Claude Code Plugins

Community-maintained marketplace

Feedback

asvs-requirements

@majiayu000/claude-skill-registry
5
0

OWASP ASVS 5.0 requirements database for security audits. Provides chapter structure, control objectives, and verification requirements for all 17 ASVS domains.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name asvs-requirements
description OWASP ASVS 5.0 requirements database for security audits. Provides chapter structure, control objectives, and verification requirements for all 17 ASVS domains.

ASVS 5.0 Requirements

Structured access to OWASP Application Security Verification Standard (ASVS) 5.0 requirements for security auditing.

When to Use This Skill

  • Planning security audits - To understand which chapters apply to the project
  • Scoping audit depth - To select appropriate verification level (L1/L2/L3)
  • Building auditor agents - To define specific checks for each domain
  • Mapping findings - To reference ASVS requirements in audit reports

When NOT to Use This Skill

  • Quick vulnerability checks - Use vulnerability-patterns skill instead
  • Remediation guidance - Use remediation-library skill instead
  • Non-ASVS audits - Use industry compliance auditors directly

ASVS Verification Levels

Level Name Applicability Depth
L1 Opportunistic All applications Minimum baseline
L2 Standard Most applications Recommended
L3 Advanced High-value/critical apps Maximum rigor

Mapping to Audit Modes:

  • Quick Scan → L1 requirements only
  • Standard Audit → L1 + L2 requirements
  • Comprehensive Audit → L1 + L2 + L3 requirements

Chapter Overview

Chapter Name Requirements Primary Focus
V1 Encoding & Sanitization 28 Injection prevention
V2 Validation & Business Logic 15 Input validation
V3 Web Frontend Security 32 Browser security
V4 API & Web Service 17 API security
V5 File Handling 14 File security
V6 Authentication 44 Identity verification
V7 Session Management 18 Session security
V8 Authorization 11 Access control
V9 Self-contained Tokens 7 JWT security
V10 OAuth & OIDC 50 OAuth/OIDC security
V11 Cryptography 32 Crypto implementation
V12 Secure Communications 13 TLS/transport
V13 Configuration 18 Secure config
V14 Data Protection 15 Data handling
V15 Secure Coding 20 Code quality
V16 Security Logging 19 Audit logging
V17 WebRTC 15 WebRTC security
Total 369

V1: Encoding and Sanitization (28 requirements)

Control Objective

Ensure the application correctly encodes and decodes data to prevent injection attacks.

Sections

  • V1.1 Encoding Architecture
  • V1.2 Injection Prevention
  • V1.3 Sanitization
  • V1.4 Memory/String Safety
  • V1.5 Safe Deserialization

Key Requirements

ID Level Requirement
V1.2.1 L1 Parameterized queries for all database operations
V1.2.2 L1 No string concatenation for SQL/NoSQL commands
V1.2.3 L1 OS command injection prevention
V1.3.1 L1 HTML output encoding
V1.5.1 L1 No unsafe deserialization (use JSON)

Detection Patterns

  • SQL string concatenation: "SELECT * FROM " + table
  • Command injection: shell invocation with user input
  • Unsafe deserialize: Python object serialization, PHP unserialize

V2: Validation and Business Logic (15 requirements)

Control Objective

Ensure input validation enforces business expectations and prevents logic bypass.

Sections

  • V2.1 Documentation
  • V2.2 Input Validation
  • V2.3 Business Logic Security
  • V2.4 Anti-automation

Key Requirements

ID Level Requirement
V2.2.1 L1 Server-side validation for all inputs
V2.2.2 L1 Allowlist validation preferred
V2.3.1 L1 Sequential step enforcement
V2.4.1 L2 Rate limiting on sensitive ops

Detection Patterns

  • Client-only validation: if (form.valid) without server check
  • Missing rate limiting: No throttle on login/register
  • Mass assignment: Accepting all form fields without filtering

V3: Web Frontend Security (32 requirements)

Control Objective

Protect browsers against common web attacks through proper headers and configurations.

