This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

ASVS V16 Files and Resources

Revision as of 00:05, 6 November 2018 by Tonimir Kisasondi (talk | contribs) (Fixed table, made the content readable.)

Jump to: navigation, search

V16: File and Resources Verification Requirements

Control Objective

Ensure that a verified application satisfies the following high level requirements:

  • Untrusted file data should be handled accordingly and in a secure manner
  • Obtained from untrusted sources are stored outside the webroot and limited permissions.

Security Verification Requirements:

# Description L1 L2 L3
16.1 Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content. 2.0
16.2 Verify that untrusted file data submitted to the application is not used directly with file I/O commands, particularly to protect against path traversal, local file include, file mime type, reflective file download, and OS command injection vulnerabilities. 3.1
16.3 Verify that files obtained from untrusted sources are validated to be of expected type and scanned by antivirus scanners to prevent upload of known malicious content. 2.0
16.4 Verify that untrusted data is not used within inclusion, class loader, or reflection capabilities to prevent remote/local code execution vulnerabilities. 3.1
16.5 Verify that untrusted data is not used within cross-domain resource sharing (CORS) to protect against arbitrary remote content. 2.0
16.6 Verify that files obtained from untrusted sources are stored outside the webroot, with limited permissions, preferably with strong validation. 3.0
16.7 Verify that the web or application server is configured by default to deny access to remote resources or systems outside the web or application server. 2.0
16.8 Verify the application code does not execute uploaded data obtained from untrusted sources. 3.0
16.9 Verify that unsupported, insecure or deprecated client-side technologies are not used, such as NSAPI plugins, Flash, Shockwave, Active-X, Silverlight, NACL, or client-side Java applets. 3.1
16.10 Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header does not simply reflect the request's origin header or support the "null" origin. 3.1


For more information, see also: