OWASP#1230, OWASP#1652 - request origin validation related requirements to browser-related category
Elar Lang committed Dec 15, 2023
1 parent 2d7c761 commit 9abbaeb
Showing 4 changed files with 26 additions and 8 deletions.
6 changes: 2 additions & 4 deletions 5.0/en/0x12-V4-Access-Control.md
@@ -23,8 +23,8 @@ Authorization is the concept of allowing access to resources only to those permi
| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **4.2.1** | Verify that sensitive data and APIs are protected against Insecure Direct Object Reference (IDOR) attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records. |||| 639 |
| **4.2.2** | [MODIFIED, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality using the development framework's built-in anti-CSRF functionality or CSRF tokens plus additional defense in depth measures. |||| 352 |
| **4.2.3** | [ADDED] Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid. | ||| 346 |
| **4.2.2** | [MOVED TO 50.3.1] | | | | |


## V4.3 Other Access Control Considerations

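Review bot: the 4.2.3 postMessage row disappears from this table without a tombstone, while 4.2.2 gets `| **4.2.2** | [MOVED TO 50.3.1] | | | | |`; unless 4.2.3 never appeared in a tagged release, add a matching `| **4.2.3** | [MOVED TO 50.3.2] | | | | |` row so the numbering trail stays intact for readers comparing drafts.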
@@ -40,5 +40,3 @@ For more information, see also:

* [OWASP Testing Guide 4.0: Authorization](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/README.html)
* [OWASP Cheat Sheet: Access Control](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)
* [OWASP CSRF Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
* [OWASP REST Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html)
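Review bot: dropping the OWASP CSRF Cheat Sheet link follows 4.2.2 moving to V50.3, but the OWASP REST Cheat Sheet link is removed with no requirement leaving this chapter to justify it; either keep that entry or state in the commit message why V4 no longer needs it (V13 still links the same sheet in this commit).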
4 changes: 2 additions & 2 deletions 5.0/en/0x21-V13-API.md
@@ -35,7 +35,7 @@ Once the JSON schema validation standard is formalized, ASVS will update its adv
| :---: | :--- | :---: | :---: | :---: | :---: |
| **13.2.1** | [MOVED TO 14.5.5] | | | | |
| **13.2.2** | Verify that JSON schema validation is in place and verified before accepting input. |||| 20 |
| **13.2.3** | [DELETED, MERGED TO 4.2.2] | | | | |
| **13.2.3** | [DELETED, MERGED TO 50.3.1] | | | | |
| **13.2.4** | [DELETED, DUPLICATE OF 11.1.4] | | | | |
| **13.2.5** | Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. | ||| 436 |
| **13.2.6** | [MOVED TO 13.1.6] | | | | |
@@ -78,7 +78,7 @@ For more information, see also:
* [OWASP Cross-Site Request Forgery cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
* [OWASP XML External Entity Prevention Cheat Sheet - General Guidance](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#general-guidance)
* [JSON Web Tokens (and Signing)](https://jwt.io/)
* [REST Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html)
* [OWASP REST Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html)
* [JSON Schema](https://json-schema.org/specification.html)
* [XML DTD Entity Attacks](https://portswigger.net/web-security/xxe)
* [Orange Tsai - A new era of SSRF Exploiting URL Parser In Trending Programming Languages](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)
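Review bot: the `* [OWASP Cross-Site Request Forgery cheat sheet]` entry at the top of this hunk survives even though 13.2.3 is now `[DELETED, MERGED TO 50.3.1]`, whereas the V4 hunk removes its CSRF link for the same move; apply the same rule in both chapters. The `REST Security Cheat Sheet` to `OWASP REST Security Cheat Sheet` rename is unrelated to the commit subject; mention it in the commit message or split it out.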
2 changes: 1 addition & 1 deletion 5.0/en/0x22-V14-Config.md
@@ -82,7 +82,7 @@ Configurations for production should be hardened to protect against common attac
| :---: | :--- | :---: | :---: | :---: | :---: |
| **14.5.1** | [MODIFIED] Verify that the application only responds to HTTP methods in use by the application or by the API (including OPTIONS during preflight requests) and unused methods (e.g. TRACE) are blocked. |||| 749 |
| **14.5.2** | [DELETED, DUPLICATE OF 4.1.1] | | | | |
| **14.5.3** | [MODIFIED, SPLIT TO 50.2.6] Verify that the Origin header is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy. | ||| 346 |
| **14.5.3** | [SPLIT TO 50.2.6, 50.3.3] | | | | |
| **14.5.4** | [DELETED, INCORRECT] | | | | |
| **14.5.5** | [MODIFIED, MOVED FROM 13.2.1] Verify that HTTP requests using the HEAD, OPTIONS, TRACE or GET verb do not modify any backend data structure or perform any state-changing actions. These requests are safe methods and should therefore not have any side effects. |||| 650 |
| **14.5.6** | [ADDED] Verify that the infrastructure follows RFC 2616 and ignores the Content-Length header field if a Transfer-Encoding header field is also present. | ||| 444 |
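Review bot: as rendered here the level cells differ between the removed row (`| ||| 346 |`, first level cell empty) and the added 50.3.3 row in the V50 hunk (`|||| 346 |`), so the split appears to raise the requirement from L2 to L1 without that being stated in the row tag or commit message; either restore the original levels on 50.3.3 or record the change. Also, `[SPLIT TO 50.2.6, 50.3.3]` points at 50.2.6, which does not appear anywhere in this diff, so confirm that row exists in V50.2.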
22 changes: 21 additions & 1 deletion 5.0/en/0x50-V50-Web-Frontend-Security.md
@@ -24,7 +24,20 @@ The category focuses on requirements which protect against attacks that are exec

## V50.3 Browser Origin Separation

TBD
When accepting a request on the server side, we need to be sure it is initiated by the application itself or by a trusted party.

The keywords here are browser security policies like Same Origin Policy for JavaScript and also SameSite logic for cookies.

The category should contain requirements with ideas:

* Verify that the request was initiated by a trusted party (CSRF, CORS misconfiguration)
* Verify that the response is readable only for trusted parties (CORS misconfiguration)

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **50.3.1** | [MODIFIED, MOVED FROM 4.2.2, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality using the development framework's built-in anti-CSRF functionality or CSRF tokens plus additional defense in depth measures. |||| 352 |
| **50.3.2** | [ADDED] Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid. | ||| 346 |
| **50.3.3** | [ADDED, SPLIT FROM 14.5.3] Verify that the Origin header is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy. |||| 346 |


## V50.4 Cross-Site Script Inclusion
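Review bot: the second bullet, `* Verify that the response is readable only for trusted parties (CORS misconfiguration)`, has no requirement backing it in the new table; 50.3.3 validates the request's Origin header, which covers the first bullet, but nothing here addresses the Access-Control-Allow-Origin side that decides who may read the response, so either add that requirement or mark the bullet as pending. Two smaller points: 50.3.2 is tagged `[ADDED]` although it is the former 4.2.3 row removed in the V4 hunk, so `[MOVED FROM 4.2.3]` would keep the trail; and `The category should contain requirements with ideas:` reads as an editor's note rather than chapter text, acceptable while the section is a draft but to be rewritten before release.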
@@ -44,3 +57,10 @@ TBD
## V50.7 Other Browser Security Considerations

TBD


## References

For more information, see also:

* [OWASP Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
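Review bot: the new References list carries only the CSRF cheat sheet, leaving 50.3.2 (postMessage) and 50.3.3 (Origin header / CORS) without a supporting reference; the OWASP HTML5 Security Cheat Sheet covers both Web Messaging and CORS and would fit here. Adding the CSRF link in this chapter also balances its removal from the V4 references in the same commit.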
