ASVS 5.0 Requirements

Structured access to OWASP Application Security Verification Standard (ASVS) 5.0 requirements for security auditing.

When to Use This Skill

• Planning security audits - To understand which chapters apply to the project
• Scoping audit depth - To select appropriate verification level (L1/L2/L3)
• Building auditor agents - To define specific checks for each domain
• Mapping findings - To reference ASVS requirements in audit reports

When NOT to Use This Skill

• Quick vulnerability checks - Use vulnerability-patterns skill instead
• Remediation guidance - Use remediation-library skill instead
• Non-ASVS audits - Use industry compliance auditors directly

ASVS Verification Levels

Level	Name	Applicability	Depth
L1	Opportunistic	All applications	Minimum baseline
L2	Standard	Most applications	Recommended
L3	Advanced	High-value/critical apps	Maximum rigor

Mapping to Audit Modes:

• Quick Scan → L1 requirements only
• Standard Audit → L1 + L2 requirements
• Comprehensive Audit → L1 + L2 + L3 requirements

---

Chapter Overview

Chapter	Name	Requirements	Primary Focus
V1	Encoding & Sanitization	28	Injection prevention
V2	Validation & Business Logic	15	Input validation
V3	Web Frontend Security	32	Browser security
V4	API & Web Service	17	API security
V5	File Handling	14	File security
V6	Authentication	44	Identity verification
V7	Session Management	18	Session security
V8	Authorization	11	Access control
V9	Self-contained Tokens	7	JWT security
V10	OAuth & OIDC	50	OAuth/OIDC security
V11	Cryptography	32	Crypto implementation
V12	Secure Communications	13	TLS/transport
V13	Configuration	18	Secure config
V14	Data Protection	15	Data handling
V15	Secure Coding	20	Code quality
V16	Security Logging	19	Audit logging
V17	WebRTC	15	WebRTC security
Total		369

---

V1: Encoding and Sanitization (28 requirements)

Control Objective

Ensure the application correctly encodes and decodes data to prevent injection attacks.

Sections

• V1.1 Encoding Architecture
• V1.2 Injection Prevention
• V1.3 Sanitization
• V1.4 Memory/String Safety
• V1.5 Safe Deserialization

Key Requirements

ID	Level	Requirement
V1.2.1	L1	Parameterized queries for all database operations
V1.2.2	L1	No string concatenation for SQL/NoSQL commands
V1.2.3	L1	OS command injection prevention
V1.3.1	L1	HTML output encoding
V1.5.1	L1	No unsafe deserialization (use JSON)

Detection Patterns

• SQL string concatenation: "SELECT * FROM " + table
• Command injection: shell invocation with user input
• Unsafe deserialize: Python object serialization, PHP unserialize

---

V2: Validation and Business Logic (15 requirements)

Control Objective

Ensure input validation enforces business expectations and prevents logic bypass.

Sections

• V2.1 Documentation
• V2.2 Input Validation
• V2.3 Business Logic Security
• V2.4 Anti-automation

Key Requirements

ID	Level	Requirement
V2.2.1	L1	Server-side validation for all inputs
V2.2.2	L1	Allowlist validation preferred
V2.3.1	L1	Sequential step enforcement
V2.4.1	L2	Rate limiting on sensitive ops

Detection Patterns

• Client-only validation: if (form.valid) without server check
• Missing rate limiting: No throttle on login/register
• Mass assignment: Accepting all form fields without filtering

---

V3: Web Frontend Security (32 requirements)

Control Objective

Protect browsers against common web attacks through proper headers and configurations.

Sections

• V3.1 Documentation
• V3.2 Content Interpretation
• V3.3 Cookie Setup
• V3.4 Security Headers
• V3.5 Origin Separation
• V3.6 External Resources
• V3.7 Other Browser Security

Key Requirements

ID	Level	Requirement
V3.3.1	L1	Cookies: Secure, HttpOnly, SameSite
V3.4.1	L1	Content-Security-Policy header
V3.4.2	L1	X-Content-Type-Options: nosniff
V3.4.3	L1	Strict-Transport-Security (HSTS)
V3.6.1	L2	Subresource integrity for CDN scripts

Detection Patterns

• Missing CSP: No Content-Security-Policy header
• Insecure cookies: Missing Secure/HttpOnly flags
• No HSTS: Missing Strict-Transport-Security

---

V4: API and Web Service (17 requirements)

Control Objective

Ensure API endpoints are secure against common attack patterns.

Sections

• V4.1 Generic Web Service Security
• V4.2 HTTP Message Validation
• V4.3 GraphQL
• V4.4 WebSocket

Key Requirements

ID	Level	Requirement
V4.1.1	L1	Content-Type header validation
V4.2.1	L2	HTTP request smuggling prevention
V4.3.1	L2	GraphQL query depth limiting
V4.3.2	L2	GraphQL introspection disabled in prod
V4.4.1	L2	WebSocket authentication

Detection Patterns

• GraphQL introspection: introspectionQuery enabled
• No depth limit: Unbounded GraphQL queries
• Missing auth: WebSocket without handshake validation

---

V5: File Handling (14 requirements)

Control Objective

Handle files securely throughout upload, storage, and download lifecycle.