Sections

  • V3.1 Documentation
  • V3.2 Content Interpretation
  • V3.3 Cookie Setup
  • V3.4 Security Headers
  • V3.5 Origin Separation
  • V3.6 External Resources
  • V3.7 Other Browser Security

Key Requirements

ID Level Requirement
V3.3.1 L1 Cookies: Secure, HttpOnly, SameSite
V3.4.1 L1 Content-Security-Policy header
V3.4.2 L1 X-Content-Type-Options: nosniff
V3.4.3 L1 Strict-Transport-Security (HSTS)
V3.6.1 L2 Subresource integrity for CDN scripts

Detection Patterns

  • Missing CSP: No Content-Security-Policy header
  • Insecure cookies: Missing Secure/HttpOnly flags
  • No HSTS: Missing Strict-Transport-Security

V4: API and Web Service (17 requirements)

Control Objective

Ensure API endpoints are secure against common attack patterns.

Sections

  • V4.1 Generic Web Service Security
  • V4.2 HTTP Message Validation
  • V4.3 GraphQL
  • V4.4 WebSocket

Key Requirements

ID Level Requirement
V4.1.1 L1 Content-Type header validation
V4.2.1 L2 HTTP request smuggling prevention
V4.3.1 L2 GraphQL query depth limiting
V4.3.2 L2 GraphQL introspection disabled in prod
V4.4.1 L2 WebSocket authentication

Detection Patterns

  • GraphQL introspection: introspectionQuery enabled
  • No depth limit: Unbounded GraphQL queries
  • Missing auth: WebSocket without handshake validation

V5: File Handling (14 requirements)

Control Objective

Handle files securely throughout upload, storage, and download lifecycle.

Sections

  • V5.1 Documentation
  • V5.2 File Upload
  • V5.3 File Storage
  • V5.4 File Download

Key Requirements

ID Level Requirement
V5.2.1 L1 File extension validation
V5.2.2 L1 Content-type validation
V5.2.3 L1 Upload size limits
V5.3.1 L1 Uploads cannot run as code
V5.4.1 L1 Path traversal prevention

Detection Patterns

  • No extension check: Accepting any file type
  • Path traversal: ../ in filenames not sanitized
  • Direct run: Uploads served from code directory

V6: Authentication (44 requirements)

Control Objective

Ensure robust authentication mechanisms protect user accounts.

Sections

  • V6.1 Documentation
  • V6.2 Password Security
  • V6.3 General Auth Security
  • V6.4 Factor Lifecycle
  • V6.5 Multi-factor Auth
  • V6.6 Out-of-Band Auth
  • V6.7 Cryptographic Auth
  • V6.8 Identity Provider Auth

Key Requirements

ID Level Requirement
V6.2.1 L1 Minimum 8 character passwords
V6.2.2 L1 64+ character max allowed
V6.2.3 L1 Password breach checking
V6.2.4 L1 Secure hashing (bcrypt/argon2)
V6.3.1 L1 Account lockout after failures
V6.5.1 L2 MFA for sensitive operations

Detection Patterns

  • Weak hashing: MD5/SHA1 for passwords
  • No lockout: Unlimited login attempts
  • Plain text: Passwords in logs/storage

V7: Session Management (18 requirements)

Control Objective

Ensure session tokens are generated, managed, and invalidated securely.

Sections

  • V7.1 Documentation
  • V7.2 Session Token Lifecycle
  • V7.3 Session Logout and Timeout
  • V7.4 Cookie-based Session Management

Key Requirements

ID Level Requirement
V7.2.1 L1 Cryptographically random session IDs
V7.2.2 L1 128+ bit entropy
V7.3.1 L1 Session invalidation on logout
V7.3.2 L2 Absolute session timeout
V7.4.1 L1 Cookie security attributes

Detection Patterns

  • Predictable IDs: Sequential or timestamp-based
  • No logout: Missing session invalidation
  • No timeout: Sessions never expire

V8: Authorization (11 requirements)

Control Objective

Ensure access control is enforced at all levels of the application.

