spyd3r / merlin: issues
#285 Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application. (spyd3r, opened 5 years ago, 0 comments)

#284 Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the "null" origin. (spyd3r, opened 5 years ago, 0 comments)

#283 Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker. (spyd3r, opened 5 years ago, 1 comment)

#282 Verify that the application server only accepts the HTTP methods in use by the application or API, including pre-flight OPTIONS. (spyd3r, opened 5 years ago, 0 comments)

#281 Verify that a suitable X-Frame-Options or Content-Security-Policy: frame-ancestors header is in use for sites where content should not be embedded in a third-party site. (spyd3r, opened 5 years ago, 0 comments)

#280 Verify that a suitable "Referrer-Policy" header is included, such as "no-referrer" or "same-origin". (spyd3r, opened 5 years ago, 0 comments)

#279 Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains. (spyd3r, opened 5 years ago, 0 comments)

#278 Verify that all responses contain X-Content-Type-Options: nosniff. (spyd3r, opened 5 years ago, 0 comments)

#277 Verify that a content security policy (CSPv2) is in place that helps mitigate the impact of XSS attacks such as HTML, DOM, JSON, and JavaScript injection vulnerabilities. (spyd3r, opened 5 years ago, 0 comments)

#276 Verify that all API responses contain Content-Disposition: attachment; filename="api.json" (or another appropriate filename for the content type). (spyd3r, opened 5 years ago, 0 comments)

#275 Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1). (spyd3r, opened 5 years ago, 0 comments)

#274 Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. (spyd3r, opened 5 years ago, 0 comments)

#273 Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures. (spyd3r, opened 5 years ago, 0 comments)

#272 Verify that web or application server and framework error messages are configured to deliver user-actionable, customized responses to eliminate any unintended security disclosures. (spyd3r, opened 5 years ago, 0 comments)

#271 Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour to the application. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) (spyd3r, opened 5 years ago, 0 comments)

#270 Verify that an inventory catalog is maintained of all third party libraries in use. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) (spyd3r, opened 5 years ago, 0 comments)

#269 Verify that third party components come from pre-defined, trusted and continually maintained repositories. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) (spyd3r, opened 5 years ago, 0 comments)

#268 Verify that if application assets, such as JavaScript libraries, CSS stylesheets or web fonts, are hosted externally on a content delivery network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset. (spyd3r, opened 5 years ago, 0 comments)

#267 Verify that all unneeded features, documentation, samples, and configurations are removed, such as sample applications, platform documentation, and default or example users. (spyd3r, opened 5 years ago, 0 comments)

#266 Verify that all components are up to date, preferably using a dependency checker during build or compile time. ([C2](https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Formal_Numbering)) (spyd3r, opened 5 years ago, 0 comments)

#265 Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering. (spyd3r, opened 5 years ago, 0 comments)

#264 Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion. (spyd3r, opened 5 years ago, 0 comments)

#263 Verify that server configuration is hardened as per the recommendations of the application server and frameworks in use. (spyd3r, opened 5 years ago, 0 comments)

#262 Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization and data execution prevention, and to break the build if unsafe pointer, memory, format string, integer, or string operations are found. (spyd3r, opened 5 years ago, 0 comments)

#261 Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts. (spyd3r, opened 5 years ago, 0 comments)

#260 Verify that GraphQL or other data layer authorization logic is implemented at the business logic layer instead of the GraphQL layer. (spyd3r, opened 5 years ago, 0 comments)

#259 Verify that query whitelisting, or a combination of depth limiting and amount limiting, is used to prevent GraphQL or data layer expression denial of service (DoS) as a result of expensive, nested queries. For more advanced scenarios, query cost analysis should be used. (spyd3r, opened 5 years ago, 0 comments)

#258 Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service. (spyd3r, opened 5 years ago, 0 comments)

#257 Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place. (spyd3r, opened 5 years ago, 0 comments)

#256 Verify that the message headers and payload are trustworthy and not modified in transit. Requiring strong encryption for transport (TLS only) may be sufficient in many cases as it provides both confidentiality and integrity protection. Per-message digital signatures can provide additional assurance on top of the transport protections for high-security applications but bring with them additional complexity and risks to weigh against the benefits. (spyd3r, opened 5 years ago, 0 comments)

#255 Verify that REST services explicitly check that the incoming Content-Type is the expected one, such as application/xml or application/JSON. (spyd3r, opened 5 years ago, 0 comments)

#254 Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated. (spyd3r, opened 5 years ago, 0 comments)

#253 Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via at least one of the following: triple or double submit cookie pattern (see [references](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)), CSRF nonces, or ORIGIN request header checks. (spyd3r, opened 5 years ago, 0 comments)

#252 Verify that JSON schema validation is in place and verified before accepting input. (spyd3r, opened 5 years ago, 0 comments)

#251 Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users from using DELETE or PUT on protected APIs or resources. (spyd3r, opened 5 years ago, 0 comments)

#250 Verify that requests containing unexpected or missing content types are rejected with appropriate headers (HTTP response status 406 Unacceptable or 415 Unsupported Media Type). (spyd3r, opened 5 years ago, 0 comments)

#249 Verify that authorization decisions are made both at the URI level, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions. (spyd3r, opened 5 years ago, 0 comments)

#248 Verify that API URLs do not expose sensitive information, such as API keys, session tokens, etc. (spyd3r, opened 5 years ago, 0 comments)

#247 Verify that access to administration and management functions is limited to authorized administrators. (spyd3r, opened 5 years ago, 0 comments)

#246 Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks. (spyd3r, opened 5 years ago, 0 comments)

#245 Verify that the web or application server is configured with a whitelist of resources or systems to which the server can send requests or from which it can load data/files. (spyd3r, opened 5 years ago, 0 comments)

#244 Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content. (spyd3r, opened 5 years ago, 0 comments)

#243 Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc.) and other extensions commonly used by editors should be blocked unless required. (spyd3r, opened 5 years ago, 0 comments)

#242 Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content. (spyd3r, opened 5 years ago, 0 comments)

#241 Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation. (spyd3r, opened 5 years ago, 0 comments)

#240 Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs. (spyd3r, opened 5 years ago, 0 comments)

#239 Verify that untrusted file metadata is not used directly with system APIs or libraries, to protect against OS command injection. (spyd3r, opened 5 years ago, 0 comments)

#238 Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter; the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename. (spyd3r, opened 5 years ago, 0 comments)

#237 Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF. (spyd3r, opened 5 years ago, 0 comments)

#236 Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI). (spyd3r, opened 5 years ago, 0 comments)