ASVS Index

Table of Contents

Objective

The objective of this index is to help users of the OWASP Application Security Verification Standard (ASVS) quickly identify which cheat sheets are relevant to each ASVS section while they are applying the standard.

This index is based on the version 5.0.x of the ASVS.

V1: Encoding and Sanitization

V1.1 Encoding and Sanitization Architecture

Cross Site Scripting Prevention Cheat Sheet

V1.2 Injection Prevention

Bean Validation Cheat Sheet

Cross Site Scripting Prevention Cheat Sheet

DOM based XSS Prevention Cheat Sheet

File Upload Cheat Sheet

Injection Prevention Cheat Sheet

Input Validation Cheat Sheet

Java Security Cheat Sheet

LDAP Injection Prevention

OS Command Injection Defense

Query Parameterization Cheat Sheet

SQL Injection Prevention

XML Security Cheat Sheet

XSS Filter Evasion Cheat Sheet

XML External Entity Prevention Cheat Sheet

V1.3 Sanitization

Cross-Site Request Forgery Prevention Cheat Sheet

Cross Site Scripting Prevention Cheat Sheet

DOM based XSS Prevention Cheat Sheet

Injection Prevention Cheat Sheet

Injection Prevention Cheat Sheet in Java

Input Validation Cheat Sheet

LDAP Injection Prevention

Server Side Request Forgery Prevention Cheat Sheet

XML External Entity Prevention Cheat Sheet

V1.4 Memory, String, and Unmanaged Code

None.

