Merge pull request #1980 from OWASP/capec-asvs5-1

Mapping CAPEC to ASVS 5.0 for the Authorization suite

Author: sydseter

cornucopia.owasp.org/data/cards/webapp-cards-2.2-en/cryptography/CR7/explanation.md

@@ -20,7 +20,7 @@ Gunter targets an online service that uses encryption for data transmission. How
 
 The primary applicable STRIDE categories for this scenario is **Information Disclosure** and **Tampering**.
 
-Because Gunter can intercept and decrypt the data in transit due to weak protocol deployment, misconfigured SSL/TLS, or untrusted/invalid certificates. This is a confidentiality failure, but as he can also modify the encrypted data (MITM style, degrade the connection, or re-encrypt altered content), it also falls into **Tampering**.
+Because Gunter can intercept and decrypt the data in transit due to weak protocol deployment, misconfigured SSL/TLS, or untrusted/invalid certificates. This is a confidentiality failure, but as he can also modify the encrypted data (MITM style, degrade the connection, or re-encrypt altered content), it also falls into **Tampering**, finally, if cryptographic signatures is used and can be faked, the **Tampering** can also lead to **Spoofing**.
 
 ### What can go wrong?
 

resources/templates/owasp_cornucopia_webapp_ver_cards_tarot_lang.idml

@@ -318,7 +318,7 @@ suits:
     id: "CR7"
     value: "7"
     url: "https://cornucopia.owasp.org/cards/CR7"
-    desc: "Gunter can intercept or modify encrypted data in transit because the protocol is poorly deployed, or weakly configured, or certificates are invalid, or certificates are not trusted, or the connection can be degraded to a weaker or un-encrypted communication"
+    desc: "Gunter can intercept or modify encrypted and/or hashed data in transit because the protocol is poorly deployed, or weakly configured, or certificates are invalid, or certificates are not trusted, or the connection can be degraded to a weaker or un-encrypted communication"
   -
     id: "CR8"
     value: "8"

