andrewmusselman commented on issue #535: URL: https://github.com/apache/tooling-trusted-releases/issues/535#issuecomment-3789020477
# OWASP ASVS 5.0 Rate Limiting Requirements

Summary of rate limiting and anti-automation requirements from the OWASP Application Security Verification Standard (ASVS) version 5.0.0.

## V2.4 Anti-automation

Controls to ensure human-like interactions and prevent excessive automated requests.

| ID | Requirement | Level |
|----|-------------|-------|
| 2.4.1 | Verify that anti-automation controls are in place to protect against excessive calls to application functions that could lead to data exfiltration, garbage-data creation, quota exhaustion, rate-limit breaches, denial-of-service, or overuse of costly resources. | L2 |
| 2.4.2 | Verify that business logic flows require realistic human timing, preventing excessively rapid transaction submissions. | L3 |

## V6.1 Authentication Documentation

| ID | Requirement | Level |
|----|-------------|-------|
| 6.1.1 | Verify that application documentation defines how controls such as rate limiting, anti-automation, and adaptive response are used to defend against attacks such as credential stuffing and password brute force. The documentation must make clear how these controls are configured and prevent malicious account lockout. | L1 |

## V6.3 General Authentication Security

| ID | Requirement | Level |
|----|-------------|-------|
| 6.3.1 | Verify that controls to prevent attacks such as credential stuffing and password brute force are implemented according to the application's security documentation. | L1 |

## V6.6 Out-of-Band Authentication Mechanisms

| ID | Requirement | Level |
|----|-------------|-------|
| 6.6.3 | Verify that a code-based out-of-band authentication mechanism is protected against brute force attacks by using rate limiting. Consider also using a code with at least 64 bits of entropy. | L2 |
| 6.6.4 | Verify that, where push notifications are used for multi-factor authentication, rate limiting is used to prevent push bombing attacks. Number matching may also mitigate this risk. | L3 |

## V15.3 HTTP Request Header Validation

| ID | Requirement | Level |
|----|-------------|-------|
| 15.3.4 | Verify that all proxying and middleware components transfer the user's original IP address correctly using trusted data fields that cannot be manipulated by the end user, and the application and web server use this correct value for logging and security decisions such as rate limiting, taking into account that even the original IP address may not be reliable due to dynamic IPs, VPNs, or corporate firewalls. | L2 |
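As an added illustration of how 2.4.1 and 15.3.4 fit together (example code, not part of the comment above or of the tooling-trusted-releases project): a sliding-window limiter keyed on the client address recovered from `X-Forwarded-For`, where the header is honoured only when the TCP peer is in an assumed trusted-proxy list. `TRUSTED_PROXIES` and the addresses in the comments are constructed values.

```python
"""Rate limiting keyed on a client IP derived only from trusted proxy hops."""
import ipaddress
import time
from collections import deque
from typing import Optional

# Assumed deployment: only this reverse proxy may set X-Forwarded-For (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to use for logging and rate-limit decisions (ASVS 15.3.4).

    The header is trusted only when the socket peer is a trusted proxy; otherwise an
    end user could forge it and escape the limit. The chain is walked from the right,
    skipping trusted hops, and stops at the first untrusted address, which is the
    client as seen by the outermost trusted proxy. Anything a client prepended
    further left is ignored.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed hop: fall back to the socket peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # every hop was a trusted proxy; nothing better is known


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds (ASVS 2.4.1)."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits = {}  # key -> deque of request timestamps

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

A request handler would call `limiter.allow(client_ip(peer, request.headers.get("X-Forwarded-For")))` and reject with 429 on `False`; as 15.3.4 notes, the recovered address is still a weak identity behind shared NAT or VPN egress.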