Sections

• V5.1 Documentation
• V5.2 File Upload
• V5.3 File Storage
• V5.4 File Download

Key Requirements

ID	Level	Requirement
V5.2.1	L1	File extension validation
V5.2.2	L1	Content-type validation
V5.2.3	L1	Upload size limits
V5.3.1	L1	Uploads cannot run as code
V5.4.1	L1	Path traversal prevention

Detection Patterns

• No extension check: Accepting any file type
• Path traversal: ../ in filenames not sanitized
• Direct run: Uploads served from code directory

---

V6: Authentication (44 requirements)

Control Objective

Ensure robust authentication mechanisms protect user accounts.

Sections

• V6.1 Documentation
• V6.2 Password Security
• V6.3 General Auth Security
• V6.4 Factor Lifecycle
• V6.5 Multi-factor Auth
• V6.6 Out-of-Band Auth
• V6.7 Cryptographic Auth
• V6.8 Identity Provider Auth

Key Requirements

ID	Level	Requirement
V6.2.1	L1	Minimum 8 character passwords
V6.2.2	L1	64+ character max allowed
V6.2.3	L1	Password breach checking
V6.2.4	L1	Secure hashing (bcrypt/argon2)
V6.3.1	L1	Account lockout after failures
V6.5.1	L2	MFA for sensitive operations

Detection Patterns

• Weak hashing: MD5/SHA1 for passwords
• No lockout: Unlimited login attempts
• Plain text: Passwords in logs/storage

---

V7: Session Management (18 requirements)

Control Objective

Ensure session tokens are generated, managed, and invalidated securely.

Sections

• V7.1 Documentation
• V7.2 Session Token Lifecycle
• V7.3 Session Logout and Timeout
• V7.4 Cookie-based Session Management

Key Requirements

ID	Level	Requirement
V7.2.1	L1	Cryptographically random session IDs
V7.2.2	L1	128+ bit entropy
V7.3.1	L1	Session invalidation on logout
V7.3.2	L2	Absolute session timeout
V7.4.1	L1	Cookie security attributes

Detection Patterns

• Predictable IDs: Sequential or timestamp-based
• No logout: Missing session invalidation
• No timeout: Sessions never expire

---

V8: Authorization (11 requirements)

Control Objective

Ensure access control is enforced at all levels of the application.

Sections

• V8.1 Documentation
• V8.2 Application Access Control
• V8.3 Directory Browsing and Resource Protection

Key Requirements

ID	Level	Requirement
V8.2.1	L1	Enforce access control on every request
V8.2.2	L1	IDOR prevention
V8.2.3	L1	Principle of least privilege
V8.3.1	L1	Directory listing disabled
V8.3.2	L1	Sensitive files not accessible

Detection Patterns

• Missing IDOR check: Direct object access without ownership validation
• Role bypass: Admin functions without role verification
• Open directories: Index enabled on sensitive paths

---

V9: Self-contained Tokens (7 requirements)

Control Objective

Ensure JWT and similar tokens are implemented securely.

Sections

• V9.1 Documentation
• V9.2 Token Generation
• V9.3 Token Verification

Key Requirements

ID	Level	Requirement
V9.2.1	L1	Strong algorithm (RS256/ES256)
V9.2.2	L1	No "none" algorithm
V9.3.1	L1	Signature verification
V9.3.2	L1	Expiration (exp) validation
V9.3.3	L2	Issuer (iss) validation

Detection Patterns

• Weak algorithm: HS256 with weak secret
• None algorithm: alg: "none" accepted
• No expiry: Missing or ignored exp claim

---

V10: OAuth and OIDC (50 requirements)

Control Objective

Ensure OAuth 2.0 and OpenID Connect implementations follow security best practices.

Sections

• V10.1 Documentation
• V10.2 OAuth Client
• V10.3 OAuth Authorization Server
• V10.4 OAuth Resource Server
• V10.5 OIDC Client
• V10.6 OIDC Provider

Key Requirements

ID	Level	Requirement
V10.2.1	L1	PKCE for public clients
V10.2.2	L1	State parameter validation
V10.2.3	L1	No credentials in URLs
V10.3.1	L1	Redirect URI validation
V10.5.1	L2	ID token validation

Detection Patterns

• Missing PKCE: Public clients without code_challenge
• Open redirect: Insufficient redirect_uri validation
• Token in URL: Access token exposed in query params

---

V11: Cryptography (32 requirements)

Control Objective

Ensure cryptographic implementations use secure algorithms and configurations.

Sections

• V11.1 Documentation
• V11.2 Key Management
• V11.3 Random Values
• V11.4 Symmetric Encryption
• V11.5 Hashing and Hash-based Functions

Key Requirements

ID	Level	Requirement
V11.2.1	L1	Keys not in source code
V11.3.1	L1	CSPRNG for security-sensitive values
V11.4.1	L2	AES-GCM or ChaCha20-Poly1305
V11.5.1	L1	SHA-256+ for hashing
V11.5.2	L2	No MD5/SHA1

Detection Patterns

• Hardcoded keys: secretKey = "..." in code
• Weak PRNG: Math.random() for tokens
• Deprecated crypto: DES, RC4, MD5 usage

---

V12: Secure Communications (13 requirements)

Control Objective

Ensure all communications use secure transport layer protocols.

