Cyber Posture

OWASP ASVS 5.0 · All chapters

V9 Self-contained Tokens

7 verification requirement(s) in this chapter.

← V8 V10 →

V9.1 Token source and integrity

IDVerify that…Level
V9.1.1 Verify that self-contained tokens are validated using their digital signature or MAC to protect against tampering before accepting the token's contents.
IA-5 IA-1 IA-13
 L1
V9.1.2 Verify that only algorithms on an allowlist can be used to create and verify self-contained tokens, for a given context. The allowlist must include the permitted algorithms, ideally only either symmetric or asymmetric algorithms, and must not include the 'None' algorithm. If both symmetric and asymmetric must be supported, additional controls will be needed to prevent key confusion.
CWE-757 IA-5
 L1
V9.1.3 Verify that key material that is used to validate self-contained tokens is from trusted pre-configured sources for the token issuer, preventing attackers from specifying untrusted sources and keys. For JWTs and other JWS structures, headers such as 'jku', 'x5u', and 'jwk' must be validated against an allowlist of trusted sources.
CWE-1289 CWE-829 IA-5 IA-13.1
 L1

V9.2 Token content

IDVerify that…Level
V9.2.1 Verify that, if a validity time span is present in the token data, the token and its content are accepted only if the verification time is within this validity time span. For example, for JWTs, the claims 'nbf' and 'exp' must be verified.
CWE-670 IA-5 SC-45
 L1
V9.2.2 Verify that the service receiving a token validates the token to be the correct type and is meant for the intended purpose before accepting the token's contents. For example, only access tokens can be accepted for authorization decisions and only ID Tokens can be used for proving user authentication.
CWE-1289 CWE-1390 CWE-267 CWE-99 IA-13 IA-5 IA-9
 L2
V9.2.3 Verify that the service only accepts tokens which are intended for use with that service (audience). For JWTs, this can be achieved by validating the 'aud' claim against an allowlist defined in the service.
CWE-267 IA-5 IA-13 IA-9
 L2
V9.2.4 Verify that, if a token issuer uses the same private key for issuing tokens to different audiences, the issued tokens contain an audience restriction that uniquely identifies the intended audiences. This will prevent a token from being reused with an unintended audience. If the audience identifier is dynamically provisioned, the token issuer must validate these audiences in order to make sure that they do not result in audience impersonation.
CWE-694 IA-4 IA-13.3
 L2
← V8 V10 →

Source: OWASP ASVS 5.0.0 · Licensed under CC BY-SA 4.0 · CWE / NIST 800-53 cross-references are a separate (Phase B) LLM-authored mapping, not yet rendered here.