This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit


Revision as of 00:03, 6 November 2018 by Tonimir Kisasondi (talk | contribs) (Fixed table, made the content readable.)

Jump to: navigation, search

V18: API and Web Service Verification Requirements

Control Objective

Ensure that a verified application that uses RESTful or SOAP based web services has:

  • Adequate authentication, session management and authorization of all web services
  • Input validation of all parameters that transit from a lower to higher trust level
  • Basic interoperability of SOAP web services layer to promote API use

Security Verification Requirements:

# Description L1 L2 L3
18.1 Verify that the same encoding style is used between the client and the server. 3.0
18.2 Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. 3.0
18.3 Verify that XML or JSON schema is in place and verified before accepting input. 3.0
18.4 Verify that all input is limited to an appropriate size limit. 3.0
18.5 Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption. 3.0.1
18.7 Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks. 3.0.1
18.8 Verify the REST service explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. 3.0
18.9 Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. 3.0.1
18.10 Verify that alternative and less secure access paths do not exist. 3.0


For more information, see also: