This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "ASVS V18 API"

From OWASP
(Created page with "# V18: API and Web Service Verification Requirements ## Control Objective Ensure that a verified application that uses RESTful or SOAP based web services has: * Adequate au...")
 
Line 1: Line 1:
# V18: API and Web Service Verification Requirements
+
V18: API and Web Service Verification Requirements
  
## Control Objective
+
Control Objective
  
 
Ensure that a verified application that uses RESTful or SOAP based web services has:
 
Ensure that a verified application that uses RESTful or SOAP based web services has:
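Review bot: the replacement lines in this hunk drop the heading markup instead of converting it, so "V18: API and Web Service Verification Requirements" and "Control Objective" become plain paragraphs in wikitext rather than section headings. Use MediaWiki heading syntax for them, e.g. `= V18: API and Web Service Verification Requirements =` and `== Control Objective ==`, so the section structure (and the table of contents) survives the move from Markdown.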
Line 10: Line 10:
  
  
## Security Verification Requirements
+
Security Verification Requirements
  
| # | Description | L1 | L2 | L3 | Since |
+
{| class="wikitable"
| --- | --- | --- | --- | -- | -- |
+
! # !! Description !! L1 !! L2 !! L3 !! Since |
| **18.1** | Verify that the same encoding style is used between the client and the server. | ✓ | ✓ | ✓ | 3.0 |
+
|-
| **18.2** | Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. | ✓ | ✓ | ✓ | 3.0 |
+
| 18.1 || Verify that the same encoding style is used between the client and the server. || ✓ || ✓ || ✓ || 3.0
| **18.3** | Verify that XML or JSON schema is in place and verified before accepting input. | ✓ | ✓ | ✓ | 3.0 |
+
|-
| **18.4** | Verify that all input is limited to an appropriate size limit. | ✓ | ✓ | ✓ | 3.0 |
+
| 18.2 || Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. || ✓ || ✓ || ✓ || 3.0
| **18.5** | Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption.  | ✓ | ✓ | ✓ | 3.0.1 |
+
|-
| **18.7** | Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks. | ✓ | ✓ | ✓ | 3.0.1 |
+
| 18.3 || Verify that XML or JSON schema is in place and verified before accepting input. || ✓ || ✓ || ✓ || 3.0
| **18.8** | Verify the REST service explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. |  | ✓ | ✓ | 3.0 |
+
|-
| **18.9** | Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. |  | ✓ | ✓ | 3.0.1 |
+
| 18.4 || Verify that all input is limited to an appropriate size limit. || ✓ || ✓ || ✓ || 3.0
| **18.10** | Verify that alternative and less secure access paths do not exist. |  | ✓ | ✓ | 3.0 |
+
|-
 +
| 18.5 || Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption.  || ✓ || ✓ || ✓ || 3.0.1
 +
|-
 +
| 18.7 || Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks. || ✓ || ✓ || ✓ || 3.0.1
 +
|-
 +
| 18.8 || Verify the REST service explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. ||| ✓ || ✓ || 3.0
 +
|-
 +
| 18.9 || Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. ||| ✓ || ✓ || 3.0.1
 +
|-
 +
| 18.10 || Verify that alternative and less secure access paths do not exist. ||| ✓ || ✓ || 3.0
 +
|}
  
  
 
+
References
## References
 
  
 
For more information, see also:
 
For more information, see also:
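Review bot: two cell-syntax problems in the converted wikitable will shift or blank columns when rendered. First, the header row `! # !! Description !! L1 !! L2 !! L3 !! Since |` ends with a stray `|`; in a header cell the text before a single `|` is parsed as attributes, so the "Since" header renders empty. Drop the trailing pipe: `! # !! Description !! L1 !! L2 !! L3 !! Since`. Second, rows 18.8, 18.9 and 18.10 use `|||` where the Markdown original had an empty L1 cell; `|||` is parsed as a `||` separator followed by a cell whose content begins after a `|`, not as an empty cell, so the first ✓ lands in L1 and the Since value is pushed out of the table. Write the empty cell explicitly, e.g. `... application/json. || || ✓ || ✓ || 3.0`. The same heading issue noted for the first hunk applies to "Security Verification Requirements" and "References" here (use `== ... ==`).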

Revision as of 00:03, 6 November 2018

V18: API and Web Service Verification Requirements

Control Objective

Ensure that a verified application that uses RESTful or SOAP based web services has:

  • Adequate authentication, session management and authorization of all web services
  • Input validation of all parameters that transit from a lower to higher trust level
  • Basic interoperability of SOAP web services layer to promote API use


Security Verification Requirements

| # | Description | L1 | L2 | L3 | Since |
| --- | --- | --- | --- | --- | --- |
| 18.1 | Verify that the same encoding style is used between the client and the server. | ✓ | ✓ | ✓ | 3.0 |
| 18.2 | Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. | ✓ | ✓ | ✓ | 3.0 |
| 18.3 | Verify that XML or JSON schema is in place and verified before accepting input. | ✓ | ✓ | ✓ | 3.0 |
| 18.4 | Verify that all input is limited to an appropriate size limit. | ✓ | ✓ | ✓ | 3.0 |
| 18.5 | Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption. | ✓ | ✓ | ✓ | 3.0.1 |
| 18.7 | Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks. | ✓ | ✓ | ✓ | 3.0.1 |
| 18.8 | Verify that the REST service explicitly checks the incoming Content-Type to be the expected one, such as application/xml or application/json. |  | ✓ | ✓ | 3.0 |
| 18.9 | Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. |  | ✓ | ✓ | 3.0.1 |
| 18.10 | Verify that alternative and less secure access paths do not exist. |  | ✓ | ✓ | 3.0 |
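As an added illustration (not part of the ASVS text or any OWASP project code), the function below shows how a REST endpoint can enforce requirements 18.3, 18.4, 18.7 and 18.8 in one pre-handler check: a body size cap, an explicit Content-Type comparison, an Origin header allow-list for state-changing methods, and schema validation before the input is used. The limits, trusted origin and field schema are constructed values for the example.

```python
import json

# Constructed policy values for this example (not taken from ASVS).
MAX_BODY_BYTES = 64 * 1024                         # 18.4: cap request size
EXPECTED_CONTENT_TYPE = "application/json"         # 18.8: the one type we accept
TRUSTED_ORIGINS = {"https://app.example.test"}     # 18.7: Origin allow-list (hypothetical)
SCHEMA = {"account_id": int, "amount": int, "memo": str}  # 18.3: field -> required type


def validate_request(method: str, headers: dict, body: bytes):
    """Return (ok, reason, parsed_body) for one incoming REST request.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 18.4: reject oversized bodies before spending any parsing effort on them
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large", None

    # 18.8: explicit Content-Type check; strip parameters such as "; charset=utf-8"
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != EXPECTED_CONTENT_TYPE:
        return False, "unexpected content-type", None

    # 18.7: state-changing methods must carry an Origin that is on the allow-list;
    # a missing Origin is treated as a failure, not as trusted
    if method.upper() in {"POST", "PUT", "PATCH", "DELETE"}:
        origin = h.get("origin")
        if origin is None or origin not in TRUSTED_ORIGINS:
            return False, "origin check failed", None

    # 18.3: parse, then validate against the schema before the handler sees the data
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "malformed json", None
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        return False, "schema mismatch", None
    for field, expected in SCHEMA.items():
        value = data[field]
        # bool is a subclass of int in Python, so exclude it explicitly for int fields
        if not isinstance(value, expected) or isinstance(value, bool):
            return False, f"bad type for {field}", None
    return True, "ok", data
```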


References

For more information, see also: