ASVS 5.0 Requirements
Structured access to OWASP Application Security Verification Standard (ASVS) 5.0 requirements for security auditing.
When to Use This Skill
- •Planning security audits - To understand which chapters apply to the project
- •Scoping audit depth - To select appropriate verification level (L1/L2/L3)
- •Building auditor agents - To define specific checks for each domain
- •Mapping findings - To reference ASVS requirements in audit reports
When NOT to Use This Skill
- •Quick vulnerability checks - Use vulnerability-patterns skill instead
- •Remediation guidance - Use remediation-library skill instead
- •Non-ASVS audits - Use industry compliance auditors directly
ASVS Verification Levels
| Level | Name | Applicability | Depth |
|---|---|---|---|
| L1 | Opportunistic | All applications | Minimum baseline |
| L2 | Standard | Most applications | Recommended |
| L3 | Advanced | High-value/critical apps | Maximum rigor |
Mapping to Audit Modes:
- •Quick Scan → L1 requirements only
- •Standard Audit → L1 + L2 requirements
- •Comprehensive Audit → L1 + L2 + L3 requirements
Chapter Overview
| Chapter | Name | Requirements | Primary Focus |
|---|---|---|---|
| V1 | Encoding & Sanitization | 28 | Injection prevention |
| V2 | Validation & Business Logic | 15 | Input validation |
| V3 | Web Frontend Security | 32 | Browser security |
| V4 | API & Web Service | 17 | API security |
| V5 | File Handling | 14 | File security |
| V6 | Authentication | 44 | Identity verification |
| V7 | Session Management | 18 | Session security |
| V8 | Authorization | 11 | Access control |
| V9 | Self-contained Tokens | 7 | JWT security |
| V10 | OAuth & OIDC | 50 | OAuth/OIDC security |
| V11 | Cryptography | 32 | Crypto implementation |
| V12 | Secure Communications | 13 | TLS/transport |
| V13 | Configuration | 18 | Secure config |
| V14 | Data Protection | 15 | Data handling |
| V15 | Secure Coding | 20 | Code quality |
| V16 | Security Logging | 19 | Audit logging |
| V17 | WebRTC | 15 | WebRTC security |
| Total | 369 |
V1: Encoding and Sanitization (28 requirements)
Control Objective
Ensure the application correctly encodes and decodes data to prevent injection attacks.
Sections
- •V1.1 Encoding Architecture
- •V1.2 Injection Prevention
- •V1.3 Sanitization
- •V1.4 Memory/String Safety
- •V1.5 Safe Deserialization
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V1.2.1 | L1 | Parameterized queries for all database operations |
| V1.2.2 | L1 | No string concatenation for SQL/NoSQL commands |
| V1.2.3 | L1 | OS command injection prevention |
| V1.3.1 | L1 | HTML output encoding |
| V1.5.1 | L1 | No unsafe deserialization (use JSON) |
Detection Patterns
- •SQL string concatenation:
"SELECT * FROM " + table - •Command injection: shell invocation with user input
- •Unsafe deserialize: Python object serialization, PHP unserialize
V2: Validation and Business Logic (15 requirements)
Control Objective
Ensure input validation enforces business expectations and prevents logic bypass.
Sections
- •V2.1 Documentation
- •V2.2 Input Validation
- •V2.3 Business Logic Security
- •V2.4 Anti-automation
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V2.2.1 | L1 | Server-side validation for all inputs |
| V2.2.2 | L1 | Allowlist validation preferred |
| V2.3.1 | L1 | Sequential step enforcement |
| V2.4.1 | L2 | Rate limiting on sensitive ops |
Detection Patterns
- •Client-only validation:
if (form.valid)without server check - •Missing rate limiting: No throttle on login/register
- •Mass assignment: Accepting all form fields without filtering
V3: Web Frontend Security (32 requirements)
Control Objective
Protect browsers against common web attacks through proper headers and configurations.
