OWASP ASVS

Summary

The OWASP Application Security Verification Standard (ASVS) project provides a basis for testing the technical security controls of web applications and also gives developers a list of requirements for secure development. The version used in this section is OWASP ASVS v4.0.3. The table below maps each ASVS requirement (written with underscores, e.g. 1_1_1 for ASVS V1.1.1, followed by the name of its ASVS section) to the Fluid Attacks requirements that cover it.

Definitions

| Definition | Requirements |
| --- | --- |
| 1_1_1. Secure Software Development Lifecycle | 331. Guarantee legal compliance |
| 1_2_1. Authentication architecture | 096. Set user's required privileges; 186. Use the principle of least privilege |
| 1_2_2. Authentication architecture | 186. Use the principle of least privilege; 228. Authenticate using standard protocols |
| 1_2_3. Authentication architecture | 264. Request authentication |
| 1_2_4. Authentication architecture | 328. Request MFA for critical systems |
| 1_4_1. Access control architecture | 265. Restrict access to critical processes; 320. Avoid client-side control enforcement |
| 1_5_2. Input and output architecture | 321. Avoid deserializing untrusted data |
| 1_5_3. Input and output architecture | 173. Discard unsafe inputs |
| 1_5_4. Input and output architecture | 160. Encode system outputs |
| 1_6_2. Cryptographic architecture | 145. Protect system cryptographic keys |
| 1_6_3. Cryptographic architecture | 361. Replace cryptographic keys |
| 1_6_4. Cryptographic architecture | 145. Protect system cryptographic keys |
| 1_7_2. Errors, logging and auditing architecture | 378. Use of log management system |
| 1_8_2. Data protection and privacy architecture | 026. Encrypt client-side session information; 185. Encrypt sensitive information; 329. Keep client-side storage without sensitive data |
| 1_9_1. Communications architecture | 147. Use pre-existent mechanisms; 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms |
| 1_9_2. Communications architecture | 336. Disable insecure TLS versions |
| 1_12_2. Secure File Upload Architecture | 349. Include HTTP security headers |
| 1_14_5. Configuration architecture | 321. Avoid deserializing untrusted data; 374. Use of isolation methods in running applications |
| 1_14_6. Configuration architecture | 262. Verify third-party components |
| 2_1_1. Password security | 133. Passwords with at least 20 characters |
| 2_1_2. Password security | 132. Passphrases with at least 4 words |
| 2_1_3. Password security | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 2_1_4. Password security | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 2_1_5. Password security | 126. Set a password regeneration mechanism |
| 2_1_6. Password security | 141. Force re-authentication |
| 2_1_7. Password security | 332. Prevent the use of breached passwords |
| 2_1_8. Password security | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 2_1_9. Password security | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 2_1_10. Password security | 129. Validate previous passwords |
| 2_2_1. General authenticator security | 237. Ascertain human interaction |
| 2_2_2. General authenticator security | 153. Out of band transactions; 231. Implement a biometric verification component |
| 2_2_3. General authenticator security | 153. Out of band transactions |
| 2_2_4. General authenticator security | 328. Request MFA for critical systems |
| 2_2_6. General authenticator security | 139. Set minimum OTP length; 140. Define OTP lifespan; 347. Invalidate previous OTPs |
| 2_2_7. General authenticator security | 153. Out of band transactions; 231. Implement a biometric verification component |
| 2_3_1. Authenticator lifecycle | 138. Define lifespan for temporary passwords; 367. Proper generation of temporary passwords |
| 2_3_2. Authenticator lifecycle | 153. Out of band transactions; 231. Implement a biometric verification component |
| 2_4_1. Credential storage | 127. Store hashed passwords; 134. Store passwords with salt; 150. Set minimum size for hash functions |
| 2_4_2. Credential storage | 135. Passwords with random salt |
