From 3b4890e0dde748ebdfcdc11aef13d45b970f0b93 Mon Sep 17 00:00:00 2001 From: Elar Lang Date: Sun, 24 Oct 2021 11:33:54 +0300 Subject: [PATCH] label corrections, #1084, #1010 --- 4.0/en/0x10-V1-Architecture.md | 2 +- 4.0/en/0x13-V5-Validation-Sanitization-Encoding.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/4.0/en/0x10-V1-Architecture.md b/4.0/en/0x10-V1-Architecture.md index 4b829ba61a..c3fad14ad1 100644 --- a/4.0/en/0x10-V1-Architecture.md +++ b/4.0/en/0x10-V1-Architecture.md @@ -58,7 +58,7 @@ The "untrusted client" term here refers to client-side technologies that render | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---:| :---: | :---: | | **1.5.1** | Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance. | | ✓ | ✓ | 1029 | -| **1.5.2** | [DELETED, DUPLICATE OF 5.5.3] | | | | | +| **1.5.2** | [DELETED, MERGED TO 5.5.3] | | | | | | **1.5.3** | [MOVED TO 5.1.6] | | | | | | **1.5.4** | Verify that output encoding occurs close to or by the interpreter for which it is intended. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 116 | diff --git a/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md b/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md index d06ff34ead..9d1753122e 100644 --- a/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md +++ b/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md 
@@ -69,7 +69,7 @@ Output encoding close or adjacent to the interpreter in use is critical to the s | **5.3.3** | Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 79 | | **5.3.4** | Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 89 | | **5.3.5** | Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. ([C3, C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 89 | -| **5.3.6** | Verify that the application protects against JSON injection attacks, JSON eval attacks, and JavaScript expression evaluation. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 830 | +| **5.3.6** | [MODIFIED] Verify that the application protects against JSON injection attacks, JSON eval attacks, and JavaScript expression evaluation. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 830 | | **5.3.7** | Verify that the application protects against LDAP injection vulnerabilities, or that specific security controls to prevent LDAP injection have been implemented. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 90 | | **5.3.8** | Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. 
([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 78 | | **5.3.9** | Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks. | ✓ | ✓ | ✓ | 829 | @@ -95,7 +95,7 @@ The following requirements will only apply when the application uses a systems l | :---: | :--- | :---: | :---:| :---: | :---: | | **5.5.1** | [DELETED] | | | | | | **5.5.2** | Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. | ✓ | ✓ | ✓ | 611 | -| **5.5.3** | [MODIFIED] Verify that deserialization is not used when communicating with untrusted clients. If this is not possible, ensure that deserialization is performed safely, for example, by only allowing a white-list of object types or not allowing the client to define the object type to deserialize to, in order to prevent deserialization attacks. | ✓ | ✓ | ✓ | 502 | +| **5.5.3** | [MODIFIED, MERGED FROM 1.5.2] Verify that deserialization is not used when communicating with untrusted clients. If this is not possible, ensure that deserialization is performed safely, for example, by only allowing a white-list of object types or not allowing the client to define the object type to deserialize to, in order to prevent deserialization attacks. | ✓ | ✓ | ✓ | 502 | | **5.5.4** | Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON. | ✓ | ✓ | ✓ | 95 | ## References
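Review bot: In the 0x10-V1-Architecture.md hunk, the relabel of row 1.5.2 from "[DELETED, DUPLICATE OF 5.5.3]" to "[DELETED, MERGED TO 5.5.3]" is consistent with the "[MODIFIED, MERGED FROM 1.5.2]" tag added to 5.5.3 in the second file, so the cross-reference now reads the same from both ends. The subject line cites #1084 and #1010 without mapping them to rows; noting in the commit message which issue drove the 1.5.2/5.5.3 merge would make the changelog easier to audit.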
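Review bot: In the @@ -69,7 +69,7 @@ hunk of 0x13-V5-Validation-Sanitization-Encoding.md, the "[MODIFIED]" tag is added to row 5.3.6 but the requirement wording on the `-` and `+` lines is identical ("Verify that the application protects against JSON injection attacks, JSON eval attacks, and JavaScript expression evaluation."), so nothing in this hunk shows what was modified. If the wording change landed in an earlier commit, referencing it (or the relevant issue, #1084 or #1010) in the commit message would let a reviewer confirm the label; if a wording change was intended here, it is missing from the diff.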
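Review bot: In the @@ -95,7 +95,7 @@ hunk, row 5.5.3 gains "[MODIFIED, MERGED FROM 1.5.2]" while its requirement text is unchanged between the `-` and `+` lines, so the merge is a bookkeeping cross-reference only; if 1.5.2 carried wording that should survive in 5.5.3 (for example, an input/output handling requirement beyond what 5.5.3 already states), that wording does not appear in this hunk and should be confirmed against the deleted row. As a style point, since the row is being touched anyway, "white-list of object types" could be updated to "allow-list of object types" to match the neutral terminology, without changing the requirement's substance.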