Sections

• V12.1 Documentation
• V12.2 TLS Configuration
• V12.3 Certificate Validation

Key Requirements

ID	Level	Requirement
V12.2.1	L1	TLS 1.2+ only
V12.2.2	L1	Strong cipher suites
V12.2.3	L2	Certificate pinning for mobile
V12.3.1	L1	Certificate validation enabled
V12.3.2	L1	No self-signed certs in prod

Detection Patterns

• TLS disabled: verify=False, NODE_TLS_REJECT_UNAUTHORIZED=0
• Weak TLS: SSLv3, TLS 1.0/1.1 enabled
• Self-signed: Non-CA certs in production

---

V13: Configuration (18 requirements)

Control Objective

Ensure secure default configurations and proper secrets management.

Sections

• V13.1 Documentation
• V13.2 Build and Deployment Configuration
• V13.3 Secrets Management
• V13.4 Dependency Management

Key Requirements

ID	Level	Requirement
V13.2.1	L1	Debug disabled in production
V13.2.2	L1	Error details not exposed
V13.3.1	L1	Secrets not in version control
V13.3.2	L1	Secrets not in environment vars (prefer vault)
V13.4.1	L2	Dependency vulnerability scanning

Detection Patterns

• Debug enabled: DEBUG=True in production
• Secrets in git: API keys in committed files
• Outdated deps: Known vulnerable packages

---

V14: Data Protection (15 requirements)

Control Objective

Ensure sensitive data is identified, classified, and protected appropriately.

Sections

• V14.1 Documentation
• V14.2 Data Classification
• V14.3 Data at Rest
• V14.4 Data in Transit

Key Requirements

ID	Level	Requirement
V14.2.1	L1	Sensitive data identified
V14.3.1	L2	PII encrypted at rest
V14.3.2	L2	Database encryption
V14.4.1	L1	Sensitive data over TLS only

Detection Patterns

• Unencrypted PII: Plain text storage of personal data
• No column encryption: Sensitive fields not encrypted
• HTTP endpoints: Sensitive data sent over HTTP

---

V15: Secure Coding (20 requirements)

Control Objective

Ensure code follows secure development practices.

Sections

• V15.1 Documentation
• V15.2 Memory Safety
• V15.3 Code Quality
• V15.4 Dependency Management

Key Requirements

ID	Level	Requirement
V15.2.1	L1	Buffer overflow prevention
V15.3.1	L1	No unreachable code
V15.3.2	L2	Static analysis in CI
V15.4.1	L1	Known vulnerable deps addressed

Detection Patterns

• Buffer issues: Unbounded array access
• Dead code: Unreachable branches
• Vulnerable deps: CVEs in dependencies

---

V16: Security Logging (19 requirements)

Control Objective

Ensure security events are logged with appropriate detail for incident response.

Sections

• V16.1 Documentation
• V16.2 Event Content
• V16.3 Log Protection
• V16.4 Error Handling

Key Requirements

ID	Level	Requirement
V16.2.1	L1	Authentication events logged
V16.2.2	L1	Authorization failures logged
V16.3.1	L2	No sensitive data in logs
V16.3.2	L2	Log injection prevention
V16.4.1	L1	Generic error messages to users

Detection Patterns

• No auth logging: Login attempts not recorded
• PII in logs: Passwords/tokens logged
• Verbose errors: Stack traces to users

---

V17: WebRTC (15 requirements)

Control Objective

Ensure WebRTC implementations are secure.

Sections

• V17.1 Documentation
• V17.2 WebRTC Security

Key Requirements

ID	Level	Requirement
V17.2.1	L2	DTLS-SRTP encryption
V17.2.2	L2	ICE candidate restrictions
V17.2.3	L2	Signaling channel authentication
V17.2.4	L2	TURN server authentication

Detection Patterns

• No encryption: Unencrypted media streams
• Open signaling: Unauthenticated signaling server
• ICE leaks: Exposing internal IPs

---

Feature-to-Chapter Mapping

Use this to select relevant chapters based on project features:

Project Feature	Primary Chapters	Secondary Chapters
authentication	V6	V7, V11
oauth	V10	V6, V9
file-upload	V5	V1, V14
api	V4	V1, V2, V8
graphql	V4	V8
database	V1, V2	V14
websockets	V4, V12	V6
payments	V12, V11	V6, V14
frontend	V3	V1
logging	V16	V14

---

External Resources

• ASVS 5.0 Full Specification: https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/docs_en/OWASP_Application_Security_Verification_Standard_5.0.0_en.csv
• OWASP ASVS Project: https://owasp.org/www-project-application-security-verification-standard/
• Secure Coding Rules: ~/projects/claude-secure-coding-rules/

See Also

• Skill: project-context - Detect project features for chapter selection
• Skill: vulnerability-patterns - Language-specific vulnerability patterns
• Skill: remediation-library - Fix patterns for findings