Add verify that to various reqs to resolve #2469 (#2471)
* Add verify that to various reqs to resolve #2469

* modification labels

* modification labels

---------

Co-authored-by: Elar Lang <[email protected]>
tghosth and elarlang authored Dec 16, 2024
1 parent 45245a4 commit 2efbfd3
Showing 4 changed files with 5 additions and 5 deletions.
4 changes: 2 additions & 2 deletions 5.0/en/0x11-V2-Authentication.md
Expand Up @@ -47,7 +47,7 @@ The requirements in this section mostly relate to section [5.1.1.2](https://page
| **2.1.2** | [MODIFIED] Verify that passwords of at least 64 characters are permitted. |||| 521 |
| **2.1.3** | [MODIFIED] Verify that the application verifies the user's password exactly as received from the user, without any modifications such as truncation or case transformation. |||| |
| **2.1.4** | [DELETED, INSUFFICIENT IMPACT] | | | | |
| **2.1.5** | Verify users can change their password. |||| 620 |
| **2.1.5** | [GRAMMAR] Verify that users can change their password. |||| 620 |
| **2.1.6** | Verify that password change functionality requires the user's current and new password. |||| 620 |
| **2.1.7** | [MODIFIED, SPLIT TO 2.1.13] Verify that passwords submitted during account registration or password change are checked against an available set of, at least, the top 3000 passwords. |||| 521 |
| **2.1.8** | [DELETED, INSUFFICIENT IMPACT] | | | | |
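Review bot: the [GRAMMAR] label on 2.1.5 is the right choice here, since only the wording changed and the requirement keeps the same scope and CWE 620. One cosmetic point in the same table: the deleted rows 2.1.4 and 2.1.8 pad the empty level cells as `| | | | |` while the live rows use `||||`, so a follow-up could align them to one style.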
Expand Down Expand Up @@ -123,7 +123,7 @@ The requirements in this section mostly relate to section [5.1.1.2](https://page
| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **2.5.1** | [DELETED, INCORRECT] | | | | |
| **2.5.2** | Verify password hints or knowledge-based authentication (so-called "secret questions") are not present. |||| 640 |
| **2.5.2** | [GRAMMAR] Verify that password hints or knowledge-based authentication (so-called "secret questions") are not present. |||| 640 |
| **2.5.3** | [DELETED, DUPLICATE OF 2.4.1] | | | | |
| **2.5.4** | [MOVED TO 14.1.10] | | | | |
| **2.5.5** | [DELETED, DUPLICATE OF 2.2.3] | | | | |
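Review bot: 2.5.2 reads correctly with "Verify that" and the [GRAMMAR] label, and the plural "are not present" still agrees with the two coordinated subjects (hints, knowledge-based authentication); no further change needed on this hunk.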
2 changes: 1 addition & 1 deletion 5.0/en/0x12-V3-Session-management.md
Expand Up @@ -37,7 +37,7 @@ Some of the requirements in this section relate to section [7.1](https://pages.n
| **3.1.2** | [ADDED] Verify that the application performs all session token verification using a trusted, back-end service. |||| 603 |
| **3.1.3** | [MODIFIED, MOVED FROM 3.5.2, LEVEL L2 > L1] Verify that the application uses either self-contained or reference tokens for session management. Static API secrets and keys should be avoided. |||| 798 |
| **3.1.4** | [MODIFIED, MOVED FROM 3.2.2, MERGED FROM 3.2.4] Verify that if reference tokens are used to represent user sessions, they are unique and generated using a cryptographically secure pseudo-random number generator (CSPRNG) and possess at least 128 bits of entropy. |||| |
| **3.1.5** | [MODIFIED, MOVED FROM 3.2.1] Verify the application generates a new session token on user authentication, including re-authentication, and terminates the current session token. |||| |
| **3.1.5** | [MODIFIED, MOVED FROM 3.2.1] Verify that the application generates a new session token on user authentication, including re-authentication, and terminates the current session token. |||| |

## V3.2 Session Binding

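Review bot: 3.1.5 gets the "Verify that" fix without a new label because it already carries [MODIFIED, MOVED FROM 3.2.1], whereas 2.1.5 and 2.5.2 in this commit receive [GRAMMAR] only where no label existed. Worth confirming that this convention (MODIFIED subsumes grammar-only edits) is what the "modification labels" follow-ups in the commit message intended, so the rule can be applied consistently in later grammar passes.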
2 changes: 1 addition & 1 deletion 5.0/en/0x16-V8-Data-Protection.md
Expand Up @@ -22,7 +22,7 @@ This chapter includes requirements related to defining what data needs to be pro
| **8.1.1** | [MODIFIED, MERGED FROM 8.1.2] Verify that the application prevents sensitive data from being cached in server components such as load balancers and application caches or ensures that the data is securely purged after use. | ||| 524 |
| **8.1.2** | [DELETED, MERGED TO 8.1.1] | | | | |
| **8.1.3** | [DELETED, INSUFFICIENT IMPACT] | | | | |
| **8.1.4** | Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application. | ||| 770 |
| **8.1.4** | [GRAMMAR] Verify that the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application. | ||| 770 |
| **8.1.5** | [DELETED, NOT IN SCOPE] | | | | |
| **8.1.6** | [DELETED, NOT IN SCOPE] | | | | |
| **8.1.7** | [ADDED] Verify that caching mechanisms are configured to only cache responses which have the correct content type and do not contain sensitive, dynamic content. The web server should return a 404 or 302 response when an non-existent file is accessed rather than returning a different, valid file. This should prevent Web Cache Deception attacks. | ||| 444 |
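Review bot: while touching 8.1.4, the unchanged row 8.1.7 two lines below has "when an non-existent file is accessed"; the article should be "a non-existent file". Since this commit is a grammar pass over the requirement text, it is the natural place to fix that as well.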
2 changes: 1 addition & 1 deletion 5.0/en/0x50-V50-Web-Frontend-Security.md
Expand Up @@ -94,7 +94,7 @@ it may need other separate section for "end-user protection via UI"
| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **50.8.1** | [ADDED, SPLIT FROM 5.1.5] Verify that the application shows a notification when the user is being redirected to a URL outside of the application's control, with an option to cancel the navigation. | | || |
| **50.8.2** | [MODIFIED, MOVED FROM 1.14.6] Verify the application only uses client-side technologies which are still supported and considered secure. Examples of technologies which do not meet this requirement include NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets. | ||| 477 |
| **50.8.2** | [MODIFIED, MOVED FROM 1.14.6] Verify that the application only uses client-side technologies which are still supported and considered secure. Examples of technologies which do not meet this requirement include NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets. | ||| 477 |
| **50.8.3** | [ADDED] Verify that the application behaves as documented (such as warning the user or blocking access) if the browser used to access the application does not support the expected security features. | | || |

## References
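Review bot: 50.8.2 follows the same pattern as 3.1.5 (wording fix, existing [MODIFIED, MOVED FROM 1.14.6] label kept), which is consistent. One nit in the same row: "NACL" for Google Native Client is conventionally written "NaCl", and the all-caps form reads as a network ACL, so consider "NaCl" while this row is being edited.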