Sections
- •V3.1 Documentation
- •V3.2 Content Interpretation
- •V3.3 Cookie Setup
- •V3.4 Security Headers
- •V3.5 Origin Separation
- •V3.6 External Resources
- •V3.7 Other Browser Security
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V3.3.1 | L1 | Cookies: Secure, HttpOnly, SameSite |
| V3.4.1 | L1 | Content-Security-Policy header |
| V3.4.2 | L1 | X-Content-Type-Options: nosniff |
| V3.4.3 | L1 | Strict-Transport-Security (HSTS) |
| V3.6.1 | L2 | Subresource integrity for CDN scripts |
Detection Patterns
- •Missing CSP: No Content-Security-Policy header
- •Insecure cookies: Missing Secure/HttpOnly flags
- •No HSTS: Missing Strict-Transport-Security
V4: API and Web Service (17 requirements)
Control Objective
Ensure API endpoints are secure against common attack patterns.
Sections
- •V4.1 Generic Web Service Security
- •V4.2 HTTP Message Validation
- •V4.3 GraphQL
- •V4.4 WebSocket
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V4.1.1 | L1 | Content-Type header validation |
| V4.2.1 | L2 | HTTP request smuggling prevention |
| V4.3.1 | L2 | GraphQL query depth limiting |
| V4.3.2 | L2 | GraphQL introspection disabled in prod |
| V4.4.1 | L2 | WebSocket authentication |
Detection Patterns
- •GraphQL introspection:
introspectionQueryenabled - •No depth limit: Unbounded GraphQL queries
- •Missing auth: WebSocket without handshake validation
V5: File Handling (14 requirements)
Control Objective
Handle files securely throughout upload, storage, and download lifecycle.
Sections
- •V5.1 Documentation
- •V5.2 File Upload
- •V5.3 File Storage
- •V5.4 File Download
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V5.2.1 | L1 | File extension validation |
| V5.2.2 | L1 | Content-type validation |
| V5.2.3 | L1 | Upload size limits |
| V5.3.1 | L1 | Uploads cannot run as code |
| V5.4.1 | L1 | Path traversal prevention |
Detection Patterns
- •No extension check: Accepting any file type
- •Path traversal:
../in filenames not sanitized - •Direct run: Uploads served from code directory
V6: Authentication (44 requirements)
Control Objective
Ensure robust authentication mechanisms protect user accounts.
Sections
- •V6.1 Documentation
- •V6.2 Password Security
- •V6.3 General Auth Security
- •V6.4 Factor Lifecycle
- •V6.5 Multi-factor Auth
- •V6.6 Out-of-Band Auth
- •V6.7 Cryptographic Auth
- •V6.8 Identity Provider Auth
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V6.2.1 | L1 | Minimum 8 character passwords |
| V6.2.2 | L1 | 64+ character max allowed |
| V6.2.3 | L1 | Password breach checking |
| V6.2.4 | L1 | Secure hashing (bcrypt/argon2) |
| V6.3.1 | L1 | Account lockout after failures |
| V6.5.1 | L2 | MFA for sensitive operations |
Detection Patterns
- •Weak hashing: MD5/SHA1 for passwords
- •No lockout: Unlimited login attempts
- •Plain text: Passwords in logs/storage
V7: Session Management (18 requirements)
Control Objective
Ensure session tokens are generated, managed, and invalidated securely.
Sections
- •V7.1 Documentation
- •V7.2 Session Token Lifecycle
- •V7.3 Session Logout and Timeout
- •V7.4 Cookie-based Session Management
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V7.2.1 | L1 | Cryptographically random session IDs |
| V7.2.2 | L1 | 128+ bit entropy |
| V7.3.1 | L1 | Session invalidation on logout |
| V7.3.2 | L2 | Absolute session timeout |
| V7.4.1 | L1 | Cookie security attributes |
Detection Patterns
- •Predictable IDs: Sequential or timestamp-based
- •No logout: Missing session invalidation
- •No timeout: Sessions never expire
V8: Authorization (11 requirements)
Control Objective
Ensure access control is enforced at all levels of the application.