source/webapp-cards-3.0-en.yaml

@@ -207,7 +207,7 @@ suits:
     owasp_asvs: [ 5.2.1, 5.2.2, 5.3.4, 5.3.7, 5.3.8, 5.3.9, 5.3.10 ]
     owasp_asvs_print: [ 5.2.1, 5.2.2, 5.3.4, 5.3.7-10 ]
     owasp_appsensor: [ CIE1, CIE2 ]
-    capec: [ 19, 23, 28, 66, 83, 88, 93, 126, 136, 137, 153, 160, 183, 250, 253, 261, 664, 676 ]
+    capec: [ 19, 23, 28, 66, 83, 88, 93, 126, 136, 137, 153, 160, 183, 201, 250, 253, 261, 664, 676 ]
     safecode: [ 2, 19, 20 ]
     owasp_cre:
       owasp_asvs: [ 542-445, 538-446, 732-873, 531-558, 857-718, 547-283, 134-207 ]
@@ -668,7 +668,7 @@ suits:
     owasp_asvs: [ 4.1.3, 4.2.1, 5.1.5 ]
     owasp_asvs_print: [ 4.1.3, 4.2.1, 5.1.5 ]
     owasp_appsensor: [ "-" ]
-    capec: [ 94, 154, 161, 173, 240, 569 ]
+    capec: [ 62, 94, 154, 157, 173, 240, 481, 569 ]
     safecode: [ 8, 10, 11 ]
     owasp_cre:
       owasp_asvs: [ 368-633, 304-667, 232-217 ]
@@ -684,7 +684,7 @@ suits:
     owasp_asvs: [ 4.1.3, 4.1.5, 8.1.2, 8.2.1, 8.3.1, 8.3.4, 8.3.6, 8.3.8, 12.4.1 ]
     owasp_asvs_print: [ 4.1.3, 4.1.5, 8.1.2, 8.2.1, 8.3.1, 8.3.4, 8.3.6, 8.3.8, 12.4.1 ]
     owasp_appsensor: [ "-" ]
-    capec: [ 33, 69, 126, 213, 233 ]
+    capec: [ 30, 69, 126, 204, 234 ]
     safecode: [ 8, 10, 11 ]
     owasp_cre:
       owasp_asvs: [ 368-633, 166-151, 157-430, 473-758, 186-540, 227-045, 715-304, 268-272, 307-111 ]
@@ -700,7 +700,7 @@ suits:
     owasp_asvs: [ 4.1.5 ]
     owasp_asvs_print: [ 4.1.5 ]
     owasp_appsensor: [ "-" ]
-    capec: [ 122 ]
+    capec: [ 180 ]
     safecode: [ 8, 10, 11 ]
     owasp_cre:
       owasp_asvs: [ 166-151 ]
@@ -718,7 +718,7 @@ suits:
     owasp_asvs_print: [ 1.2.2, 4.1.1, 4.1.3, 4.2.1 ]
     owasp_appsensor: [ ACE1, ACE2, ACE3, ACE4, HT2 ]
     owasp_appsensor_print: [ ACE1-4, HT2 ]
-    capec: [ 13, 54, 58, 75, 87, 95, 122, 126, 143, 144, 149, 155, 203, 265 ]
+    capec: [ 54, 58, 75, 77, 87, 122, 126, 143, 144, 149, 155, 203, 268 ]
     safecode: [ 8, 10, 11, 13 ]
     owasp_cre:
       owasp_asvs: [ 278-413, 650-560, 368-633, 304-667 ]
@@ -752,7 +752,7 @@ suits:
     owasp_asvs_print: [ 4.1.3, 4.2.1 ]
     owasp_appsensor: [ ACE1, ACE2, ACE3, ACE4 ]
     owasp_appsensor_print: [ ACE1-4 ]
-    capec: [ 122, 212 ]
+    capec: [ 58, 122, 212 ]
     safecode: [ 8, 10, 11 ]
     owasp_cre:
       owasp_asvs: [ 368-633, 304-667 ]
@@ -768,7 +768,7 @@ suits:
     owasp_asvs: [ 4.1.2, 4.2.1, 4.3.3, 7.3.4, 11.1.1, 11.1.2 ]
     owasp_asvs_print: [ 4.1.2, 4.2.1, 4.3.3, 7.3.4, 11.1.1-2 ]
     owasp_appsensor: [ ACE3 ]
-    capec: [ 25, 31, 39, 74, 162, 166, 172, 207, 212, 240 ]
+    capec: [ 39, 74, 162, 166, 172, 207, 212 ]
     safecode: [ 8, 10, 11, 12 ]
     owasp_cre:
       owasp_asvs: [ 368-633, 304-667, 284-521, 770-361, 534-605, 456-535 ]
@@ -785,7 +785,7 @@ suits:
     owasp_asvs_print: [ 11.1.3-4 ]
     owasp_appsensor: [ AE3, FIO1, FIO2, UT2, UT3, UT4, STE1, STE2, STE3 ]
     owasp_appsensor_print: [ AE3, FIO1-2, UT2-4, STE1-3 ]
-    capec: [ 26, 29, 125, 212, 261, 469, 488 ]
+    capec: [ 26, 125, 130, 212, 227, 469 ]
     safecode: [ 1, 35 ]
     owasp_cre:
       owasp_asvs: [ 746-705, 630-573 ]
@@ -802,7 +802,7 @@ suits:
     owasp_asvs_print: [ 1.1.6, 4.1.1 ]
     owasp_appsensor: [ ACE1, ACE2, ACE3, ACE4 ]
     owasp_appsensor_print: [ ACE1-4 ]
-    capec: [ 36, 95, 121, 179, 554 ]
+    capec: [ 1, 22, 36, 95, 121, 179, 180 ]
     safecode: [ 8, 10, 11 ]
     owasp_cre:
       owasp_asvs: [ 344-611, 650-560 ]
@@ -818,7 +818,7 @@ suits:
     owasp_asvs: [ 4.1.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6 ]
     owasp_asvs_print: [ 4.1.2, 10.2.3-6 ]
     owasp_appsensor: [ "-" ]
-    capec: [ 75, 116, 122, 133, 176, 180, 203 ]
+    capec: [ 1, 11, 75, 116, 133, 176, 179, 180, 207 ]
     safecode: [ 8, 10, 11 ]
     owasp_cre:
       owasp_asvs: [ 368-633, 838-636, 418-525, 265-800, 154-031 ]
@@ -834,7 +834,7 @@ suits:
     owasp_asvs: [ 5.3.8 ]
     owasp_asvs_print: [ 5.3.8 ]
     owasp_appsensor: [ "-" ]
-    capec: [ 17, 23, 30, 35, 66, 69, 88, 122, 136, 233, 234, 242, 248, 250, 676 ]
+    capec: [ 35, 93, 122, 233, 242, 248 ]
     safecode: [ 8, 10, 11 ]
     owasp_cre:
       owasp_asvs: [ 857-718 ]
@@ -965,7 +965,7 @@ suits:
     owasp_asvs: [ 1.9.2, 6.2.7, 9.1.1, 9.2.1, 9.2.4, 14.4.5 ]
     owasp_asvs_print: [ 1.9.2, 6.2.7, 9.1.1, 9.2.1, 9.2.4, 14.4.5 ]
     owasp_appsensor: [ IE4 ]
-    capec: [ 31, 90, 94, 114, 117, 212, 216, 220, 272, 594, 620 ]
+    capec: [ 39, 94, 114, 145, 157, 216, 218, 220, 272, 594, 620 ]
     safecode: [ 14, 29, 30 ]
     owasp_cre:
       owasp_asvs: [ 530-671, 786-224, 745-045, 430-636, 537-367, '036-147' ]