ASVS V16 Files and Resources

1. V16: File and Resources Verification Requirements

1. 1. Control Objective

Ensure that a verified application satisfies the following high level requirements:

• Untrusted file data should be handled accordingly and in a secure manner
• Obtained from untrusted sources are stored outside the webroot and limited permissions.

1. 1. Security Verification Requirements

| # | Description | L1 | L2 | L3 | Since | | --- | --- | --- | --- | -- | -- | | **16.1** | Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content. | ✓ | ✓ | ✓ | 2.0 | | **16.2** | Verify that untrusted file data submitted to the application is not used directly with file I/O commands, particularly to protect against path traversal, local file include, file mime type, reflective file download, and OS command injection vulnerabilities. | ✓ | ✓ | ✓ | 3.1 | | **16.3** | Verify that files obtained from untrusted sources are validated to be of expected type and scanned by antivirus scanners to prevent upload of known malicious content. | ✓ | ✓ | ✓ | 2.0 | | **16.4** | Verify that untrusted data is not used within inclusion, class loader, or reflection capabilities to prevent remote/local code execution vulnerabilities. | ✓ | ✓ | ✓ | 3.1 | | **16.5** | Verify that untrusted data is not used within cross-domain resource sharing (CORS) to protect against arbitrary remote content. | ✓ | ✓ | ✓ | 2.0 | | **16.6** | Verify that files obtained from untrusted sources are stored outside the webroot, with limited permissions, preferably with strong validation. | | ✓ | ✓ | 3.0 | | **16.7** | Verify that the web or application server is configured by default to deny access to remote resources or systems outside the web or application server. | | ✓ | ✓ | 2.0 | | **16.8** | Verify the application code does not execute uploaded data obtained from untrusted sources. | ✓ | ✓ | ✓ | 3.0 | | **16.9** | Verify that unsupported, insecure or deprecated client-side technologies are not used, such as NSAPI plugins, Flash, Shockwave, Active-X, Silverlight, NACL, or client-side Java applets. | ✓ | ✓ | ✓ | 3.1 | | **16.10** | Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header does not simply reflect the request's origin header or support the "null" origin. | ✓ | ✓ | ✓ | 3.1 |

1. 1. References

For more information, see also:

• [File Extension Handling for Sensitive Information](https://www.owasp.org/index.php/Unrestricted_File_Upload)
• [Reflective file download by Oren Hatif](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/)