Sections

  • V8.1 Documentation
  • V8.2 Application Access Control
  • V8.3 Directory Browsing and Resource Protection

Key Requirements

ID Level Requirement
V8.2.1 L1 Enforce access control on every request
V8.2.2 L1 IDOR prevention
V8.2.3 L1 Principle of least privilege
V8.3.1 L1 Directory listing disabled
V8.3.2 L1 Sensitive files not accessible

Detection Patterns

  • Missing IDOR check: Direct object access without ownership validation
  • Role bypass: Admin functions without role verification
  • Open directories: Index enabled on sensitive paths

V9: Self-contained Tokens (7 requirements)

Control Objective

Ensure JWT and similar tokens are implemented securely.

Sections

  • V9.1 Documentation
  • V9.2 Token Generation
  • V9.3 Token Verification

Key Requirements

ID Level Requirement
V9.2.1 L1 Strong algorithm (RS256/ES256)
V9.2.2 L1 No "none" algorithm
V9.3.1 L1 Signature verification
V9.3.2 L1 Expiration (exp) validation
V9.3.3 L2 Issuer (iss) validation

Detection Patterns

  • Weak algorithm: HS256 with weak secret
  • None algorithm: alg: "none" accepted
  • No expiry: Missing or ignored exp claim

V10: OAuth and OIDC (50 requirements)

Control Objective

Ensure OAuth 2.0 and OpenID Connect implementations follow security best practices.

Sections

  • V10.1 Documentation
  • V10.2 OAuth Client
  • V10.3 OAuth Authorization Server
  • V10.4 OAuth Resource Server
  • V10.5 OIDC Client
  • V10.6 OIDC Provider

Key Requirements

ID Level Requirement
V10.2.1 L1 PKCE for public clients
V10.2.2 L1 State parameter validation
V10.2.3 L1 No credentials in URLs
V10.3.1 L1 Redirect URI validation
V10.5.1 L2 ID token validation

Detection Patterns

  • Missing PKCE: Public clients without code_challenge
  • Open redirect: Insufficient redirect_uri validation
  • Token in URL: Access token exposed in query params

V11: Cryptography (32 requirements)

Control Objective

Ensure cryptographic implementations use secure algorithms and configurations.

Sections

  • V11.1 Documentation
  • V11.2 Key Management
  • V11.3 Random Values
  • V11.4 Symmetric Encryption
  • V11.5 Hashing and Hash-based Functions

Key Requirements

ID Level Requirement
V11.2.1 L1 Keys not in source code
V11.3.1 L1 CSPRNG for security-sensitive values
V11.4.1 L2 AES-GCM or ChaCha20-Poly1305
V11.5.1 L1 SHA-256+ for hashing
V11.5.2 L2 No MD5/SHA1

Detection Patterns

  • Hardcoded keys: secretKey = "..." in code
  • Weak PRNG: Math.random() for tokens
  • Deprecated crypto: DES, RC4, MD5 usage

V12: Secure Communications (13 requirements)

Control Objective

Ensure all communications use secure transport layer protocols.

Sections

  • V12.1 Documentation
  • V12.2 TLS Configuration
  • V12.3 Certificate Validation

Key Requirements

ID Level Requirement
V12.2.1 L1 TLS 1.2+ only
V12.2.2 L1 Strong cipher suites
V12.2.3 L2 Certificate pinning for mobile
V12.3.1 L1 Certificate validation enabled
V12.3.2 L1 No self-signed certs in prod

Detection Patterns

  • TLS disabled: verify=False, NODE_TLS_REJECT_UNAUTHORIZED=0
  • Weak TLS: SSLv3, TLS 1.0/1.1 enabled
  • Self-signed: Non-CA certs in production

V13: Configuration (18 requirements)

Control Objective

Ensure secure default configurations and proper secrets management.

