This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ASVS V18 API"
From OWASP
(Created page with "# V18: API and Web Service Verification Requirements ## Control Objective Ensure that a verified application that uses RESTful or SOAP based web services has: * Adequate au...") |
|||
Line 1: | Line 1: | ||
− | + | V18: API and Web Service Verification Requirements | |
− | + | Control Objective | |
Ensure that a verified application that uses RESTful or SOAP based web services has: | Ensure that a verified application that uses RESTful or SOAP based web services has: | ||
Line 10: | Line 10: | ||
− | + | Security Verification Requirements | |
− | | # | + | {| class="wikitable" |
− | | - | + | ! # !! Description !! L1 !! L2 !! L3 !! Since | |
− | | | + | |- |
− | | | + | | 18.1 || Verify that the same encoding style is used between the client and the server. || ✓ || ✓ || ✓ || 3.0 |
− | | | + | |- |
− | | | + | | 18.2 || Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. || ✓ || ✓ || ✓ || 3.0 |
− | | | + | |- |
− | | | + | | 18.3 || Verify that XML or JSON schema is in place and verified before accepting input. || ✓ || ✓ || ✓ || 3.0 |
− | | | + | |- |
− | | | + | | 18.4 || Verify that all input is limited to an appropriate size limit. || ✓ || ✓ || ✓ || 3.0 |
− | | | + | |- |
+ | | 18.5 || Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption. || ✓ || ✓ || ✓ || 3.0.1 | ||
+ | |- | ||
+ | | 18.7 || Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks. || ✓ || ✓ || ✓ || 3.0.1 | ||
+ | |- | ||
+ | | 18.8 || Verify the REST service explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. || || ✓ || ✓ || 3.0 | ||
+ | |- | ||
+ | | 18.9 || Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. || || ✓ || ✓ || 3.0.1 | ||
+ | |- | ||
+ | | 18.10 || Verify that alternative and less secure access paths do not exist. || || ✓ || ✓ || 3.0 | ||
+ | |} | ||
− | + | References | |
− | |||
For more information, see also: | For more information, see also: |
Revision as of 00:03, 6 November 2018
V18: API and Web Service Verification Requirements
Control Objective
Ensure that a verified application that uses RESTful or SOAP based web services has:
- Adequate authentication, session management and authorization of all web services
- Input validation of all parameters that transit from a lower to higher trust level
- Basic interoperability of SOAP web services layer to promote API use
Security Verification Requirements
# | Description | L1 | L2 | L3 | |
---|---|---|---|---|---|
18.1 | Verify that the same encoding style is used between the client and the server. | ✓ | ✓ | ✓ | 3.0 |
18.2 | Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. | ✓ | ✓ | ✓ | 3.0 |
18.3 | Verify that XML or JSON schema is in place and verified before accepting input. | ✓ | ✓ | ✓ | 3.0 |
18.4 | Verify that all input is limited to an appropriate size limit. | ✓ | ✓ | ✓ | 3.0 |
18.5 | Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption. | ✓ | ✓ | ✓ | 3.0.1 |
18.7 | Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks. | ✓ | ✓ | ✓ | 3.0.1 |
18.8 | Verify the REST service explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. | ✓ | ✓ | 3.0 | |
18.9 | Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. | ✓ | ✓ | 3.0.1 | |
18.10 | Verify that alternative and less secure access paths do not exist. | ✓ | ✓ | 3.0 |
References
For more information, see also:
- [OWASP Testing Guide 4.0: Configuration and Deployment Management Testing](https://www.owasp.org/index.php/Testing_for_configuration_management)
- [OWASP Cross-Site Request Forgery cheat sheet](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)
- [JSON Web Tokens (and Signing)](https://jwt.io/)