| 2_4_3. Credential storage | 127. Store hashed passwords |
| 2_4_4. Credential storage | 127. Store hashed passwords |
| 2_4_5. Credential storage | 135. Passwords with random salt |
| 2_5_1. Credential recovery | 126. Set a password regeneration mechanism |
| 2_5_2. Credential recovery | 334. Avoid knowledge-based authentication |
| 2_5_3. Credential recovery | 238. Establish safe recovery |
| 2_5_4. Credential recovery | 142. Change system default credentials |
| 2_5_5. Credential recovery | 301. Notify configuration changes |
| 2_5_6. Credential recovery | 140. Define OTP lifespan; 238. Establish safe recovery |
| 2_6_1. Look-up secret verifier | 131. Deny multiple password changing attempts |
| 2_6_2. Look-up secret verifier | 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms |
| 2_6_3. Look-up secret verifier | 126. Set a password regeneration mechanism; 238. Establish safe recovery |
| 2_7_1. Out of band verifier | 153. Out of band transactions |
| 2_7_2. Out of band verifier | 335. Define out of band token lifespan |
| 2_7_3. Out of band verifier | 335. Define out of band token lifespan |
| 2_7_4. Out of band verifier | 338. Implement perfect forward secrecy |
| 2_7_6. Out of band verifier | 223. Uniform distribution in random numbers |
| 2_8_1. One time verifier | 140. Define OTP lifespan |
| 2_8_2. One time verifier | 232. Require equipment identity |
| 2_8_3. One time verifier | 147. Use pre-existent mechanisms |
| 2_8_4. One time verifier | 347. Invalidate previous OTPs |
| 2_8_5. One time verifier | 377. Store logs based on valid regulation |
| 2_8_6. One time verifier | 141. Force re-authentication |
| 2_8_7. One time verifier | 231. Implement a biometric verification component |
| 2_9_1. Cryptographic verifier | 145. Protect system cryptographic keys |
| 2_9_3. Cryptographic verifier | 224. Use secure cryptographic mechanisms |
| 2_10_2. Service authentication | 142. Change system default credentials |
| 2_10_3. Service authentication | 134. Store passwords with salt |
| 2_10_4. Service authentication | 156. Source code without sensitive information |
| 3_1_1. Fundamental session management security | 037. Parameters without sensitive data |
| 3_2_1. Session binding | 030. Avoid object reutilization |
| 3_2_2. Session binding | 224. Use secure cryptographic mechanisms |
| 3_2_3. Session binding | 029. Cookies with security attributes |
| 3_2_4. Session binding | 224. Use secure cryptographic mechanisms |
| 3_3_1. Session termination | 030. Avoid object reutilization |
| 3_3_2. Session termination | 141. Force re-authentication |
| 3_3_3. Session termination | 028. Allow users to log out; 141. Force re-authentication |
| 3_3_4. Session termination | 028. Allow users to log out |
| 3_4_1. Cookie-based session management | 029. Cookies with security attributes |
| 3_4_2. Cookie-based session management | 029. Cookies with security attributes |
| 3_4_3. Cookie-based session management | 029. Cookies with security attributes |
| 3_4_4. Cookie-based session management | 029. Cookies with security attributes |
| 3_4_5. Cookie-based session management | 029. Cookies with security attributes; 031. Discard user session data |
| 3_5_2. Token-based session management | 357. Use stateless session tokens |
| 3_5_3. Token-based session management | 357. Use stateless session tokens |
| 3_7_1. Defenses against session management exploits | 319. Make authentication options equally secure |
| 4_1_1. General access control design | 096. Set user's required privileges; 341. Use the principle of deny by default |
| 4_1_2. General access control design | 026. Encrypt client-side session information; 096. Set user's required privileges |
| 4_1_3. General access control design | 186. Use the principle of least privilege |
| 4_1_5. General access control design | 359. Avoid using generic exceptions |
| 4_2_1. Operation level access control | 176. Restrict system objects |
| 4_2_2. Operation level access control | 030. Avoid object reutilization; 031. Discard user session data; 141. Force re-authentication |
