Difference between revisions of "ASVS V16 Files and Resources"
From OWASP
Revision as of 00:04, 6 November 2018
V16: File and Resources Verification Requirements
Control Objective
Ensure that a verified application satisfies the following high-level requirements:
- Untrusted file data should be handled accordingly and in a secure manner.
- Files obtained from untrusted sources are stored outside the webroot with limited permissions.
Security Verification Requirements
# | Description | L1 | L2 | L3 | Since |
---|---|---|---|---|---|
16.1 | Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content. | ✓ | ✓ | ✓ | 2.0 |
16.2 | Verify that untrusted file data submitted to the application is not used directly with file I/O commands, particularly to protect against path traversal, local file include, file mime type, reflective file download, and OS command injection vulnerabilities. | ✓ | ✓ | ✓ | 3.1 |
16.3 | Verify that files obtained from untrusted sources are validated to be of expected type and scanned by antivirus scanners to prevent upload of known malicious content. | ✓ | ✓ | ✓ | 2.0 |
16.4 | Verify that untrusted data is not used within inclusion, class loader, or reflection capabilities to prevent remote/local code execution vulnerabilities. | ✓ | ✓ | ✓ | 3.1 |
16.5 | Verify that untrusted data is not used within cross-domain resource sharing (CORS) to protect against arbitrary remote content. | ✓ | ✓ | ✓ | 2.0 |
16.6 | Verify that files obtained from untrusted sources are stored outside the webroot, with limited permissions, preferably with strong validation. | | ✓ | ✓ | 3.0 |
16.7 | Verify that the web or application server is configured by default to deny access to remote resources or systems outside the web or application server. | | ✓ | ✓ | 2.0 |
16.8 | Verify the application code does not execute uploaded data obtained from untrusted sources. | ✓ | ✓ | ✓ | 3.0 |
16.9 | Verify that unsupported, insecure or deprecated client-side technologies are not used, such as NSAPI plugins, Flash, Shockwave, Active-X, Silverlight, NACL, or client-side Java applets. | ✓ | ✓ | ✓ | 3.1 |
16.10 | Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header does not simply reflect the request's origin header or support the "null" origin. | ✓ | ✓ | ✓ | 3.1 |
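One way to satisfy 16.2 and 16.6 together when storing an upload, shown as an added example that is not part of the ASVS text. The extension allowlist, the directory arguments and the function names are assumptions for illustration; the extension check is not the type validation or antivirus scan that 16.3 asks for.

```python
import os
import secrets
from pathlib import Path

ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}  # assumption: types this app expects


class RejectedUpload(Exception):
    """Raised when an upload fails a storage check."""


def resolve_inside(base: Path, untrusted_name: str) -> Path:
    """Resolve an untrusted relative name under base, refusing escapes (16.2)."""
    if "\x00" in untrusted_name:
        raise RejectedUpload("NUL byte in file name")
    base = base.resolve()
    candidate = (base / untrusted_name).resolve()  # collapses ../ and symlinks
    if base not in candidate.parents:
        raise RejectedUpload(f"path escapes {base}: {untrusted_name!r}")
    return candidate


def store_upload(upload_dir: Path, webroot: Path, client_name: str, data: bytes) -> Path:
    """Write data under upload_dir with a server-chosen name and 0600 mode (16.6)."""
    upload_dir, webroot = upload_dir.resolve(), webroot.resolve()
    if upload_dir == webroot or webroot in upload_dir.parents:
        raise RejectedUpload("upload directory is inside the webroot")
    ext = Path(client_name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension not allowed: {ext!r}")
    # The client-supplied name only contributes its allowlisted extension.
    target = resolve_inside(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL refuses to overwrite an existing file; 0o600 is owner read/write only.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return target
```
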
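Requirements 16.5 and 16.10 can be checked mechanically against whatever function computes the CORS response headers. The following added example (not part of the ASVS text) pairs an exact-match allowlist policy with a verifier that probes for origin reflection and `null` support; the origins and all function names are hypothetical.

```python
from typing import Callable, Dict, List, Optional

ACAO = "Access-Control-Allow-Origin"
# Hypothetical allowlist: full origins, compared as exact strings.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})

Policy = Callable[[Optional[str]], Dict[str, str]]


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Allowlist policy: echo the origin only when it is an exact allowlist member."""
    if request_origin is None:
        return {}  # not a cross-origin request
    headers = {"Vary": "Origin"}  # keep caches from mixing per-origin responses
    if request_origin != "null" and request_origin in ALLOWED_ORIGINS:
        headers[ACAO] = request_origin
    return headers


def reflecting_policy(request_origin: Optional[str]) -> Dict[str, str]:
    """The pattern 16.10 forbids: the request's Origin is copied back unchecked."""
    return {ACAO: request_origin} if request_origin else {}


def verify_16_10(policy: Policy) -> List[str]:
    """Probe a policy with constructed origins and list 16.10 violations."""
    findings = []
    probes = [
        "https://unlisted.invalid",               # arbitrary origin
        "https://app.example.com.evil.invalid",   # allowlisted name as a prefix
    ]
    if any(policy(p).get(ACAO) == p for p in probes):
        findings.append("reflects unlisted Origin")
    if policy("null").get(ACAO) == "null":
        findings.append("allows null origin")
    return findings
```
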
References
For more information, see also:
- [File Extension Handling for Sensitive Information](https://www.owasp.org/index.php/Unrestricted_File_Upload)
- [Reflective file download by Oren Hafif](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/)