": "CAPEC", "section": "Protocol Analysis", "sectionID": "192", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/20.html", "name": "CAPEC", "section": "Encryption Brute Forcing", "sectionID": "20", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "742-432", "name": "Encryption algorithms", "tags": ["Cryptography"]}, "ltype": "Is Part Of"}], "name": "Use state of the art cryptographic configuration"}, {"doctype": "CRE", "id": "333-858", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md", "name": "ASVS", "section": "Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates.", "sectionID": "V2.2.4"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/308.html", "name": "CWE", "section": "", "sectionID": "308"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Authentication 
Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Transport Layer Protection Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "TLS Cipher String Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "name": "NIST 800-63", "section": "5.2.5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/16.html", "name": "CAPEC", "section": "Dictionary-based Password Attack", "sectionID": "16", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/49.html", "name": "CAPEC", "section": "Password Brute Forcing", "sectionID": "49", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/509.html", "name": "CAPEC", "section": "Kerberoasting", "sectionID": "509", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/55.html", "name": "CAPEC", "section": "Rainbow Table Password Cracking", "sectionID": "55", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/555.html", "name": "CAPEC", "section": "Remote Services with Stolen Credentials", "sectionID": "555", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/560.html", "name": "CAPEC", "section": "Use of Known Domain Credentials", "sectionID": "560", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": 
"https://capec.mitre.org/data/definitions/561.html", "name": "CAPEC", "section": "Windows Admin Shares with Stolen Credentials", "sectionID": "561", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/565.html", "name": "CAPEC", "section": "Password Spraying", "sectionID": "565", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/600.html", "name": "CAPEC", "section": "Credential Stuffing", "sectionID": "600", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/644.html", "name": "CAPEC", "section": "Use of Captured Hashes (Pass The Hash)", "sectionID": "644", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/645.html", "name": "CAPEC", "section": "Use of Captured Tickets (Pass The Ticket)", "sectionID": "645", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/652.html", "name": "CAPEC", "section": "Use of Known Kerberos Credentials", "sectionID": "652", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/653.html", "name": "CAPEC", "section": "Use of Known Operating System Credentials", "sectionID": "653", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "Standard", "hyperlink": "https://capec.mitre.org/data/definitions/70.html", "name": "CAPEC", "section": "Try Common or Default Usernames and Passwords", "sectionID": "70", "version": "3.9"}, "ltype": "SAME"}, {"document": {"doctype": "CRE", "id": "270-568", "name": "Authentication mechanism"}, "ltype": "Is Part Of"}, {"document": {"doctype": "CRE", "id": "170-772", "name": "Cryptography"}, "ltype": "Related"}], "name": "Resist stolen 
credentials", "tags": ["Cryptography"]}, {"doctype": "CRE", "id": "042-550", "links": [{"document": {"doctype": "Standard", "hyperlink": "https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md", "name": "ASVS", "section": "Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar.", "sectionID": "V5.1.2"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c5-validate-all-inputs.html", "name": "OWASP Proactive Controls", "section": "C5"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cwe.mitre.org/data/definitions/915.html", "name": "CWE", "section": "", "sectionID": "915"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Mass Assignment Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "Standard", "hyperlink": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", "name": "OWASP Cheat Sheets", "section": "Input Validation Cheat Sheet"}, "ltype": "Linked To"}, {"document": {"doctype": "CRE", "id": "010-308", "name": "Input validation", "tags": ["Injection protection", "XSS protection"]}, "ltype": "Is Part Of"}], "name": "Protect against mass parameter assignment attack"}]; links.forEach(link => { link.children = []; diff --git a/application/frontend/src/pages/circles/circles.scss b/application/frontend/src/pages/circles/circles.scss new file mode 100644 index 000000000..f6013d70a --- /dev/null +++ b/application/frontend/src/pages/circles/circles.scss 
@@ -0,0 +1,25 @@
+
+.node {
+ cursor: pointer;
+}
+
+.node:hover {
+ stroke: #000;
+ stroke-width: 1.5px;
+}
+
+.node--leaf {
+ fill: white;
+}
+
+.label {
+ font: 11px "Helvetica Neue", Helvetica, Arial, sans-serif;
+ text-anchor: middle;
+ text-shadow: 0 1px 0 #fff, 1px 0 0 #fff, -1px 0 0 #fff, 0 -1px 0 #fff;
+}
+
+.label,
+.node--root,
+.node--leaf {
+ pointer-events: none;
+}
\ No newline at end of file
diff --git a/application/frontend/src/pages/circles/circles.tsx b/application/frontend/src/pages/circles/circles.tsx
new file mode 100644
index 000000000..5ae5aac3a
--- /dev/null
+++ b/application/frontend/src/pages/circles/circles.tsx
@@ -0,0 +1,212 @@ +import { useQuery } from 'react-query'; +import './circles.scss'; +import {select,scaleLinear,interpolateHcl,pack,hierarchy,event,transition,interpolateZoom} from 'd3' +import { useEnvironment } from '../../hooks'; +import React, { useContext, useEffect, useMemo, useState } from 'react'; +import { Document, LinkedDocument } from '../../types'; +import { TYPE_CONTAINS } from '../../const'; + +const RenderCircle = () => { + const { apiUrl } = useEnvironment(); + const [rootCREs, setRootCREs] = useState() + const [data, setData] = useState() + + useQuery<{ data: Document }, string>( + 'root_cres', + () => + fetch(`${apiUrl}/root_cres`) + .then((res) => res.json()) + .then((resjson) => { + setRootCREs(resjson.data); + return resjson; + }), + { + retry: false, + enabled: false, + onSettled: () => { + }, + } + ); + const docs = localStorage.getItem("documents") + useEffect(() => { + if (docs != null) { + setData(JSON.parse(docs).sort((a, b) => (a.id + '').localeCompare(b.id + ''))); + } + }, [docs]) + + const query = useQuery( + 'everything', + () => { + if (docs == null) { + fetch(`${apiUrl}/everything`) + .then((res) => { return res.json() }) + .then((resjson) => { + return resjson.data + }).then((data) => { + if (data) { + localStorage.setItem("documents", JSON.stringify(data)); + setData(data) + } + }), + { + retry: false, + enabled: false, + onSettled: () => { + }, + } + } + + } + ); + + var svg = select("svg"), + margin = 20, + diameter = +svg.attr("width"), + g = svg.append("g").attr("transform", "translate(" + diameter / 2 + "," + diameter / 2 + ")"); + + var color = scaleLinear() + .domain([-1, 5]) + .range(["hsl(152,80%,80%)", "hsl(228,30%,40%)"]) + .interpolate(interpolateHcl); + + var pack = pack() + .size([diameter - margin, diameter - margin]) + .padding(2); + + + // data?.forEach(dat => { + // dat.links = []; + // }) + interface circleDoc extends Document { + size: number + } + function getById(id) { + let x = data?.filter(i => i.id === 
id)[0] + if (x) { + let y: Partial = x + y.size = 0 + return y + } + } + + function populateChildren(id) { + const cre = getById(id); + if (cre) + cre.links?.filter(link => link.ltype === TYPE_CONTAINS).forEach(link => { + let child: any = getById(link.document.id); + if (child) { cre.links?.push({ document: child, ltype: TYPE_CONTAINS }) } + populateChildren(link.document.id); + if (child?.links?.length === 0) { + child.size = 1; + } + }); + } + + rootCREs?.forEach(node => populateChildren(node?.id)); + + let root: any = { + "name": "cluster", + "children": rootCREs + } + + root = hierarchy(root) + .sum(function (d) { + return d.size; + }) + .sort(function (a, b) { + return b.value - a.value; + }); + + var focus = root, + nodes = pack(root).descendants(), + view; + + var circle = g.selectAll("circle") + .data(nodes) + .enter().append("circle") + .attr("class", function (d) { + return d.parent ? d.children ? "node" : "node node--leaf" : "node node--root"; + }) + .style("fill", function (d) { + return d.children ? color(d.depth) : (d.data.color ? d.data.color : null); + }) + .on("click", function (d) { + if (focus !== d) zoom(d), event.stopPropagation(); + }); + + var text = g.selectAll("text") + .data(nodes) + .enter().append("text") + .attr("class", "label") + .style("fill-opacity", function (d) { + return d.parent === root ? 1 : 0; + }) + .style("display", function (d) { + return d.parent === root ? "inline" : "none"; + }) + .text(function (d) { + let name = d.data.name.length > 33 ? (d.data.name.substr(0, 14) + "..." 
+ d.data.name.substr(d.data.name.length - 14)) : d.data.name; + if (d.data.children && d.data.children.length > 0) name += ' (' + d.data.children.length + ')' + return name; + }); + + var node = g.selectAll("circle,text"); + + svg + .style("background", color(-1)) + .on("click", function () { + zoom(root); + }); + + zoomTo([root.x, root.y, root.r * 2 + margin]); + + function zoom(d) { + var focus0 = focus; + focus = d; + + var transition = transition() + .duration(event.altKey ? 7500 : 750) + .tween("zoom", function (d) { + var i = interpolateZoom(view, [focus.x, focus.y, focus.r * 2 + margin]); + return function (t) { + zoomTo(i(t)); + }; + }); + + transition.selectAll("text") + .filter(function (d) { + return d && d.parent === focus || this.style.display === "inline"; + }) + .style("fill-opacity", function (d) { + return d && d.parent === focus ? 1 : 0; + }) + .on("start", function (d) { + if (d && d.parent === focus) this.style.display = "inline"; + }) + .on("end", function (d) { + if (d && d.parent !== focus) this.style.display = "none"; + }); + } + + function zoomTo(v) { + var k = diameter / v[2]; + view = v; + node.attr("transform", function (d) { + return "translate(" + (d.x - v[0]) * k + "," + (d.y - v[1]) * k + ")"; + }); + circle.attr("r", function (d) { + return d.r * k; + }); + } + return svg +} +export const Circles = () => { + return ( + <> + + + + + + ) +} \ No newline at end of file diff --git a/application/frontend/src/routes.tsx b/application/frontend/src/routes.tsx index 4d657a53f..d0a4bdd76 100644 --- a/application/frontend/src/routes.tsx +++ b/application/frontend/src/routes.tsx @@ -12,6 +12,7 @@ import { SECTION_ID, STANDARD, EXPLORER, +CIRCLES, } from './const'; import { CommonRequirementEnumeration, Graph, Search, Standard } from './pages'; import { BrowseRootCres } from './pages/BrowseRootCres/browseRootCres'; 
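Review bot: `var pack = pack()` and, inside zoom, `var transition = transition()` redeclare the imported d3 functions as hoisted locals, so each call reads `undefined` and throws at runtime; rename them, e.g. `const packLayout = pack().size([diameter - margin, diameter - margin]).padding(2)` and `const t = transition().duration(...)`, and use `packLayout(root)` / `t.selectAll("text")` below. The whole d3 setup runs in RenderCircle's render body, where `select("svg")` has no mounted element to bind to (so `svg.attr("width")` fails before anything is drawn) and the component returns a d3 selection rather than JSX, while the `Circles` fragment shows no `<svg>` in the hunk as rendered here; the drawing belongs in a useEffect keyed on `data` and `rootCREs` that draws into a ref-held `<svg>`, as sketched below. In the 'everything' query the options object is a comma expression inside the query function, so `retry: false` / `enabled: false` never reach useQuery and the function returns no promise — move that object to the third argument. `JSON.parse(docs)` on the localStorage value is neither caught nor validated, so a corrupted or non-array entry throws on every load and is never cleared; use `try { const parsed: unknown = JSON.parse(docs); if (Array.isArray(parsed)) setData(parsed.sort(...)); } catch { localStorage.removeItem("documents"); }`. Also, populateChildren has no visited set (a TYPE_CONTAINS cycle in the CRE graph would overflow the stack) and pushes onto the same object getById returns on every call, duplicating children on each re-render, and `event` is no longer exported by d3 6+ (package.json pins ^7.8.5), so click handlers should take the event as their first argument.
```tsx
const svgRef = React.useRef<SVGSVGElement>(null);

useEffect(() => {
  const el = svgRef.current;
  if (!el || !data || !rootCREs) return;
  const svg = select(el);
  const margin = 20;
  const diameter = +svg.attr("width");
  const g = svg.append("g").attr("transform", "translate(" + diameter / 2 + "," + diameter / 2 + ")");
  // … unchanged: color scale …
  const packLayout = pack().size([diameter - margin, diameter - margin]).padding(2);
  // … unchanged: getById, populateChildren, root hierarchy (now packLayout(root).descendants()), circle/text selections, zoomTo …
  function zoom(ev, d) {
    focus = d;
    const t = transition()
      .duration(ev?.altKey ? 7500 : 750)
      .tween("zoom", function () {
        const i = interpolateZoom(view, [focus.x, focus.y, focus.r * 2 + margin]);
        return function (tt) { zoomTo(i(tt)); };
      });
    // … unchanged: text fill-opacity / display transitions, now chained on t …
  }
  // d3 v6+ listeners receive (event, datum)
  circle.on("click", function (ev, d) { if (focus !== d) { zoom(ev, d); ev.stopPropagation(); } });
  svg.style("background", color(-1)).on("click", function (ev) { zoom(ev, root); });
  zoomTo([root.x, root.y, root.r * 2 + margin]);
  return () => { g.remove(); };
}, [data, rootCREs]);

return <svg ref={svgRef} width={SVG_SIZE_PX} height={SVG_SIZE_PX} />; // SVG_SIZE_PX: placeholder for the drawing size
```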
@@ -22,6 +23,7 @@ import { MembershipRequired } from './pages/MembershipRequired/MembershipRequire import { SearchName } from './pages/Search/SearchName'; import { StandardSection } from './pages/Standard/StandardSection'; import { Explorer } from './pages/Explorer/explorer'; +import { Circles } from './pages/circles/circles'; export interface IRoute { path: string; @@ -133,4 +135,10 @@ export const ROUTES: IRoute[] = [ showHeader: true, showFilter: false, }, + { + path: `${CIRCLES}`, + component: Circles, + showHeader: true, + showFilter: false, + }, ]; diff --git a/package.json b/package.json index 18438f74b..ffc88ca03 100755 --- a/package.json +++ b/package.json @@ -45,6 +45,7 @@ "@wojtekmaj/enzyme-adapter-react-17": "^0.6.1", "awesome-typescript-loader": "5.2.1", "axios": "^0.21.4", + "d3": "^7.8.5", "d3-dag": "^0.6.3", "date-fns": "^2.16.1", "del-cli": "^3.0.1", diff --git a/yarn.lock b/yarn.lock index 2d21f25e9..3177879e6 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5283,6 +5283,11 @@ comma-separated-tokens@^1.0.0: resolved "https://registry.yarnpkg.com/comma-separated-tokens/-/comma-separated-tokens-1.0.8.tgz#632b80b6117867a158f1080ad498b2fbe7e3f5ea" integrity sha512-GHuDRO12Sypu2cV70d1dkA2EUmXHgntrzbpvOB+Qy+49ypNfGgFQIC2fhhXbnyrJRynDCAARsT7Ou0M6hirpfw== +commander@7, commander@^7.0.0, commander@^7.2.0: + version "7.2.0" + resolved "https://registry.yarnpkg.com/commander/-/commander-7.2.0.tgz#a36cb57d0b501ce108e4d20559a150a391d97ab7" + integrity sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw== + commander@^2.19.0, commander@^2.20.0: version "2.20.3" resolved "https://registry.yarnpkg.com/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33" 
@@ -5293,11 +5298,6 @@ commander@^5.1.0: resolved "https://registry.yarnpkg.com/commander/-/commander-5.1.0.tgz#46abbd1652f8e059bddaef99bbdcb2ad9cf179ae" integrity sha512-P0CysNDQ7rtVw4QIQtm+MRxV66vKFSvlsQvGYXZWR3qFU0jlMKHZZZgw8e+8DSah4UDKMqnknRDQz+xuQXQ/Zg== -commander@^7.0.0, commander@^7.2.0: - version "7.2.0" - resolved "https://registry.yarnpkg.com/commander/-/commander-7.2.0.tgz#a36cb57d0b501ce108e4d20559a150a391d97ab7" - integrity sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw== - commander@^8.3.0: version "8.3.0" resolved "https://registry.yarnpkg.com/commander/-/commander-8.3.0.tgz#4837ea1b2da67b9c616a67afbb0fafee567bca66" @@ -5775,6 +5775,13 @@ cwd@^0.10.0: dependencies: internmap "1 - 2" +"d3-array@2.5.0 - 3", d3-array@3, d3-array@^3.2.0: + version "3.2.4" + resolved "https://registry.yarnpkg.com/d3-array/-/d3-array-3.2.4.tgz#15fec33b237f97ac5d7c986dc77da273a8ed0bb5" + integrity sha512-tdQAmyA18i4J7wprpYq8ClcxZy3SC31QMeByyCFyRt7BVHdREQZ5lpzoe5mFEYZUWe+oq8HBvk9JjpibyEV4Jg== + dependencies: + internmap "1 - 2" + d3-array@^2.11.0: version "2.12.1" resolved "https://registry.yarnpkg.com/d3-array/-/d3-array-2.12.1.tgz#e20b41aafcdffdf5d50928004ececf815a465e81" 
@@ -5782,16 +5789,46 @@ d3-array@^2.11.0: dependencies: internmap "^1.0.0" +d3-axis@3: + version "3.0.0" + resolved "https://registry.yarnpkg.com/d3-axis/-/d3-axis-3.0.0.tgz#c42a4a13e8131d637b745fc2973824cfeaf93322" + integrity sha512-IH5tgjV4jE/GhHkRV0HiVYPDtvfjHQlQfJHs0usq7M30XcSBvOotpmH1IgkcXsO/5gEQZD43B//fc7SRT5S+xw== + d3-binarytree@^0.2.0: version "0.2.2" resolved "https://registry.yarnpkg.com/d3-binarytree/-/d3-binarytree-0.2.2.tgz#2b3421a4ac41ddaf3ebd2584f96f8e68ecb7c444" integrity sha512-TmgSEKWO4lSjX26Rk77hbTdiF3TQ1v5LqL+cmSz6/5RiSxmq6+e6qHE6X/KwrsIESekhEReH63X5yM8dvXaT7A== -"d3-color@1 - 3": +d3-brush@3: + version "3.0.0" + resolved "https://registry.yarnpkg.com/d3-brush/-/d3-brush-3.0.0.tgz#6f767c4ed8dcb79de7ede3e1c0f89e63ef64d31c" + integrity sha512-ALnjWlVYkXsVIGlOsuWH1+3udkYFI48Ljihfnh8FZPF2QS9o+PzGLBslO0PjzVoHLZ2KCVgAM8NVkXPJB2aNnQ== + dependencies: + d3-dispatch "1 - 3" + d3-drag "2 - 3" + d3-interpolate "1 - 3" + d3-selection "3" + d3-transition "3" + +d3-chord@3: + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-chord/-/d3-chord-3.0.1.tgz#d156d61f485fce8327e6abf339cb41d8cbba6966" + integrity sha512-VE5S6TNa+j8msksl7HwjxMHDM2yNK3XCkusIlpX5kwauBfXuyLAtNg9jCp/iHH61tgI4sb6R/EIMWCqEIdjT/g== + dependencies: + d3-path "1 - 3" + +"d3-color@1 - 3", d3-color@3: version "3.1.0" resolved "https://registry.yarnpkg.com/d3-color/-/d3-color-3.1.0.tgz#395b2833dfac71507f12ac2f7af23bf819de24e2" integrity sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA== +d3-contour@4: + version "4.0.2" + resolved "https://registry.yarnpkg.com/d3-contour/-/d3-contour-4.0.2.tgz#bb92063bc8c5663acb2422f99c73cbb6c6ae3bcc" + integrity sha512-4EzFTRIikzs47RGmdxbeUvLWtGedDUNkTcmzoeyg4sP/dvCexO47AaQL7VKy/gul85TOxw+IBgA8US2xwbToNA== + dependencies: + d3-array "^3.2.0" + d3-dag@^0.6.3: version "0.6.3" resolved "https://registry.yarnpkg.com/d3-dag/-/d3-dag-0.6.3.tgz#8fc297d6ff0b35fd8c5f250ff8b09c8371b16dee" 
@@ -5802,12 +5839,19 @@ d3-dag@^0.6.3: javascript-lp-solver "0.4.24" quadprog "^1.6.1" -"d3-dispatch@1 - 3": +d3-delaunay@6: + version "6.0.4" + resolved "https://registry.yarnpkg.com/d3-delaunay/-/d3-delaunay-6.0.4.tgz#98169038733a0a5babbeda55054f795bb9e4a58b" + integrity sha512-mdjtIZ1XLAM8bm/hx3WwjfHt6Sggek7qH043O8KEjDXN40xi3vx/6pYSVTwLjEgiXQTbvaouWKynLBiUZ6SK6A== + dependencies: + delaunator "5" + +"d3-dispatch@1 - 3", d3-dispatch@3: version "3.0.1" resolved "https://registry.yarnpkg.com/d3-dispatch/-/d3-dispatch-3.0.1.tgz#5fc75284e9c2375c36c839411a0cf550cbfc4d5e" integrity sha512-rzUyPU/S7rwUflMyLc1ETDeBj0NRuHKKAcvukozwhshr6g6c5d8zh4c2gQjY2bZ0dXeGLWc1PF174P2tVvKhfg== -"d3-drag@2 - 3": +"d3-drag@2 - 3", d3-drag@3: version "3.0.0" resolved "https://registry.yarnpkg.com/d3-drag/-/d3-drag-3.0.0.tgz#994aae9cd23c719f53b5e10e3a0a6108c69607ba" integrity sha512-pWbUJLdETVA8lQNJecMxoXfH6x+mO2UQo8rSmZ+QqxcbyA3hfeprFgIT//HW2nlHChWeIIMwS2Fq+gEARkhTkg== 
@@ -5815,11 +5859,27 @@ d3-dag@^0.6.3: d3-dispatch "1 - 3" d3-selection "3" -"d3-ease@1 - 3": +"d3-dsv@1 - 3", d3-dsv@3: + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-dsv/-/d3-dsv-3.0.1.tgz#c63af978f4d6a0d084a52a673922be2160789b73" + integrity sha512-UG6OvdI5afDIFP9w4G0mNq50dSOsXHJaRE8arAS5o9ApWnIElp8GZw1Dun8vP8OyHOZ/QJUKUJwxiiCCnUwm+Q== + dependencies: + commander "7" + iconv-lite "0.6" + rw "1" + +"d3-ease@1 - 3", d3-ease@3: version "3.0.1" resolved "https://registry.yarnpkg.com/d3-ease/-/d3-ease-3.0.1.tgz#9658ac38a2140d59d346160f1f6c30fda0bd12f4" integrity sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w== +d3-fetch@3: + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-fetch/-/d3-fetch-3.0.1.tgz#83141bff9856a0edb5e38de89cdcfe63d0a60a22" + integrity sha512-kpkQIM20n3oLVBKGg6oHrUchHM3xODkTzjMoj7aWQFq5QEM+R6E4WkzT5+tojDY7yjez8KgCBRoj4aEr99Fdqw== + dependencies: + d3-dsv "1 - 3" + "d3-force-3d@2 - 3": version "3.0.3" resolved "https://registry.yarnpkg.com/d3-force-3d/-/d3-force-3d-3.0.3.tgz#ddd0b9120837ef3cd6ffdad668d99d1992483af2" 
@@ -5831,12 +5891,33 @@ d3-dag@^0.6.3: d3-quadtree "1 - 3" d3-timer "1 - 3" -"d3-format@1 - 3": +d3-force@3: + version "3.0.0" + resolved "https://registry.yarnpkg.com/d3-force/-/d3-force-3.0.0.tgz#3e2ba1a61e70888fe3d9194e30d6d14eece155c4" + integrity sha512-zxV/SsA+U4yte8051P4ECydjD/S+qeYtnaIyAs9tgHCqfguma/aAQDjo85A9Z6EKhBirHRJHXIgJUlffT4wdLg== + dependencies: + d3-dispatch "1 - 3" + d3-quadtree "1 - 3" + d3-timer "1 - 3" + +"d3-format@1 - 3", d3-format@3: version "3.1.0" resolved "https://registry.yarnpkg.com/d3-format/-/d3-format-3.1.0.tgz#9260e23a28ea5cb109e93b21a06e24e2ebd55641" integrity sha512-YyUI6AEuY/Wpt8KWLgZHsIU86atmikuoOmCfommt0LYHiQSPjvX2AcFc38PX0CBpr2RCyZhjex+NS/LPOv6YqA== -"d3-interpolate@1 - 3", "d3-interpolate@1.2.0 - 3": +d3-geo@3: + version "3.1.0" + resolved "https://registry.yarnpkg.com/d3-geo/-/d3-geo-3.1.0.tgz#74fd54e1f4cebd5185ac2039217a98d39b0a4c0e" + integrity sha512-JEo5HxXDdDYXCaWdwLRt79y7giK8SbhZJbFWXqbRTolCHFI5jRqteLzCsq51NKbUoX0PjBVSohxrx+NoOUujYA== + dependencies: + d3-array "2.5.0 - 3" + +d3-hierarchy@3: + version "3.1.2" + resolved "https://registry.yarnpkg.com/d3-hierarchy/-/d3-hierarchy-3.1.2.tgz#b01cd42c1eed3d46db77a5966cf726f8c09160c6" + integrity sha512-FX/9frcub54beBdugHjDCdikxThEqjnR93Qt7PvQTOHxyiNCAlvMrHhclk3cD5VeAaq9fxmfRp+CnWw9rEMBuA== + +"d3-interpolate@1 - 3", "d3-interpolate@1.2.0 - 3", d3-interpolate@3: version "3.0.1" resolved "https://registry.yarnpkg.com/d3-interpolate/-/d3-interpolate-3.0.1.tgz#3c47aa5b32c5b3dfb56ef3fd4342078a632b400d" integrity sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g== 
@@ -5848,12 +5929,27 @@ d3-octree@^0.2.0: resolved "https://registry.yarnpkg.com/d3-octree/-/d3-octree-0.2.2.tgz#24c513d809252d14fd3b0bf7eb5af321c30bd69b" integrity sha512-ysk9uSPAhZVb0Gq4GXzghl/Yqxu80dHrq55I53qaIMdGB65+0UfO84sr4Fci2JHumcgh6H4WE0r8LwxPagkE+g== -"d3-quadtree@1 - 3": +"d3-path@1 - 3", d3-path@3, d3-path@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/d3-path/-/d3-path-3.1.0.tgz#22df939032fb5a71ae8b1800d61ddb7851c42526" + integrity sha512-p3KP5HCf/bvjBSSKuXid6Zqijx7wIfNW+J/maPs+iwR35at5JCbLUT0LzF1cnjbCHWhqzQTIN2Jpe8pRebIEFQ== + +d3-polygon@3: + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-polygon/-/d3-polygon-3.0.1.tgz#0b45d3dd1c48a29c8e057e6135693ec80bf16398" + integrity sha512-3vbA7vXYwfe1SYhED++fPUQlWSYTTGmFmQiany/gdbiWgU/iEyQzyymwL9SkJjFFuCS4902BSzewVGsHHmHtXg== + +"d3-quadtree@1 - 3", d3-quadtree@3: version "3.0.1" resolved "https://registry.yarnpkg.com/d3-quadtree/-/d3-quadtree-3.0.1.tgz#6dca3e8be2b393c9a9d514dabbd80a92deef1a4f" integrity sha512-04xDrxQTDTCFwP5H6hRhsRcb9xxv2RzkcsygFzmkSIOJy3PeRJP7sNk3VRIbKXcog561P9oU0/rVH6vDROAgUw== -"d3-scale-chromatic@1 - 3": +d3-random@3: + version "3.0.1" + resolved "https://registry.yarnpkg.com/d3-random/-/d3-random-3.0.1.tgz#d4926378d333d9c0bfd1e6fa0194d30aebaa20f4" + integrity sha512-FXMe9GfxTxqd5D6jFsQ+DJ8BJS4E/fT5mqqdjovykEB2oFbTMDVdg1MGFxfQW+FBOGoB++k8swBrgwSHT1cUXQ== + +"d3-scale-chromatic@1 - 3", d3-scale-chromatic@3: version "3.0.0" resolved "https://registry.yarnpkg.com/d3-scale-chromatic/-/d3-scale-chromatic-3.0.0.tgz#15b4ceb8ca2bb0dcb6d1a641ee03d59c3b62376a" integrity sha512-Lx9thtxAKrO2Pq6OO2Ua474opeziKr279P/TKZsMAhYyNDD3EnCffdbgeSYN5O7m2ByQsxtuP2CSDczNUIZ22g== 
@@ -5861,7 +5957,7 @@ d3-octree@^0.2.0: d3-color "1 - 3" d3-interpolate "1 - 3" -"d3-scale@1 - 4": +"d3-scale@1 - 4", d3-scale@4: version "4.0.2" resolved "https://registry.yarnpkg.com/d3-scale/-/d3-scale-4.0.2.tgz#82b38e8e8ff7080764f8dcec77bd4be393689396" integrity sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ== @@ -5877,7 +5973,14 @@ d3-octree@^0.2.0: resolved "https://registry.yarnpkg.com/d3-selection/-/d3-selection-3.0.0.tgz#c25338207efa72cc5b9bd1458a1a41901f1e1b31" integrity sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ== -"d3-time-format@2 - 4": +d3-shape@3: + version "3.2.0" + resolved "https://registry.yarnpkg.com/d3-shape/-/d3-shape-3.2.0.tgz#a1a839cbd9ba45f28674c69d7f855bcf91dfc6a5" + integrity sha512-SaLBuwGm3MOViRq2ABk3eLoxwZELpH6zhl3FbAoJ7Vm1gofKx6El1Ib5z23NUEhF9AsGl7y+dzLe5Cw2AArGTA== + dependencies: + d3-path "^3.1.0" + +"d3-time-format@2 - 4", d3-time-format@4: version "4.1.0" resolved "https://registry.yarnpkg.com/d3-time-format/-/d3-time-format-4.1.0.tgz#7ab5257a5041d11ecb4fe70a5c7d16a195bb408a" integrity sha512-dJxPBlzC7NugB2PDLwo9Q8JiTR3M3e4/XANkreKSUxF8vvXKqm1Yfq4Q5dl8budlunRVlUUaDUgFt7eA8D6NLg== 
@@ -5891,12 +5994,19 @@ d3-octree@^0.2.0: dependencies: d3-array "2 - 3" -"d3-timer@1 - 3": +d3-time@3: + version "3.1.0" + resolved "https://registry.yarnpkg.com/d3-time/-/d3-time-3.1.0.tgz#9310db56e992e3c0175e1ef385e545e48a9bb5c7" + integrity sha512-VqKjzBLejbSMT4IgbmVgDjpkYrNWUYJnbCGo874u7MMKIWsILRX+OpX/gTk8MqjpT1A/c6HY2dCA77ZN0lkQ2Q== + dependencies: + d3-array "2 - 3" + +"d3-timer@1 - 3", d3-timer@3: version "3.0.1" resolved "https://registry.yarnpkg.com/d3-timer/-/d3-timer-3.0.1.tgz#6284d2a2708285b1abb7e201eda4380af35e63b0" integrity sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA== -"d3-transition@2 - 3": +"d3-transition@2 - 3", d3-transition@3: version "3.0.1" resolved "https://registry.yarnpkg.com/d3-transition/-/d3-transition-3.0.1.tgz#6869fdde1448868077fdd5989200cb61b2a1645f" integrity sha512-ApKvfjsSR6tg06xrL434C0WydLr7JewBB3V+/39RMHsaXTOG0zmt/OAXeng5M5LBm0ojmxJrpomQVZ1aPvBL4w== @@ -5907,7 +6017,7 @@ d3-octree@^0.2.0: d3-interpolate "1 - 3" d3-timer "1 - 3" -"d3-zoom@2 - 3", d3-zoom@^3.0.0: +"d3-zoom@2 - 3", d3-zoom@3, d3-zoom@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/d3-zoom/-/d3-zoom-3.0.0.tgz#d13f4165c73217ffeaa54295cd6969b3e7aee8f3" integrity sha512-b8AmV3kfQaqWAuacbPuNbL6vahnOJflOhexLzMMNLga62+/nh0JzvJ0aO/5a5MVgUFGS7Hu1P9P03o3fJkDCyw== 
@@ -5923,6 +6033,42 @@ d3@^3.5.17: resolved "https://registry.yarnpkg.com/d3/-/d3-3.5.17.tgz#bc46748004378b21a360c9fc7cf5231790762fb8" integrity sha512-yFk/2idb8OHPKkbAL8QaOaqENNoMhIaSHZerk3oQsECwkObkCpJyjYwCe+OHiq6UEdhe1m8ZGARRRO3ljFjlKg== +d3@^7.8.5: + version "7.8.5" + resolved "https://registry.yarnpkg.com/d3/-/d3-7.8.5.tgz#fde4b760d4486cdb6f0cc8e2cbff318af844635c" + integrity sha512-JgoahDG51ncUfJu6wX/1vWQEqOflgXyl4MaHqlcSruTez7yhaRKR9i8VjjcQGeS2en/jnFivXuaIMnseMMt0XA== + dependencies: + d3-array "3" + d3-axis "3" + d3-brush "3" + d3-chord "3" + d3-color "3" + d3-contour "4" + d3-delaunay "6" + d3-dispatch "3" + d3-drag "3" + d3-dsv "3" + d3-ease "3" + d3-fetch "3" + d3-force "3" + d3-format "3" + d3-geo "3" + d3-hierarchy "3" + d3-interpolate "3" + d3-path "3" + d3-polygon "3" + d3-quadtree "3" + d3-random "3" + d3-scale "4" + d3-scale-chromatic "3" + d3-selection "3" + d3-shape "3" + d3-time "3" + d3-time-format "4" + d3-timer "3" + d3-transition "3" + d3-zoom "3" + d@1, d@^1.0.1: version "1.0.1" resolved "https://registry.yarnpkg.com/d/-/d-1.0.1.tgz#8698095372d58dbee346ffd0c7093f99f8f9eb5a" @@ -6143,6 +6289,13 @@ del@^5.1.0: rimraf "^3.0.0" slash "^3.0.0" +delaunator@5: + version "5.0.0" + resolved "https://registry.yarnpkg.com/delaunator/-/delaunator-5.0.0.tgz#60f052b28bd91c9b4566850ebf7756efe821d81b" + integrity sha512-AyLvtyJdbv/U1GkiS6gUUzclRoAY4Gs75qkMygJJhU75LW4DNuSF2RMzpxs9jw9Oz1BobHjTdkG3zdP55VxAqw== + dependencies: + robust-predicates "^3.0.0" + delayed-stream@~1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/delayed-stream/-/delayed-stream-1.0.0.tgz#df3ae199acadfb7d440aaae0b29e2272b24ec619" 
@@ -8599,7 +8752,7 @@ iconv-lite@0.4.24: dependencies: safer-buffer ">= 2.1.2 < 3" -iconv-lite@^0.6.2, iconv-lite@^0.6.3: +iconv-lite@0.6, iconv-lite@^0.6.2, iconv-lite@^0.6.3: version "0.6.3" resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.6.3.tgz#a52f80bf38da1952eb5c681790719871a1a72501" integrity sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw== @@ -14366,6 +14519,11 @@ ripemd160@0.2.0: resolved "https://registry.yarnpkg.com/ripemd160/-/ripemd160-0.2.0.tgz#2bf198bde167cacfa51c0a928e84b68bbe171fce" integrity sha512-JJsJ74Mw4sUDDisXGDnNNyN9xWmt5HcH6Kwvb/0m/IvTKjnLAtZfzeoLdpxk44AxQZki54oCCd+Kt0nPQ2AF2g== +robust-predicates@^3.0.0: + version "3.0.2" + resolved "https://registry.yarnpkg.com/robust-predicates/-/robust-predicates-3.0.2.tgz#d5b28528c4824d20fc48df1928d41d9efa1ad771" + integrity sha512-IXgzBWvWQwE6PrDI05OvmXUIruQTcoMDzRsOd5CDvHCVLcLHMTSYvOK5Cm46kWqlV3yAbuSpBZdJ5oP5OUoStg== + rollup-plugin-terser@^7.0.0: version "7.0.2" resolved "https://registry.yarnpkg.com/rollup-plugin-terser/-/rollup-plugin-terser-7.0.2.tgz#e8fbba4869981b2dc35ae7e8a502d5c6c04d324d" @@ -14403,6 +14561,11 @@ run-parallel@^1.1.9: dependencies: queue-microtask "^1.2.2" +rw@1: + version "1.3.3" + resolved "https://registry.yarnpkg.com/rw/-/rw-1.3.3.tgz#3f862dfa91ab766b14885ef4d01124bfda074fb4" + integrity sha512-PdhdWy89SiZogBLaw42zdeqtRJ//zFd2PgQavcICDUgJT5oW10QCRKbJ6bg4r0/UY2M6BWd5tkxuGFRvCkgfHQ== + rxjs@^7.5.4: version "7.5.7" resolved "https://registry.yarnpkg.com/rxjs/-/rxjs-7.5.7.tgz#2ec0d57fdc89ece220d2e702730ae8f1e49def39"