How to configure Compliance Policy in TeamServer for ASVS (OWASP Application Security Verification Standard) version 3.0.1


The command below creates a Compliance Policy in TeamServer for ASVS version 3.0.1, covering the Contrast Assess rules that map to that standard. The policy is named "ASVS" and, because the request body sets "all_applications" to true, it is enabled by default for every application in the organization.

Prerequisites:

  • The curl utility is installed.
  • Set the four variables $CONTRAST_URL, $ORG_UUID, $AUTH_HEADER and $API_KEY to the values for your environment (the TeamServer URL, your organization UUID, and your account keys). Either export them in your shell or substitute the values directly into the command. The value of $AUTH_HEADER is the Base64 encoding of your username and service key joined as username:service_key, the same Authorization value every TeamServer API call uses.
    • In the Linux/macOS command below, the URL and the two credential headers are in double quotes so that the shell expands the variables; the JSON body is in single quotes, which lets the double quotes inside it pass through unescaped, and it contains nothing the shell needs to expand.

curl -X POST \
  "$CONTRAST_URL/api/ng/$ORG_UUID/policy/compliance?expand=skip_links/" \
  -H "Authorization: $AUTH_HEADER" \
  -H "API-Key: $API_KEY" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{"name":"ASVS","all_applications":true,"application_importance":[],"applications":[],"all_rules":false,"rule_severities":[],"rules":["cache-controls-missing","cookie-flags-missing","unvalidated-forward","escape-templates-off","cache-control-disabled","cmd-injection","reflected-xss","csrf","custom-errors-off","session-regenerate","expression-language-injection","autocomplete-missing","hardcoded-key","hardcoded-password","header-injection","hql-injection","http-only-disabled","crypto-bad-ciphers","crypto-bad-mac","insecure-socket-factory","ldap-injection","log-injection","nosql-injection","nosql-injection-dynamodb","session-timeout","overly-permissive-cross-domain-policy","clickjacking-control-missing","parameter-pollution","path-traversal","rails-http-only-disabled","reflection-injection","redos","request-validation-disabled","request-validation-control-disabled","csp-header-insecure","hsts-header-missing","xxssprotection-header-disabled","csp-header-missing","xcontenttype-header-missing","ssrf","httponly","secure-flag-missing","session-rewriting","smtp-injection","sql-injection","stored-xss","trace-enabled","trace-enabled-aspx","trust-boundary-violation","spring-unchecked-autobinding","plaintext-conn-strings","unsafe-code-execution","unsafe-xml-decode","untrusted-deserialization","unvalidated-redirect","unsafe-readline","verb-tampering","x-powered-by-header","version-header-enabled","crypto-weak-randomness","xxe","xpath-injection"],"standards":[]}'

Example for Windows (cmd.exe). This is a bit tricky because cmd.exe has no single-quoted strings: the JSON body must be wrapped in double quotes, and every quotation mark inside it escaped as \". Copy the snippet into a plain text editor, substitute your values, and paste it back as a single line. Environment variables in cmd.exe are written as %CONTRAST_URL% rather than $CONTRAST_URL, so the command below uses that form. In Windows PowerShell, curl is an alias for Invoke-WebRequest, so run curl.exe explicitly there.

curl -X POST "%CONTRAST_URL%/api/ng/%ORG_UUID%/policy/compliance?expand=skip_links/" -H "Authorization: %AUTH_HEADER%" -H "API-Key: %API_KEY%" -H "Accept: application/json" -H "Content-Type: application/json" -d "{\"name\":\"ASVS\",\"all_applications\":true,\"application_importance\":[],\"applications\":[],\"all_rules\":false,\"rule_severities\":[],\"rules\":[\"cache-controls-missing\",\"cookie-flags-missing\",\"unvalidated-forward\",\"escape-templates-off\",\"cache-control-disabled\",\"cmd-injection\",\"reflected-xss\",\"csrf\",\"custom-errors-off\",\"session-regenerate\",\"expression-language-injection\",\"autocomplete-missing\",\"hardcoded-key\",\"hardcoded-password\",\"header-injection\",\"hql-injection\",\"http-only-disabled\",\"crypto-bad-ciphers\",\"crypto-bad-mac\",\"insecure-socket-factory\",\"ldap-injection\",\"log-injection\",\"nosql-injection\",\"nosql-injection-dynamodb\",\"session-timeout\",\"overly-permissive-cross-domain-policy\",\"clickjacking-control-missing\",\"parameter-pollution\",\"path-traversal\",\"rails-http-only-disabled\",\"reflection-injection\",\"redos\",\"request-validation-disabled\",\"request-validation-control-disabled\",\"csp-header-insecure\",\"hsts-header-missing\",\"xxssprotection-header-disabled\",\"csp-header-missing\",\"xcontenttype-header-missing\",\"ssrf\",\"httponly\",\"secure-flag-missing\",\"session-rewriting\",\"smtp-injection\",\"sql-injection\",\"stored-xss\",\"trace-enabled\",\"trace-enabled-aspx\",\"trust-boundary-violation\",\"spring-unchecked-autobinding\",\"plaintext-conn-strings\",\"unsafe-code-execution\",\"unsafe-xml-decode\",\"untrusted-deserialization\",\"unvalidated-redirect\",\"unsafe-readline\",\"verb-tampering\",\"x-powered-by-header\",\"version-header-enabled\",\"crypto-weak-randomness\",\"xxe\",\"xpath-injection\"],\"standards\":[]}"
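The one-line curl call above is easy to mistype and gives no indication of whether TeamServer accepted the policy. The script below is an added example, not code from the Contrast article or from Contrast: it wraps the same POST in a POSIX shell script that refuses to run unless all four variables are set, builds the JSON body from a plain list of rule names so a single bad rule cannot break the quoting of the whole body, and fails with a non-zero exit status when the response is not 2xx. The API path, header names and rule names are the article's; POLICY_NAME, the --create flag, the trailing-slash trimming on $CONTRAST_URL and the exit codes are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Contrast article: a wrapper around the article's
# curl call that refuses to run with missing credentials, builds the JSON body
# from a list of rule names, and fails on a non-2xx response. The API path,
# header names and rule names are the ones the article uses; POLICY_NAME, the
# --create flag and the exit codes are this script's own assumptions.
set -eu

POLICY_NAME="ASVS"   # the article names its policy "ASVS"

# Contrast Assess rule names from the article, whitespace separated.
ASVS_RULES="
cache-controls-missing cookie-flags-missing unvalidated-forward escape-templates-off
cache-control-disabled cmd-injection reflected-xss csrf custom-errors-off
session-regenerate expression-language-injection autocomplete-missing hardcoded-key
hardcoded-password header-injection hql-injection http-only-disabled crypto-bad-ciphers
crypto-bad-mac insecure-socket-factory ldap-injection log-injection nosql-injection
nosql-injection-dynamodb session-timeout overly-permissive-cross-domain-policy
clickjacking-control-missing parameter-pollution path-traversal rails-http-only-disabled
reflection-injection redos request-validation-disabled request-validation-control-disabled
csp-header-insecure hsts-header-missing xxssprotection-header-disabled csp-header-missing
xcontenttype-header-missing ssrf httponly secure-flag-missing session-rewriting
smtp-injection sql-injection stored-xss trace-enabled trace-enabled-aspx
trust-boundary-violation spring-unchecked-autobinding plaintext-conn-strings
unsafe-code-execution unsafe-xml-decode untrusted-deserialization unvalidated-redirect
unsafe-readline verb-tampering x-powered-by-header version-header-enabled
crypto-weak-randomness xxe xpath-injection
"

# Return 1 if any named variable is unset or empty, naming each missing one on stderr.
require_vars() {
  missing=0
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "error: $v is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Number of whitespace-separated rule names in $1.
rule_count() {
  set -- $1
  echo "$#"
}

# Emit the JSON body the article posts, with "rules" built from the names in $2.
build_policy_json() {
  name=$1
  rules=""
  for r in $2; do
    rules="${rules:+$rules,}\"$r\""
  done
  printf '{"name":"%s","all_applications":true,"application_importance":[],"applications":[],"all_rules":false,"rule_severities":[],"rules":[%s],"standards":[]}' \
    "$name" "$rules"
}

# POST the policy; print the response and return non-zero unless TeamServer answers 2xx.
create_policy() {
  require_vars CONTRAST_URL ORG_UUID AUTH_HEADER API_KEY
  body=$(build_policy_json "$POLICY_NAME" "$ASVS_RULES")
  resp=$(mktemp)
  # ${CONTRAST_URL%/} tolerates a base URL given with a trailing slash.
  status=$(curl -sS -o "$resp" -w '%{http_code}' -X POST \
    "${CONTRAST_URL%/}/api/ng/${ORG_UUID}/policy/compliance?expand=skip_links/" \
    -H "Authorization: ${AUTH_HEADER}" \
    -H "API-Key: ${API_KEY}" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    --data "$body") || status="000"   # 000: curl itself failed (DNS, TLS, refused)
  cat "$resp"
  rm -f "$resp"
  case "$status" in
    2??) echo "policy '$POLICY_NAME' created (HTTP $status)" ;;
    *)   echo "request failed (HTTP $status)" >&2; return 1 ;;
  esac
}

# Only talk to TeamServer when asked, so the functions can be sourced and checked offline.
if [ "${1:-}" = "--create" ]; then
  create_policy
fi
```

Run it as `sh create_asvs_policy.sh --create` after exporting the four variables; without the flag it only defines the functions, which is what lets you source it and inspect `build_policy_json "ASVS" "$ASVS_RULES"` before anything is sent. Keeping the rule names in a list rather than inside the JSON literal also makes it straightforward to add or remove a rule when the ASVS mapping changes.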
