#2184 - update token integrity check
Elar Lang authored and tghosth committed Nov 14, 2024
1 parent 4c5ac9d commit 2537696
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion 5.0/en/0x12-V3-Session-management.md
Expand Up @@ -79,7 +79,7 @@ Token-based session management includes JWT, OAuth, SAML, and API keys. Of these
| :---: | :--- | :---: | :---: | :---: | :---: |
| **3.5.1** | [GRAMMAR] Verify that the application allows users to revoke OAuth tokens that form trust relationships with linked applications. | ||| 290 |
| **3.5.2** | [MOVED TO 3.1.3] | | | | |
| **3.5.3** | [MODIFIED, LEVEL L2 > L1] Verify that stateless tokens use a digital signature or MAC to protect against tampering, which is checked before accepting the token's contents. |||| 345 |
| **3.5.3** | [MODIFIED, LEVEL L2 > L1] Verify that cryptographically secured tokens are validated using their digital signature or MAC to protect against tampering before accepting the token's contents. |||| 345 |
| **3.5.4** | [ADDED] Verify that, if a validity time span is present in the token data, the token and it's content are accepted only if the verification time is within this validity time span. For example, for JWTs the claims 'nbf' and 'exp' must be verified. |||| 613 |
| **3.5.5** | [ADDED] Verify that only algorithms on an allowlist can be used to create and verify cryptographically secured tokens, for a given context. The allowlist should include the permitted algorithms, ideally only either symmetric or asymmetric algorithms, and should not include the 'None' algorithm. If both symmetric and asymmetric are needed, additional controls should prevent key confusion. |||| 757 |
| **3.5.6** | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. |||| 287 |
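Review bot: the new wording of 3.5.3 introduces the term "cryptographically secured tokens" while the unchanged 3.5.6 two rows below still says "stateless token" (3.5.5 already uses "cryptographically secured tokens"), so the section now mixes two names for the same thing; align 3.5.6 with the new term, or state in the section intro which one is meant, before this lands. The new sentence also reads as if the signature or MAC itself does the protecting; the requirement is that the application checks it and rejects the token on failure before anything in the payload is trusted, so something like "Verify that cryptographically secured tokens are validated by checking their digital signature or MAC before the token's contents are accepted" keeps the "checked before accepting" point of the removed line. Minor, in the unchanged context rather than this change: 3.5.4 has "the token and it's content" for "its content".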