Sections
- •V8.1 Documentation
- •V8.2 Application Access Control
- •V8.3 Directory Browsing and Resource Protection
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V8.2.1 | L1 | Enforce access control on every request |
| V8.2.2 | L1 | IDOR prevention |
| V8.2.3 | L1 | Principle of least privilege |
| V8.3.1 | L1 | Directory listing disabled |
| V8.3.2 | L1 | Sensitive files not accessible |
Detection Patterns
- •Missing IDOR check: Direct object access without ownership validation
- •Role bypass: Admin functions without role verification
- •Open directories: Index enabled on sensitive paths
V9: Self-contained Tokens (7 requirements)
Control Objective
Ensure JWT and similar tokens are implemented securely.
Sections
- •V9.1 Documentation
- •V9.2 Token Generation
- •V9.3 Token Verification
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V9.2.1 | L1 | Strong algorithm (RS256/ES256) |
| V9.2.2 | L1 | No "none" algorithm |
| V9.3.1 | L1 | Signature verification |
| V9.3.2 | L1 | Expiration (exp) validation |
| V9.3.3 | L2 | Issuer (iss) validation |
Detection Patterns
- •Weak algorithm: HS256 with weak secret
- •None algorithm:
alg: "none"accepted - •No expiry: Missing or ignored
expclaim
V10: OAuth and OIDC (50 requirements)
Control Objective
Ensure OAuth 2.0 and OpenID Connect implementations follow security best practices.
Sections
- •V10.1 Documentation
- •V10.2 OAuth Client
- •V10.3 OAuth Authorization Server
- •V10.4 OAuth Resource Server
- •V10.5 OIDC Client
- •V10.6 OIDC Provider
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V10.2.1 | L1 | PKCE for public clients |
| V10.2.2 | L1 | State parameter validation |
| V10.2.3 | L1 | No credentials in URLs |
| V10.3.1 | L1 | Redirect URI validation |
| V10.5.1 | L2 | ID token validation |
Detection Patterns
- •Missing PKCE: Public clients without code_challenge
- •Open redirect: Insufficient redirect_uri validation
- •Token in URL: Access token exposed in query params
V11: Cryptography (32 requirements)
Control Objective
Ensure cryptographic implementations use secure algorithms and configurations.
Sections
- •V11.1 Documentation
- •V11.2 Key Management
- •V11.3 Random Values
- •V11.4 Symmetric Encryption
- •V11.5 Hashing and Hash-based Functions
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V11.2.1 | L1 | Keys not in source code |
| V11.3.1 | L1 | CSPRNG for security-sensitive values |
| V11.4.1 | L2 | AES-GCM or ChaCha20-Poly1305 |
| V11.5.1 | L1 | SHA-256+ for hashing |
| V11.5.2 | L2 | No MD5/SHA1 |
Detection Patterns
- •Hardcoded keys:
secretKey = "..."in code - •Weak PRNG:
Math.random()for tokens - •Deprecated crypto: DES, RC4, MD5 usage
V12: Secure Communications (13 requirements)
Control Objective
Ensure all communications use secure transport layer protocols.
Sections
- •V12.1 Documentation
- •V12.2 TLS Configuration
- •V12.3 Certificate Validation
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V12.2.1 | L1 | TLS 1.2+ only |
| V12.2.2 | L1 | Strong cipher suites |
| V12.2.3 | L2 | Certificate pinning for mobile |
| V12.3.1 | L1 | Certificate validation enabled |
| V12.3.2 | L1 | No self-signed certs in prod |
Detection Patterns
- •TLS disabled:
verify=False,NODE_TLS_REJECT_UNAUTHORIZED=0 - •Weak TLS: SSLv3, TLS 1.0/1.1 enabled
- •Self-signed: Non-CA certs in production
V13: Configuration (18 requirements)
Control Objective
Ensure secure default configurations and proper secrets management.
