OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

V3 - Move and update 3.2.5 #2368

Closed ryarmst closed 1 week ago

ryarmst commented 2 weeks ago

At present, 3.2.5 is intended to prevent the forced creation of application sessions as could occur through an unintended interaction with an SSO system. As such, it is probably more appropriate in V3.6. I also think the wording could use an update. Ping @elarlang

Original (V3.2 Session Binding)

| # | Description | L1 | L2 | L3 | CWE | NIST § |
| --- | --- | --- | --- | --- | --- | --- |
| 3.2.5 | [ADDED] Verify that creating a session for the application requires the user's consent and that the application is protected against a CSRF-style attack where a new application session for the user is created via SSO without user interaction. | | | | | |

Proposed (V3.6 Federated Re-authentication)

| # | Description | L1 | L2 | L3 | CWE | NIST § |
| --- | --- | --- | --- | --- | --- | --- |
| 3.6.3 | [ADDED] Verify that creation of a session requires either the user's consent or an explicit action, preventing the creation of new application sessions without user interaction. | | | | | |

Related discussion in #2120.
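The check the requirement asks for, as an added example that is neither ASVS project code nor anything posted in this issue: a relying party that creates a session only when the SSO callback matches a login the same browser started through an explicit user action. The class, method names and scenarios are assumptions for illustration.

```python
import hmac
import secrets


class RelyingParty:
    """Hypothetical SSO relying party (SP/RP) login flow, illustrative only."""

    def __init__(self):
        # state value -> pre-login cookie of the browser that started the login
        self._pending = {}

    def start_login(self):
        """Step 1: reached only by an explicit user action (e.g. POST from a
        'Log in' button), never by an auto-loadable GET. Returns the cookie to
        set on the browser and the state to send to the IdP."""
        browser_cookie = secrets.token_urlsafe(32)
        state = secrets.token_urlsafe(32)
        self._pending[state] = browser_cookie
        return browser_cookie, state

    def finish_login(self, browser_cookie, state, idp_subject):
        """Step 2: IdP callback. A session is created only if this browser
        started the login (state bound to its cookie) and the state is unused;
        otherwise the response is unsolicited or forged and is rejected."""
        expected = self._pending.pop(state, None)  # single use, replay-safe
        if expected is None or browser_cookie is None:
            return None
        if not hmac.compare_digest(expected, browser_cookie):
            return None
        return {"session_id": secrets.token_urlsafe(32), "user": idp_subject}


def demo():
    """Constructed scenarios; returns which ones produced a session."""
    rp = RelyingParty()
    cookie, state = rp.start_login()
    legit = rp.finish_login(cookie, state, "alice")
    replay = rp.finish_login(cookie, state, "alice")
    # Forced login: IdP-initiated response for a browser that never asked
    forced = rp.finish_login(None, "idp-chosen-state", "alice")
    # Login CSRF: attacker starts a login, victim's browser is sent the callback
    _, attacker_state = rp.start_login()
    csrf = rp.finish_login("victim-cookie", attacker_state, "attacker")
    return {"legit": legit is not None, "replay": replay is not None,
            "forced": forced is not None, "csrf": csrf is not None}
```

Only the login the user started from their own browser yields a session; the unsolicited, replayed and cross-browser callbacks are all refused.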

elarlang commented 2 weeks ago

Moving the requirement was proposed and agreed during the summit.

The requirement text raises some questions - why use "or"? I think it is not "consent" or "action"? How can you achieve consent without an action?

I would use "and" or "by".

ryarmst commented 2 weeks ago

Consent may have specific meaning in certain contexts whereas an "action" may not satisfy consent, but nevertheless conveys the user's intent (and presence). I would also be happy reformulating it to remove "consent" as in the following:

> Verify that creation of a session requires the user's presence and intent, preventing the creation of new application sessions without user interaction.

elarlang commented 1 week ago

> user presence

This is debatable - is user presence achieved if the user's browser is visiting some URL, but without the user noticing it?

> I would also be happy reformulating it to remove "consent"

I would keep it in. Consent here is the abstract goal to achieve - the user knows that the application creates a new session for the user.

I'm not happy about the wording from the initial proposal, but I also don't know how to improve it, so I propose to go with this one:

> Verify that creation of a session requires either the user's consent or an explicit action, preventing the creation of new application sessions without user interaction.

ryarmst commented 1 week ago

> This is debatable - is user presence achieved if the user's browser is visiting some URL, but without the user noticing it?

I would say that presence is achieved in that scenario and that the logical "and" with intent indicates that presence alone is not sufficient, but I think either wording probably sufficiently conveys the intended outcome of the requirement.

elarlang commented 1 week ago

User browser visiting the application != user presence.

User intent is something we cannot verify from the application.

So user interaction is needed to verify the user's consent.

ryarmst commented 1 week ago

Alright, so the initial proposal is fine for now then?

> Verify that creation of a session requires either the user's consent or an explicit action, preventing the creation of new application sessions without user interaction.

I can make a PR.

elarlang commented 1 week ago

> I can make a PR.

I included it into #2373