This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ASVS V16 Files and Resources"
From OWASP
(Fixed table, made the content readable.) (Tag: Visual edit) |
|||
| Line 1: | Line 1: | ||
| − | V16: File and Resources Verification Requirements | + | == V16: File and Resources Verification Requirements == |
| − | + | '''Control Objective''' | |
| − | Control Objective | ||
Ensure that a verified application satisfies the following high level requirements: | Ensure that a verified application satisfies the following high level requirements: | ||
| Line 9: | Line 8: | ||
| − | Security Verification Requirements | + | '''Security Verification Requirements:''' |
{| class="wikitable" | {| class="wikitable" | ||
| Line 35: | Line 34: | ||
|} | |} | ||
| − | + | '''References:''' | |
| − | References | ||
For more information, see also: | For more information, see also: | ||
Revision as of 00:05, 6 November 2018
V16: File and Resources Verification Requirements
Control Objective
Ensure that a verified application satisfies the following high level requirements:
- Untrusted file data should be handled accordingly and in a secure manner
- Obtained from untrusted sources are stored outside the webroot and limited permissions.
Security Verification Requirements:
| # | Description | L1 | L2 | L3 | |
|---|---|---|---|---|---|
| 16.1 | Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content. | ✓ | ✓ | ✓ | 2.0 |
| 16.2 | Verify that untrusted file data submitted to the application is not used directly with file I/O commands, particularly to protect against path traversal, local file include, file mime type, reflective file download, and OS command injection vulnerabilities. | ✓ | ✓ | ✓ | 3.1 |
| 16.3 | Verify that files obtained from untrusted sources are validated to be of expected type and scanned by antivirus scanners to prevent upload of known malicious content. | ✓ | ✓ | ✓ | 2.0 |
| 16.4 | Verify that untrusted data is not used within inclusion, class loader, or reflection capabilities to prevent remote/local code execution vulnerabilities. | ✓ | ✓ | ✓ | 3.1 |
| 16.5 | Verify that untrusted data is not used within cross-domain resource sharing (CORS) to protect against arbitrary remote content. | ✓ | ✓ | ✓ | 2.0 |
| 16.6 | Verify that files obtained from untrusted sources are stored outside the webroot, with limited permissions, preferably with strong validation. | ✓ | ✓ | 3.0 | |
| 16.7 | Verify that the web or application server is configured by default to deny access to remote resources or systems outside the web or application server. | ✓ | ✓ | 2.0 | |
| 16.8 | Verify the application code does not execute uploaded data obtained from untrusted sources. | ✓ | ✓ | ✓ | 3.0 |
| 16.9 | Verify that unsupported, insecure or deprecated client-side technologies are not used, such as NSAPI plugins, Flash, Shockwave, Active-X, Silverlight, NACL, or client-side Java applets. | ✓ | ✓ | ✓ | 3.1 |
| 16.10 | Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header does not simply reflect the request's origin header or support the "null" origin. | ✓ | ✓ | ✓ | 3.1 |
References:
For more information, see also:
- [File Extension Handling for Sensitive Information](https://www.owasp.org/index.php/Unrestricted_File_Upload)
- [Reflective file download by Oren Hatif](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/)