Sections
- •V13.1 Documentation
- •V13.2 Build and Deployment Configuration
- •V13.3 Secrets Management
- •V13.4 Dependency Management
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V13.2.1 | L1 | Debug disabled in production |
| V13.2.2 | L1 | Error details not exposed |
| V13.3.1 | L1 | Secrets not in version control |
| V13.3.2 | L1 | Secrets not in environment vars (prefer vault) |
| V13.4.1 | L2 | Dependency vulnerability scanning |
Detection Patterns
- •Debug enabled:
DEBUG=Truein production - •Secrets in git: API keys in committed files
- •Outdated deps: Known vulnerable packages
V14: Data Protection (15 requirements)
Control Objective
Ensure sensitive data is identified, classified, and protected appropriately.
Sections
- •V14.1 Documentation
- •V14.2 Data Classification
- •V14.3 Data at Rest
- •V14.4 Data in Transit
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V14.2.1 | L1 | Sensitive data identified |
| V14.3.1 | L2 | PII encrypted at rest |
| V14.3.2 | L2 | Database encryption |
| V14.4.1 | L1 | Sensitive data over TLS only |
Detection Patterns
- •Unencrypted PII: Plain text storage of personal data
- •No column encryption: Sensitive fields not encrypted
- •HTTP endpoints: Sensitive data sent over HTTP
V15: Secure Coding (20 requirements)
Control Objective
Ensure code follows secure development practices.
Sections
- •V15.1 Documentation
- •V15.2 Memory Safety
- •V15.3 Code Quality
- •V15.4 Dependency Management
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V15.2.1 | L1 | Buffer overflow prevention |
| V15.3.1 | L1 | No unreachable code |
| V15.3.2 | L2 | Static analysis in CI |
| V15.4.1 | L1 | Known vulnerable deps addressed |
Detection Patterns
- •Buffer issues: Unbounded array access
- •Dead code: Unreachable branches
- •Vulnerable deps: CVEs in dependencies
V16: Security Logging (19 requirements)
Control Objective
Ensure security events are logged with appropriate detail for incident response.
Sections
- •V16.1 Documentation
- •V16.2 Event Content
- •V16.3 Log Protection
- •V16.4 Error Handling
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V16.2.1 | L1 | Authentication events logged |
| V16.2.2 | L1 | Authorization failures logged |
| V16.3.1 | L2 | No sensitive data in logs |
| V16.3.2 | L2 | Log injection prevention |
| V16.4.1 | L1 | Generic error messages to users |
Detection Patterns
- •No auth logging: Login attempts not recorded
- •PII in logs: Passwords/tokens logged
- •Verbose errors: Stack traces to users
V17: WebRTC (15 requirements)
Control Objective
Ensure WebRTC implementations are secure.
Sections
- •V17.1 Documentation
- •V17.2 WebRTC Security
Key Requirements
| ID | Level | Requirement |
|---|---|---|
| V17.2.1 | L2 | DTLS-SRTP encryption |
| V17.2.2 | L2 | ICE candidate restrictions |
| V17.2.3 | L2 | Signaling channel authentication |
| V17.2.4 | L2 | TURN server authentication |
Detection Patterns
- •No encryption: Unencrypted media streams
- •Open signaling: Unauthenticated signaling server
- •ICE leaks: Exposing internal IPs
Feature-to-Chapter Mapping
Use this to select relevant chapters based on project features:
| Project Feature | Primary Chapters | Secondary Chapters |
|---|---|---|
| authentication | V6 | V7, V11 |
| oauth | V10 | V6, V9 |
| file-upload | V5 | V1, V14 |
| api | V4 | V1, V2, V8 |
| graphql | V4 | V8 |
| database | V1, V2 | V14 |
| websockets | V4, V12 | V6 |
| payments | V12, V11 | V6, V14 |
| frontend | V3 | V1 |
| logging | V16 | V14 |
External Resources
- •ASVS 5.0 Full Specification: https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/docs_en/OWASP_Application_Security_Verification_Standard_5.0.0_en.csv
- •OWASP ASVS Project: https://owasp.org/www-project-application-security-verification-standard/
- •Secure Coding Rules:
~/projects/claude-secure-coding-rules/
See Also
- •
Skill: project-context- Detect project features for chapter selection - •
Skill: vulnerability-patterns- Language-specific vulnerability patterns - •
Skill: remediation-library- Fix patterns for findings