| 4_3_1. Other access control considerations | 122. Validate credential ownership; 153. Out of band transactions; 176. Restrict system objects; 229. Request access credentials; 231. Implement a biometric verification component; 264. Request authentication; 266. Disable insecure functionalities; 319. Make authentication options equally secure; 328. Request MFA for critical systems |
| 5_1_1. Input validation | 342. Validate request parameters |
| 5_1_2. Input validation | 237. Ascertain human interaction; 327. Set a rate limit |
| 5_1_3. Input validation | 342. Validate request parameters |
| 5_1_4. Input validation | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 5_1_5. Input validation | 324. Control redirects |
| 5_2_1. Sanitization and sandboxing | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 5_2_2. Sanitization and sandboxing | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 5_2_3. Sanitization and sandboxing | 115. Filter malicious emails; 118. Inspect attachments; 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 5_2_4. Sanitization and sandboxing | 344. Avoid dynamic code execution |
| 5_2_5. Sanitization and sandboxing | 173. Discard unsafe inputs; 176. Restrict system objects; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 5_2_6. Sanitization and sandboxing | 173. Discard unsafe inputs; 324. Control redirects |
| 5_2_7. Sanitization and sandboxing | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 5_2_8. Sanitization and sandboxing | 050. Control calls to interpreted code; 374. Use of isolation methods in running applications |
| 5_3_1. Output encoding and injection prevention | 160. Encode system outputs |
| 5_3_2. Output encoding and injection prevention | 044. Define an explicit charset |
| 5_3_3. Output encoding and injection prevention | 173. Discard unsafe inputs; 342. Validate request parameters |
| 5_3_4. Output encoding and injection prevention | 169. Use parameterized queries |
| 5_3_5. Output encoding and injection prevention | 169. Use parameterized queries; 173. Discard unsafe inputs; 342. Validate request parameters |
| 5_3_6. Output encoding and injection prevention | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 5_3_7. Output encoding and injection prevention | 173. Discard unsafe inputs |
| 5_3_8. Output encoding and injection prevention | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 5_3_9. Output encoding and injection prevention | 348. Use consistent encoding |
| 5_3_10. Output encoding and injection prevention | 173. Discard unsafe inputs |
| 5_4_1. Memory, string, and unmanaged code | 158. Use a secure programming language; 164. Use optimized structures; 173. Discard unsafe inputs |
| 5_4_2. Memory, string, and unmanaged code | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 5_4_3. Memory, string, and unmanaged code | 345. Establish protections against overflows |
| 5_5_1. Deserialization prevention | 321. Avoid deserializing untrusted data |
| 5_5_2. Deserialization prevention | 157. Use the strict mode |
| 5_5_3. Deserialization prevention | 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data |
| 5_5_4. Deserialization prevention | 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data; 344. Avoid dynamic code execution |
| 6_1_1. Data classification | 185. Encrypt sensitive information |
| 6_1_2. Data classification | 185. Encrypt sensitive information |
| 6_1_3. Data classification | 185. Encrypt sensitive information |
| 6_2_1. Algorithms | 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption; 150. Set minimum size for hash functions; 181. Transmit data using secure protocols |
| 6_2_2. Algorithms | 147. Use pre-existent mechanisms |
| 6_2_3. Algorithms | 346. Use initialization vectors once |
| 6_2_4. Algorithms | 223. Uniform distribution in random numbers |
| 6_2_5. Algorithms | 148. Set minimum size of asymmetric encryption; 150. Set minimum size for hash functions |
| 6_2_6. Algorithms | 346. Use initialization vectors once |
| 6_2_7. Algorithms | 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption; 150. Set minimum size for hash functions; 181. Transmit data using secure protocols |
| 6_2_8. Algorithms | 224. Use secure cryptographic mechanisms |
