
V14.5.4 seems like it doesn't add much #1529

Closed
tghosth opened this issue Jan 24, 2023 · 2 comments · Fixed by #1625
Assignees
Labels
6) PR awaiting review _5.0 - prep This needs to be addressed to prepare 5.0

Comments

tghosth (Collaborator) commented Jan 24, 2023

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| V14.5.4 | Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application. | | | | 306 |

Looks like this is basically a copy/paste of 11.3 from ASVS 2.0.

If I am honest, I am not sure what exactly this is for and if it really adds anything to existing requirements. I am open to suggestions but I am inclined to delete this :)

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 Community wanted We would like feedback from the community to guide our decision otherwise we will progress labels Jan 24, 2023
elarlang (Collaborator) commented:
If "authenticated by" means verifying the JWT token signature, then it's covered by the current 3.5.3.

If it's not, then I'm not sure what it actually requires. One problem where I/we have used it for pen-test reports: when the client sends some X-Whatever-Header and this header is used by the application as input from a proxy, WAF or other participant in the HTTP communication. But from the perspective of the described situation, I think we actually need a separate requirement.
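As an added illustration of the pen-test scenario elarlang describes (example code, not part of the ASVS project): the application reads an identity header that only a trusted proxy should set. The vulnerable handler trusts the header from anyone, while the hardened one accepts it only from the proxy's network and only with a valid HMAC the proxy attaches. The header names, proxy CIDR and shared key are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress

# Constructed configuration for this example; a deployment loads these from config.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROXY_HMAC_KEY = b"constructed-demo-key-not-for-production"
ID_HEADER = "x-authenticated-user"
SIG_HEADER = "x-authenticated-user-sig"

def _norm(headers):
    """Header names are case-insensitive; compare on lowercased names."""
    return {k.lower(): v for k, v in headers.items()}

def vulnerable_identity(headers):
    """Vulnerable: the header is used as if only the proxy could set it, so a client
    that reaches the app directly (or whose copy the proxy fails to strip) picks
    its own identity."""
    return _norm(headers).get(ID_HEADER)

def proxy_sign(user):
    """Done by the trusted proxy when it injects the header: an HMAC over the value
    with a key shared only with the application (constructed scheme)."""
    return hmac.new(PROXY_HMAC_KEY, user.encode("utf-8"), hashlib.sha256).hexdigest()

def hardened_identity(headers, peer_ip):
    """Accept the identity only when the TCP peer is a trusted proxy AND the value
    carries a valid signature; anything else is unauthenticated (None)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return None
    h = _norm(headers)
    user, sig = h.get(ID_HEADER), h.get(SIG_HEADER)
    if user is None or sig is None:
        return None
    # Constant-time comparison so the MAC check does not leak timing information.
    if not hmac.compare_digest(sig.encode("utf-8"), proxy_sign(user).encode("utf-8")):
        return None
    return user

if __name__ == "__main__":
    spoofed = {"X-Authenticated-User": "admin"}          # constructed client request
    print(vulnerable_identity(spoofed))                  # admin
    print(hardened_identity(spoofed, "203.0.113.5"))     # None: peer is not the proxy
    print(hardened_identity(spoofed, "10.1.2.3"))        # None: no valid signature
    genuine = {"X-Authenticated-User": "alice",
               "X-Authenticated-User-Sig": proxy_sign("alice")}
    print(hardened_identity(genuine, "10.1.2.3"))        # alice
```

The proxy must still strip any client-supplied copy of these headers before forwarding; the signature check is the application-side defence for when that cannot be guaranteed.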

@tghosth tghosth linked a pull request May 23, 2023 that will close this issue
@tghosth tghosth added 6) PR awaiting review and removed 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet Community wanted We would like feedback from the community to guide our decision otherwise we will progress labels May 23, 2023
tghosth (Collaborator, Author) commented May 23, 2023

I opened a PR to delete it.


4 participants