MASVS V4 and MSTG-AUTH-12 #624
In both v1.4.2 and master, we have MASVS 4.12, which refers to MSTG-AUTH-12, but I couldn't find MSTG-AUTH-12 by
Replies: 2 comments

Hi @NAROUGA, thanks for reaching out. I can tell you that you're not missing anything. Unfortunately we don't have a test case in the MSTG for that requirement yet. We have an issue for it:
OWASP/owasp-mastg#1489
There's actually less that you can test on the app side besides ensuring that no authorization is being enforced within it. Similar to many other MASVS-AUTH requirements, this one is better tested directly on the remote endpoint.
Here's the OWASP WSTG, where you might find what you need to test this kind of requirement:
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/README

Alright, understood the current situation. Thanks for your informative reply!