|
|
| (2 intermediate revisions by one other user not shown) |
| Line 1: |
Line 1: |
| − | # V18: API and Web Service Verification Requirements
| + | {{taggedDocument |
| − | | + | | type=delete |
| − | ## Control Objective
| + | | comment=Tagged via fixme/delete. |
| − | | + | }} |
| − | Ensure that a verified application that uses RESTful or SOAP based web services has:
| |
| − | | |
| − | * Adequate authentication, session management and authorization of all web services
| |
| − | * Input validation of all parameters that transit from a lower to higher trust level
| |
| − | * Basic interoperability of SOAP web services layer to promote API use
| |
| − | | |
| − | | |
| − | ## Security Verification Requirements
| |
| − | | |
| − | | # | Description | L1 | L2 | L3 | Since |
| |
| − | | --- | --- | --- | --- | -- | -- |
| |
| − | | **18.1** | Verify that the same encoding style is used between the client and the server. | ✓ | ✓ | ✓ | 3.0 |
| |
| − | | **18.2** | Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. | ✓ | ✓ | ✓ | 3.0 |
| |
| − | | **18.3** | Verify that XML or JSON schema is in place and verified before accepting input. | ✓ | ✓ | ✓ | 3.0 |
| |
| − | | **18.4** | Verify that all input is limited to an appropriate size limit. | ✓ | ✓ | ✓ | 3.0 | | |
| − | | **18.5** | Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption. | ✓ | ✓ | ✓ | 3.0.1 |
| |
| − | | **18.7** | Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks. | ✓ | ✓ | ✓ | 3.0.1 |
| |
| − | | **18.8** | Verify the REST service explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. | | ✓ | ✓ | 3.0 |
| |
| − | | **18.9** | Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. | | ✓ | ✓ | 3.0.1 |
| |
| − | | **18.10** | Verify that alternative and less secure access paths do not exist. | | ✓ | ✓ | 3.0 |
| |
| − | | |
| − | | |
| − | | |
| − | ## References
| |
| − | | |
| − | For more information, see also:
| |
| − | | |
| − | * [OWASP Testing Guide 4.0: Configuration and Deployment Management Testing](https://www.owasp.org/index.php/Testing_for_configuration_management)
| |
| − | * [OWASP Cross-Site Request Forgery cheat sheet](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)
| |
| − | * [JSON Web Tokens (and Signing)](https://jwt.io/)
| |
