8.1.3 seems like nonsense #1381
Comments
The sense, for example: instead of keeping already submitted data on the service side, some app carries the entire package in hidden fields, in some JSON object, etc. It is also problematic with some RESTful stuff, where entire datasets are sent back and forth when only a few items are needed.
Server- vs client-side data is a different issue covered elsewhere. I do not think the field number really matters. This, IMO, needs to be clarified or just removed. We have bigger issues to focus on.
From the "data protection" category perspective, this requirement is at least in the wrong place. We can minimize unnecessary bandwidth from client to server with that, but it's not a data protection issue.
And having many parameters vs JSON is actually SAFER, since you do not need to utilize a server-side JSON parser. I again assert this requirement is nonsense. Many apps require lots of parameters for good reason. I do see EXTRA parameters the app does not need as a good intrusion detection point. But many parameters is just how some apps work, and that does not add a security risk in and of itself.
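As an added example that is not part of this thread or of the ASVS project, the following Python sketch shows what the "extra parameters as an intrusion detection point" remark looks like in code: each endpoint declares the parameter names it actually consumes, and any request carrying names outside that allowlist is rejected and logged. The same allowlist also catches the client-carried state mentioned earlier in the thread (for example a price round-tripped through a hidden field), because the server simply never accepts it. The endpoint paths, parameter names and sample requests are all constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed allowlist: the parameter names each endpoint actually consumes.
# Endpoint paths and names are hypothetical, chosen for this example.
EXPECTED_PARAMS = {
    "/checkout/submit": {"cart_id", "shipping_method", "csrf_token"},
    "/profile/update": {"display_name", "email", "csrf_token"},
}


def audit_params(path, body):
    """Split submitted form parameters into expected / unexpected / missing
    for the given endpoint. Only names are inspected, never values."""
    allowed = EXPECTED_PARAMS.get(path)
    if allowed is None:
        raise KeyError(f"no parameter allowlist defined for {path}")
    submitted = set(parse_qs(body, keep_blank_values=True))
    return {
        "expected": sorted(submitted & allowed),
        "unexpected": sorted(submitted - allowed),
        "missing": sorted(allowed - submitted),
    }


def handle(path, body, alerts):
    """Strict handling: a request carrying parameters the endpoint never reads
    is rejected with 400 and recorded as a detection signal. Returns the HTTP
    status the request would receive."""
    result = audit_params(path, body)
    if result["unexpected"]:
        # Log names only; values may contain secrets or attacker payloads.
        alerts.append({"path": path, "unexpected": result["unexpected"]})
        return 400
    if result["missing"]:
        return 422  # well-formed but incomplete; not an attack indicator by itself
    return 200


def scan(requests):
    """Run a batch of (path, body) pairs and return (statuses, alerts)."""
    alerts = []
    statuses = [handle(path, body, alerts) for path, body in requests]
    return statuses, alerts


# Constructed sample traffic. The third request carries a client-supplied
# "total_price" that the server computes itself, plus a parameter the endpoint
# never reads; both are flagged because neither is in the allowlist.
SAMPLE_REQUESTS = [
    ("/checkout/submit", "cart_id=42&shipping_method=ground&csrf_token=abc"),
    ("/profile/update", "display_name=Alice&csrf_token=abc"),
    ("/checkout/submit",
     "cart_id=42&shipping_method=ground&csrf_token=abc&total_price=0.01&admin=1"),
]

if __name__ == "__main__":
    statuses, alerts = scan(SAMPLE_REQUESTS)
    for (path, _), status in zip(SAMPLE_REQUESTS, statuses):
        print(status, path)
    for alert in alerts:
        print("ALERT", alert)
```

The allowlist is per endpoint rather than a global cap on parameter count, which is the distinction the comment above draws: a form that legitimately needs thirty fields declares thirty names, and only a thirty-first, never-read name becomes a signal worth alerting on.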
I agree, this requirement is too vague to be useful.
Do we have any idea what the original rationale was here? Can we see from blame or previous issues?
Doesn't seem to exist in ASVS 1.0.
It looks like ASVS 2.0 predates git repo usage. Anyone know where changes were discussed before git?
8.1.3 makes absolutely no sense
From: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x16-V8-Data-Protection.md