Sections

  • V13.1 Documentation
  • V13.2 Build and Deployment Configuration
  • V13.3 Secrets Management
  • V13.4 Dependency Management

Key Requirements

ID Level Requirement
V13.2.1 L1 Debug disabled in production
V13.2.2 L1 Error details not exposed
V13.3.1 L1 Secrets not in version control
V13.3.2 L1 Secrets not in environment vars (prefer vault)
V13.4.1 L2 Dependency vulnerability scanning

Detection Patterns

  • Debug enabled: DEBUG=True in production
  • Secrets in git: API keys in committed files
  • Outdated deps: Known vulnerable packages

V14: Data Protection (15 requirements)

Control Objective

Ensure sensitive data is identified, classified, and protected appropriately.

Sections

  • V14.1 Documentation
  • V14.2 Data Classification
  • V14.3 Data at Rest
  • V14.4 Data in Transit

Key Requirements

ID Level Requirement
V14.2.1 L1 Sensitive data identified
V14.3.1 L2 PII encrypted at rest
V14.3.2 L2 Database encryption
V14.4.1 L1 Sensitive data over TLS only

Detection Patterns

  • Unencrypted PII: Plain text storage of personal data
  • No column encryption: Sensitive fields not encrypted
  • HTTP endpoints: Sensitive data sent over HTTP

V15: Secure Coding (20 requirements)

Control Objective

Ensure code follows secure development practices.

Sections

  • V15.1 Documentation
  • V15.2 Memory Safety
  • V15.3 Code Quality
  • V15.4 Dependency Management

Key Requirements

ID Level Requirement
V15.2.1 L1 Buffer overflow prevention
V15.3.1 L1 No unreachable code
V15.3.2 L2 Static analysis in CI
V15.4.1 L1 Known vulnerable deps addressed

Detection Patterns

  • Buffer issues: Unbounded array access
  • Dead code: Unreachable branches
  • Vulnerable deps: CVEs in dependencies

V16: Security Logging (19 requirements)

Control Objective

Ensure security events are logged with appropriate detail for incident response.

Sections

  • V16.1 Documentation
  • V16.2 Event Content
  • V16.3 Log Protection
  • V16.4 Error Handling

Key Requirements

ID Level Requirement
V16.2.1 L1 Authentication events logged
V16.2.2 L1 Authorization failures logged
V16.3.1 L2 No sensitive data in logs
V16.3.2 L2 Log injection prevention
V16.4.1 L1 Generic error messages to users

Detection Patterns

  • No auth logging: Login attempts not recorded
  • PII in logs: Passwords/tokens logged
  • Verbose errors: Stack traces to users

V17: WebRTC (15 requirements)

Control Objective

Ensure WebRTC implementations are secure.

Sections

  • V17.1 Documentation
  • V17.2 WebRTC Security

Key Requirements

ID Level Requirement
V17.2.1 L2 DTLS-SRTP encryption
V17.2.2 L2 ICE candidate restrictions
V17.2.3 L2 Signaling channel authentication
V17.2.4 L2 TURN server authentication

Detection Patterns

  • No encryption: Unencrypted media streams
  • Open signaling: Unauthenticated signaling server
  • ICE leaks: Exposing internal IPs

Feature-to-Chapter Mapping

Use this to select relevant chapters based on project features:

Project Feature Primary Chapters Secondary Chapters
authentication V6 V7, V11
oauth V10 V6, V9
file-upload V5 V1, V14
api V4 V1, V2, V8
graphql V4 V8
database V1, V2 V14
websockets V4, V12 V6
payments V12, V11 V6, V14
frontend V3 V1
logging V16 V14

External Resources

See Also

  • Skill: project-context - Detect project features for chapter selection
  • Skill: vulnerability-patterns - Language-specific vulnerability patterns
  • Skill: remediation-library - Fix patterns for findings