| 6_3_1. Random values | 223. Uniform distribution in random numbers |
| 6_3_2. Random values | 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms |
| 6_3_3. Random values | 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms |
| 6_4_1. Secret management | 145. Protect system cryptographic keys; 380. Define a password management tool |
| 6_4_2. Secret management | 156. Source code without sensitive information; 380. Define a password management tool |
| 7_1_1. Log content | 083. Avoid logging sensitive data |
| 7_1_2. Log content | 377. Store logs based on valid regulation |
| 7_1_3. Log content | 075. Record exceptional events in logs |
| 7_1_4. Log content | 322. Avoid excessive logging |
| 7_2_2. Log processing | 075. Record exceptional events in logs; 378. Use of log management system |
| 7_2_4. Log processing | 083. Avoid logging sensitive data |
| 7_3_1. Log protection | 080. Prevent log modification; 173. Discard unsafe inputs |
| 7_3_3. Log protection | 080. Prevent log modification |
| 7_3_4. Log protection | 079. Record exact occurrence time of events |
| 7_4_1. Error handling | 075. Record exceptional events in logs |
| 7_4_2. Error handling | 075. Record exceptional events in logs; 079. Record exact occurrence time of events |
| 7_4_3. Error handling | 378. Use of log management system |
| 8_1_1. General data protection | 266. Disable insecure functionalities |
| 8_1_2. General data protection | 177. Avoid caching and temporary files |
| 8_1_3. General data protection | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 8_1_4. General data protection | 075. Record exceptional events in logs; 378. Use of log management system |
| 8_2_1. Client-side data protection | 329. Keep client-side storage without sensitive data; 375. Remove sensitive data from client-side applications |
| 8_3_1. Sensitive private data | 349. Include HTTP security headers |
| 8_3_2. Sensitive private data | 317. Allow erasure requests |
| 8_3_3. Sensitive private data | 189. Specify the purpose of data collection |
| 8_3_4. Sensitive private data | 315. Provide processed data information |
| 8_3_5. Sensitive private data | 323. Exclude unverifiable files |
| 8_3_6. Sensitive private data | 350. Enable memory protection mechanisms |
| 8_3_7. Sensitive private data | 147. Use pre-existent mechanisms |
| 9_1_1. Client communication security | 336. Disable insecure TLS versions |
| 9_1_2. Client communication security | 181. Transmit data using secure protocols; 336. Disable insecure TLS versions |
| 9_1_3. Client communication security | 336. Disable insecure TLS versions |
| 9_2_1. Server communication security | 091. Use internally signed certificates; 092. Use externally signed certificates |
| 9_2_2. Server communication security | 181. Transmit data using secure protocols |
| 9_2_3. Server communication security | 176. Restrict system objects; 264. Request authentication |
| 10_1_1. Code integrity | 155. Application free of malicious code |
| 10_2_1. Malicious code search | 041. Scan files for malicious code; 155. Application free of malicious code |
| 10_2_3. Malicious code search | 154. Eliminate backdoors |
| 10_2_4. Malicious code search | 262. Verify third-party components |
| 10_2_5. Malicious code search | 262. Verify third-party components |
| 10_2_6. Malicious code search | 041. Scan files for malicious code; 155. Application free of malicious code |
| 10_3_1. Application integrity | 088. Request client certificates; 090. Use valid certificates; 093. Use consistent certificates; 178. Use digital signatures |
| 10_3_2. Application integrity | 178. Use digital signatures; 262. Verify third-party components; 330. Verify Subresource Integrity |
| 10_3_3. Application integrity | 266. Disable insecure functionalities |
| 11_1_1. Business logic security | 337. Make critical logic flows thread safe |
| 11_1_2. Business logic security | 072. Set maximum response time; 327. Set a rate limit |
| 11_1_3. Business logic security | 072. Set maximum response time; 327. Set a rate limit |
| 11_1_4. Business logic security | 039. Define maximum file size; 043. Define an explicit content type; 072. Set maximum response time; 327. Set a rate limit |
