[OWASP ASVS] Why is XSS not called out in ASVS version 2?

Christian Heinrich christian.heinrich at cmlh.id.au
Wed Sep 3 08:47:30 UTC 2014


Ari,

After the release of the Top Ten 2010 I explored this in depth and
concluded that this mapping did not exist.

However, the Top Ten 2010 encouraged the reader to consider ASVS as
the preferred alternative.

This was also the intent of
https://www.owasp.org/index.php/OWASP_Common_Numbering_Project which
is inactive.

On Wed, Sep 3, 2014 at 4:05 PM, Ari Kesäniemi <Ari.Kesaniemi at nixu.com> wrote:
> Hi,
>
> btw is there an official mapping between ASVS and Top Ten somewhere? I'm of the belief that ASVS covers all of Top Ten, but haven't looked up the exact verification requirements for each Top Ten item. This brings us back to the discussion of where XSS is considered in ASVS.
>
> Anyway, mapping Top Ten to ASVS would help organisations that already use Top Ten make it more concrete and provide a nice path for adopting ASVS as well.
>
>
>         + Ari
>
>
> On 03 Sep 2014, at 02:22, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
>
>> Stephan,
>>
>> A slight tangent.
>>
>> XSS has been a candidate within the OWASP Top Ten since its inception
>> in 2003 and its latest release in 2013 as documented within
>> https://raw.githubusercontent.com/cmlh/OWASP-Top-Ten-2013/master/2013_Release-FINAL/OWASP_Top_Ten_-_Comparison_of_2003,_2004,_2007,_2010_and_2013_Releases-FINAL_Release.jpg
>>
>> It would drive acceptance of the recent release of ASVS if an
>> additional level of vigour was defined as "OWASP Top Ten" and is
>> further supported by OWASP with their endorsement of
>> https://www.owasp.org/index.php/Quote-Veracode_Provides_Visibility_into_Their_Verification_Process_for_the_OWASP_Top_10
>>
>> I support the inclusion of XSS in addition to the existing input
>> validation vulnerabilities referenced in the latest release [of ASVS].
>>
>>
>>
>> On Tue, Sep 2, 2014 at 11:11 PM, Hookings, Stephen
>> <stephen.hookings at sap.com> wrote:
>>> Thanks for the reply.
>>>
>>>
>>>
>>> I still think XSS should be explicitly called out (as LDAP/SQL/Command
>>> injection are) – one of my internal SAP debates is that OWASP is easier to
>>> search than our own – XSS makes me out to be mistaken in ASVS version 2 (but
>>> arguably correct in beta 2013).
>>>
>>>
>>>
>>> Regards
>>> Steve Hookings
>>>
>>>
>>>
>>> From: Elar Lang [mailto:elarlang at gmail.com]
>>> Sent: 02 September 2014 13:12
>>> To: Hookings, Stephen
>>> Cc: owasp-application-security-verification-standard at lists.owasp.org
>>> Subject: Re: [OWASP ASVS] Why is XSS not called out in ASVS version 2?
>>>
>>>
>>>
>>> Hi,
>>>
>>> I think it was a duplicate of 5.16 "Verify that all untrusted data that are
>>> output to HTML (including HTML elements, HTML attributes, JavaScript data
>>> values, CSS blocks, and URI attributes) are properly escaped for the
>>> applicable context.".
>>>
>>> br,
>>> Elar Lang
>>>
>>>
>>>
>>> On Tue, Sep 2, 2014 at 2:32 PM, Hookings, Stephen <stephen.hookings at sap.com>
>>> wrote:
>>>
>>> Hi all
>>>
>>>
>>>
>>> I am comparing our SAP standards with OWASP ASVS and I notice the 2013 beta
>>> pdf explicitly calls out XSS as
>>>
>>>
>>>
>>> V4.3 Verify that the runtime environment is not susceptible to Cross Site
>>> Scripting (XSS), or that security controls prevent XSS.
>>>
>>> And yet XSS disappears in latest version 2.
>>>
>>>
>>>
>>> Is this intentional? That is, XSS is now considered just another form of
>>> input validation?
>>>
>>> Or was there a copy/paste error when renumbering Input Validation from 4 to
>>> 5?
>>>
>>>
>>>
>>> Regards
>>> Steve Hookings
>>>
>>>
>>> _______________________________________________
>>> Owasp-application-security-verification-standard mailing list
>>> Owasp-application-security-verification-standard at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Regards,
>> Christian Heinrich
>>
>> http://cmlh.id.au/contact
>
>
>



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
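The thread turns on ASVS 2.0 requirement 5.16, which folds XSS into "escape untrusted data for the applicable output context" rather than naming it. The example below is added here to make that requirement concrete; it is not code from the thread, from ASVS or from OWASP. It shows one escaper per context listed in 5.16 (HTML element content, HTML attribute, JavaScript data value, CSS string, URI attribute and URL query parameter) and a small renderer that places the same untrusted value into each of those contexts. The function names, the `render_profile` page fragment and the sample inputs are constructed for illustration; the encoding rules follow the conservative OWASP-style approach of encoding every non-alphanumeric character in attribute and CSS contexts.

```python
import html
import json
import re
import urllib.parse

# Context 1: HTML element content. Entity-encode the characters that can
# open a tag or terminate a quoted string.
def escape_html_text(value: str) -> str:
    return html.escape(value, quote=True)

# Context 2: HTML attribute value (inside double quotes). Conservatively
# encode every non-alphanumeric character as &#xHH; so that unquoted or
# oddly quoted attributes cannot be broken out of either.
def escape_html_attr(value: str) -> str:
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#x{ord(m.group(0)):02X};", value)

# Context 3: JavaScript data value. JSON-encode, then additionally encode
# < > & and the U+2028/U+2029 line terminators as \uXXXX so that the
# literal can never contain "</script>" and cannot break a JS line.
def escape_js_string(value: str) -> str:
    encoded = json.dumps(value)
    for raw, esc in (("<", "\\u003C"), (">", "\\u003E"), ("&", "\\u0026"),
                     ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(raw, esc)
    return encoded

# Context 4: CSS string value. Encode non-alphanumerics as \HH followed by a
# space (the space terminates the hex escape per the CSS syntax rules).
def escape_css_string(value: str) -> str:
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"\\{ord(m.group(0)):X} ", value)

# Context 5a: URL query parameter. Percent-encode everything that is not
# unreserved so the value cannot introduce new parameters or fragments.
def escape_url_param(value: str) -> str:
    return urllib.parse.quote(value, safe="")

# Context 5b: whole URI placed in an href/src attribute. Escaping alone is
# not enough here: a non-http(s) scheme must be rejected outright, and the
# surviving URL is then attribute-escaped. "about:blank" is the
# constructed fallback used in this example.
def safe_href(value: str) -> str:
    parsed = urllib.parse.urlparse(value.strip())
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return "about:blank"
    return html.escape(value.strip(), quote=True)

def render_profile(name: str, colour: str, query: str, link: str) -> str:
    """Assemble a fragment (constructed for this example) that places
    untrusted values in each of the 5.16 contexts, using the matching escaper."""
    return (
        "<p>Hello, " + escape_html_text(name) + "</p>\n"
        '<input name="display" value="' + escape_html_attr(name) + '">\n'
        "<script>var displayName = " + escape_js_string(name) + ";</script>\n"
        '<style>.badge::after { content: "' + escape_css_string(colour) + '"; }</style>\n'
        '<a href="' + safe_href(link) + '">profile</a>\n'
        '<a href="/search?q=' + escape_url_param(query) + '">search</a>\n'
    )

if __name__ == "__main__":
    # Constructed sample inputs that would each break out of a context if
    # the wrong (or no) escaper were applied.
    print(render_profile("</script><b>x</b>", "red;}", "a b&c", "JAVASCRIPT:void(0)"))
```

The point 5.16 makes, and this example shows, is that there is no single "XSS encoder": the same string needs a different transformation depending on where it lands, and for URI attributes a scheme check must precede escaping because `html.escape` would leave a `javascript:` URL intact. A reviewer verifying 5.16 therefore checks which escaper is used at each output point, not merely that "output encoding" is present somewhere.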