V1.5 Safe Deserialization

Deserialization Cheat Sheet

Server Side Request Forgery Prevention Cheat Sheet

XML Security Cheat Sheet

XML External Entity Prevention Cheat Sheet

V2: Validation and Business Logic

V2.1 Validation and Business Logic Documentation

Abuse Case Cheat Sheet

V2.2 Input Validation

Input Validation Cheat Sheet

Microservices Security Cheat Sheet

Web Service Security Cheat Sheet

V2.3 Business Logic Security

Abuse Case Cheat Sheet

V2.4 Anti-automation

Denial of Service Cheat Sheet

V3: Web Frontend Security

V3.1 Web Frontend Security Documentation

Content Security Policy Cheat Sheet

Cross-Site Request Forgery Prevention Cheat Sheet

HTTP Strict Transport Security Cheat Sheet

V3.2 Unintended Content Interpretation

Cross-Site Request Forgery Prevention Cheat Sheet

DOM Clobbering Prevention Cheat Sheet

HTML5 Security Cheat Sheet

Third Party Javascript Management Cheat Sheet

V3.3 Cookie Setup

Cross-Site Request Forgery Prevention Cheat Sheet

Session Management Cheat Sheet

Transport Layer Security Cheat Sheet

V3.4 Browser Security Mechanism Headers

Cross-Site Request Forgery Prevention Cheat Sheet

HTML5 Security Cheat Sheet

HTTP Strict Transport Security Cheat Sheet

V3.5 Browser Origin Separation

Cross-Site Request Forgery Prevention Cheat Sheet

HTML5 Security Cheat Sheet

V3.6 External Resource Integrity

Third Party Javascript Management Cheat Sheet

V3.7 Other Browser Security Considerations

Cross-Site Request Forgery Prevention Cheat Sheet

HTTP Strict Transport Security Cheat Sheet

Third Party Javascript Management Cheat Sheet

Unvalidated Redirects and Forwards Cheat Sheet

V4: API and Web Service

V4.1 Generic Web Service Security

Cross-Site Request Forgery Prevention Cheat Sheet

REST Assessment Cheat Sheet

REST Security Cheat Sheet

Transport Layer Security Cheat Sheet

Web Service Security Cheat Sheet

V4.2 HTTP Message Structure Validation

REST Security Cheat Sheet

Web Service Security Cheat Sheet

V4.3 GraphQL

REST Security Cheat Sheet

V4.4 WebSocket

REST Security Cheat Sheet

Transport Layer Security Cheat Sheet

V5: File Handling

V5.1 File Handling Documentation

Input Validation Cheat Sheet

File Upload Cheat Sheet

V5.2 File Upload and Content

Input Validation Cheat Sheet

File Upload Cheat Sheet

V5.3 File Storage

Input Validation Cheat Sheet

Server Side Request Forgery Prevention Cheat Sheet

V5.4 File Download

File Upload Cheat Sheet

V6: Authentication

V6.1 Authentication Documentation

Credential Stuffing Prevention Cheat Sheet

V6.2 Password Security

Authentication Cheat Sheet

V6.3 General Authentication Security

Authentication Cheat Sheet

Credential Stuffing Prevention Cheat Sheet

Forgot Password Cheat Sheet

V6.4 Authentication Factor Lifecycle and Recovery

Choosing and Using Security Questions Cheat Sheet

Forgot Password Cheat Sheet

Multifactor Authentication Cheat Sheet

V6.5 General Multi-factor authentication requirements

Authentication Cheat Sheet

Multifactor Authentication Cheat Sheet

Password Storage Cheat Sheet

Transaction Authorization Cheat Sheet

V6.6 Out-of-Band authentication mechanisms

Forgot Password Cheat Sheet

Multifactor Authentication Cheat Sheet

V6.7 Cryptographic authentication mechanism

Authentication Cheat Sheet

Multifactor Authentication Cheat Sheet

V6.8 Authentication with an Identity Provider

Authentication Cheat Sheet

V7: Session Management

Session Management Cheat Sheet

V7.1 Session Management Documentation

Session Management Cheat Sheet

V7.2 Fundamental Session Management Security

Session Management Cheat Sheet

V7.3 Session Timeout

Session Management Cheat Sheet

V7.4 Session Termination

Session Management Cheat Sheet

V7.5 Defenses Against Session Abuse

Session Management Cheat Sheet

V7.6 Federated Re-authentication

Session Management Cheat Sheet

V8: Authorization

V8.1 Authorization Documentation

Authorization Cheat Sheet

Authorization Testing Automation

V8.2 General Authorization Design

Authorization Cheat Sheet

Insecure Direct Object Reference Prevention Cheat Sheet

Session Management Cheat Sheet

V8.3 Operation Level Authorization

Transaction Authorization Cheat Sheet

V8.4 Other Authorization Considerations

Authorization Cheat Sheet

Multi-Tenant Application Security Cheat Sheet

V9: Self-contained Tokens

V9.1 Token source and integrity

JSON Web Token Cheat Sheet for Java

SAML Security Cheat Sheet

V9.2 Token content

REST Security Cheat Sheet

V10: OAuth and OIDC

V10.1 Generic OAuth and OIDC Security

OAuth 2.0 Protocol Cheatsheet

V10.2 OAuth Client

OAuth 2.0 Protocol Cheatsheet

V10.3 OAuth Resource Server

OAuth 2.0 Protocol Cheatsheet

Transport Layer Security Cheat Sheet

V10.4 OAuth Authorization Server

OAuth 2.0 Protocol Cheatsheet

Transport Layer Security Cheat Sheet

Unvalidated Redirects and Forwards Cheat Sheet

V10.5 OIDC Client

OAuth 2.0 Protocol Cheatsheet

V10.6 OpenID Provider

OAuth 2.0 Protocol Cheatsheet

V10.7 Consent Management

Browser Extension Security Vulnerabilities

Logging Cheat Sheet

V11: Cryptography

V11.1 Cryptographic Inventory and Documentation

Cryptographic Storage Cheat Sheet

Key Management Cheat Sheet

V11.2 Secure Cryptography Implementation

Cryptographic Storage Cheat Sheet

V11.3 Encryption Algorithms

Cryptographic Storage Cheat Sheet

Key Management Cheat Sheet

V11.4 Hashing and Hash-based Functions

Password Storage Cheat Sheet

V11.5 Random Values

Cryptographic Storage Cheat Sheet

V11.6 Public Key Cryptography

Transport Layer Security Cheat Sheet

V11.7 In-Use Data Cryptography

Key Management Cheat Sheet

Microservices Security Cheat Sheet

Secrets Management Cheat Sheet

V12: Secure Communication

V12.1 General TLS Security Guidance

Transport Layer Security Cheat Sheet

V12.2 HTTPS Communication with External Facing Services

Transport Layer Security Cheat Sheet

V12.3 General Service to Service Communication Security

Transport Layer Security Cheat Sheet

V13: Configuration

V13.1 Configuration Documentation

Server Side Request Forgery Prevention Cheat Sheet

V13.2 Backend Communication Configuration

Docker Security Cheat Sheet

Server Side Request Forgery Prevention Cheat Sheet

V13.3 Secret Management

Cryptographic Storage Cheat Sheet

Key Management Cheat Sheet

V13.4 Unintended Information Leakage

Django Cheat Sheet

GraphQL Cheat Sheet

Laravel Cheat Sheet

NPM Security best practices

Symfony Cheat Sheet

V14: Data Protection

V14.1 Data Protection Documentation

Abuse Case Cheat Sheet

Cryptographic Storage Cheat Sheet

User Privacy Protection Cheat Sheet

V14.2 General Data Protection

HTML5 Security Cheat Sheet

User Privacy Protection Cheat Sheet

V14.3 Client-side Data Protection

HTML5 Security Cheat Sheet

V15: Secure Coding and Architecture

V15.1 Secure Coding and Architecture Documentation

Abuse Case Cheat Sheet

Attack Surface Analysis Cheat Sheet

Dependency Graph & SBOM Best Practices Cheat Sheet

Software Supply Chain Security

Third Party Javascript Management Cheat Sheet

Threat Modeling Cheat Sheet

V15.2 Security Architecture and Dependencies

Software Supply Chain Security

Third Party Javascript Management Cheat Sheet

Virtual Patching Cheat Sheet

Vulnerable Dependency Management Cheat Sheet

V15.3 Defensive Coding

Mass Assignment Cheat Sheet

Prototype Pollution Prevention Cheat Sheet

Unvalidated Redirects and Forwards Cheat Sheet

V15.4 Safe Concurrency

Secure Code Review Cheat Sheet

Transaction Authorization Cheat Sheet

V16: Security Logging and Error Handling

V16.1 Security Logging Documentation

Logging Cheat Sheet

Logging Vocabulary Cheat Sheet

V16.2 General Logging

Logging Cheat Sheet

Session Management Cheat Sheet

V16.3 Security Events

Authorization Cheat Sheet

Logging Cheat Sheet

Logging Vocabulary Cheat Sheet

V16.4 Log Protection

Logging Cheat Sheet

V16.5 Error Handling

Error Handling Cheat Sheet

V17: WebRTC

V17.1 TURN Server

None.

V17.2 Media

Transport Layer Security Cheat Sheet

V17.3 Signaling

None.