| 12_1_1. File upload | 039. Define maximum file size |
| 12_1_2. File upload | 039. Define maximum file size; 042. Validate file format |
| 12_1_3. File upload | 039. Define maximum file size |
| 12_2_1. File integrity | 340. Use octet stream downloads |
| 12_3_1. File execution | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 12_3_2. File execution | 173. Discard unsafe inputs; 176. Restrict system objects |
| 12_3_3. File execution | 348. Use consistent encoding |
| 12_3_4. File execution | 043. Define an explicit content type; 062. Define standard configurations; 266. Disable insecure functionalities; 349. Include HTTP security headers |
| 12_3_5. File execution | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 12_3_6. File execution | 266. Disable insecure functionalities; 340. Use octet stream downloads |
| 12_4_1. File storage | 339. Avoid storing sensitive files in the web root |
| 12_4_2. File storage | 118. Inspect attachments |
| 12_5_1. File download | 040. Compare file format and extension |
| 12_5_2. File download | 040. Compare file format and extension; 042. Validate file format; 043. Define an explicit content type |
| 12_6_1. SSRF protection | 173. Discard unsafe inputs; 324. Control redirects |
| 13_1_1. Generic web service security | 348. Use consistent encoding |
| 13_1_3. Generic web service security | 261. Avoid exposing sensitive information |
| 13_1_5. Generic web service security | 062. Define standard configurations; 349. Include HTTP security headers |
| 13_2_1. RESTful web service | 266. Disable insecure functionalities |
| 13_2_2. RESTful web service | 342. Validate request parameters |
| 13_2_3. RESTful web service | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern |
| 13_2_5. RESTful web service | 062. Define standard configurations; 266. Disable insecure functionalities; 349. Include HTTP security headers |
| 13_2_6. RESTful web service | 181. Transmit data using secure protocols; 336. Disable insecure TLS versions |
| 13_3_1. SOAP web service | 173. Discard unsafe inputs |
| 13_3_2. SOAP web service | 228. Authenticate using standard protocols |
| 13_4_1. GraphQL | 077. Avoid disclosing technical information; 176. Restrict system objects; 264. Request authentication |
| 14_1_1. Build and deploy | 051. Store source code in a repository; 062. Define standard configurations |
| 14_1_2. Build and deploy | 157. Use the strict mode; 158. Use a secure programming language; 164. Use optimized structures |
| 14_1_3. Build and deploy | 266. Disable insecure functionalities |
| 14_1_4. Build and deploy | 062. Define standard configurations |
| 14_1_5. Build and deploy | 228. Authenticate using standard protocols; 229. Request access credentials; 235. Define credential interface; 264. Request authentication |
| 14_2_1. Dependency | 302. Declare dependencies explicitly |
| 14_2_2. Dependency | 360. Remove unnecessary sensitive information |
| 14_2_3. Dependency | 330. Verify Subresource Integrity |
| 14_2_4. Dependency | 362. Assign MFA mechanisms to a single account |
| 14_2_5. Dependency | 262. Verify third-party components |
| 14_2_6. Dependency | 374. Use of isolation methods in running applications |
| 14_3_2. Unintended security disclosure | 078. Disable debugging events |
| 14_3_3. Unintended security disclosure | 077. Avoid disclosing technical information |
| 14_4_1. HTTP security headers | 062. Define standard configurations; 266. Disable insecure functionalities; 349. Include HTTP security headers |
| 14_4_2. HTTP security headers | 043. Define an explicit content type; 349. Include HTTP security headers |
| 14_4_3. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_4_4. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_4_5. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_4_6. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_4_7. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_5_1. HTTP request header validation | 062. Define standard configurations; 173. Discard unsafe inputs; 266. Disable insecure functionalities; 320. Avoid client-side control enforcement; 349. Include HTTP security headers |