OWASP ASVS

Summary

The OWASP Application Security Verification Standard project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The version used in this section is OWASP-ASVS v4.0.3.

Definitions

| Definition | Requirements |
| --- | --- |
| 1_1_1. Secure Software Development Lifecycle | 331. Guarantee legal compliance |
| 1_2_1. Authentication architecture | 096. Set user's required privileges; 186. Use the principle of least privilege |
| 1_2_2. Authentication architecture | 186. Use the principle of least privilege; 228. Authenticate using standard protocols |
| 1_2_3. Authentication architecture | 264. Request authentication |
| 1_2_4. Authentication architecture | 328. Request MFA for critical systems |
| 1_4_1. Access control architecture | 265. Restrict access to critical processes; 320. Avoid client-side control enforcement |
| 1_5_2. Input and output architecture | 321. Avoid deserializing untrusted data |
| 1_5_3. Input and output architecture | 173. Discard unsafe inputs |
| 1_5_4. Input and output architecture | 160. Encode system outputs |
| 1_6_2. Cryptographic architecture | 145. Protect system cryptographic keys |
| 1_6_3. Cryptographic architecture | 361. Replace cryptographic keys |
| 1_6_4. Cryptographic architecture | 145. Protect system cryptographic keys |
| 1_7_2. Errors, logging and auditing architecture | 378. Use of log management system |
| 1_8_2. Data protection and privacy architecture | 026. Encrypt client-side session information; 185. Encrypt sensitive information; 329. Keep client-side storage without sensitive data |
| 1_9_1. Communications architecture | 147. Use pre-existent mechanisms; 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms |
| 1_9_2. Communications architecture | 336. Disable insecure TLS versions |
| 1_12_2. Secure File Upload Architecture | 349. Include HTTP security headers |
| 1_14_5. Configuration architecture | 321. Avoid deserializing untrusted data; 374. Use of isolation methods in running applications |
| 1_14_6. Configuration architecture | 262. Verify third-party components |
| 2_1_1. Password security | 133. Passwords with at least 20 characters |
| 2_1_2. Password security | 132. Passphrases with at least 4 words |
| 2_1_3. Password security | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 2_1_4. Password security | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 2_1_5. Password security | 126. Set a password regeneration mechanism |
| 2_1_6. Password security | 141. Force re-authentication |
| 2_1_7. Password security | 332. Prevent the use of breached passwords |
| 2_1_8. Password security | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 2_1_9. Password security | 132. Passphrases with at least 4 words; 133. Passwords with at least 20 characters |
| 2_1_10. Password security | 129. Validate previous passwords |
| 2_2_1. General authenticator security | 237. Ascertain human interaction |
| 2_2_2. General authenticator security | 153. Out of band transactions; 231. Implement a biometric verification component |
| 2_2_3. General authenticator security | 153. Out of band transactions |
| 2_2_4. General authenticator security | 328. Request MFA for critical systems |
| 2_2_6. General authenticator security | 139. Set minimum OTP length; 140. Define OTP lifespan; 347. Invalidate previous OTPs |
| 2_2_7. General authenticator security | 153. Out of band transactions; 231. Implement a biometric verification component |
| 2_3_1. Authenticator lifecycle | 138. Define lifespan for temporary passwords; 367. Proper generation of temporary passwords |
| 2_3_2. Authenticator lifecycle | 153. Out of band transactions; 231. Implement a biometric verification component |
| 2_4_1. Credential storage | 127. Store hashed passwords; 134. Store passwords with salt; 150. Set minimum size for hash functions |
| 2_4_2. Credential storage | 135. Passwords with random salt |
| 2_4_3. Credential storage | 127. Store hashed passwords |
| 2_4_4. Credential storage | 127. Store hashed passwords |
| 2_4_5. Credential storage | 135. Passwords with random salt |
| 2_5_1. Credential recovery | 126. Set a password regeneration mechanism |
| 2_5_2. Credential recovery | 334. Avoid knowledge-based authentication |
| 2_5_3. Credential recovery | 238. Establish safe recovery |
| 2_5_4. Credential recovery | 142. Change system default credentials |
| 2_5_5. Credential recovery | 301. Notify configuration changes |
| 2_5_6. Credential recovery | 140. Define OTP lifespan; 238. Establish safe recovery |
| 2_6_1. Look-up secret verifier | 131. Deny multiple password changing attempts |
| 2_6_2. Look-up secret verifier | 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms |
| 2_6_3. Look-up secret verifier | 126. Set a password regeneration mechanism; 238. Establish safe recovery |
| 2_7_1. Out of band verifier | 153. Out of band transactions |
| 2_7_2. Out of band verifier | 335. Define out of band token lifespan |
| 2_7_3. Out of band verifier | 335. Define out of band token lifespan |
| 2_7_4. Out of band verifier | 338. Implement perfect forward secrecy |
| 2_7_6. Out of band verifier | 223. Uniform distribution in random numbers |
| 2_8_1. One time verifier | 140. Define OTP lifespan |
| 2_8_2. One time verifier | 232. Require equipment identity |
| 2_8_3. One time verifier | 147. Use pre-existent mechanisms |
| 2_8_4. One time verifier | 347. Invalidate previous OTPs |
| 2_8_5. One time verifier | 377. Store logs based on valid regulation |
| 2_8_6. One time verifier | 141. Force re-authentication |
| 2_8_7. One time verifier | 231. Implement a biometric verification component |
| 2_9_1. Cryptographic verifier | 145. Protect system cryptographic keys |
| 2_9_3. Cryptographic verifier | 224. Use secure cryptographic mechanisms |
| 2_10_2. Service authentication | 142. Change system default credentials |
| 2_10_3. Service authentication | 134. Store passwords with salt |
| 2_10_4. Service authentication | 156. Source code without sensitive information |
| 3_1_1. Fundamental session management security | 037. Parameters without sensitive data |
| 3_2_1. Session binding | 030. Avoid object reutilization |
| 3_2_2. Session binding | 224. Use secure cryptographic mechanisms |
| 3_2_3. Session binding | 029. Cookies with security attributes |
| 3_2_4. Session binding | 224. Use secure cryptographic mechanisms |
| 3_3_1. Session termination | 030. Avoid object reutilization |
| 3_3_2. Session termination | 141. Force re-authentication |
| 3_3_3. Session termination | 028. Allow users to log out; 141. Force re-authentication |
| 3_3_4. Session termination | 028. Allow users to log out |
| 3_4_1. Cookie-based session management | 029. Cookies with security attributes |
| 3_4_2. Cookie-based session management | 029. Cookies with security attributes |
| 3_4_3. Cookie-based session management | 029. Cookies with security attributes |
| 3_4_4. Cookie-based session management | 029. Cookies with security attributes |
| 3_4_5. Cookie-based session management | 029. Cookies with security attributes; 031. Discard user session data |
| 3_5_2. Token-based session management | 357. Use stateless session tokens |
| 3_5_3. Token-based session management | 357. Use stateless session tokens |
| 3_7_1. Defenses against session management exploits | 319. Make authentication options equally secure |
| 4_1_1. General access control design | 096. Set user's required privileges; 341. Use the principle of deny by default |
| 4_1_2. General access control design | 026. Encrypt client-side session information; 096. Set user's required privileges |
| 4_1_3. General access control design | 186. Use the principle of least privilege |
| 4_1_5. General access control design | 359. Avoid using generic exceptions |
| 4_2_1. Operation level access control | 176. Restrict system objects |
| 4_2_2. Operation level access control | 030. Avoid object reutilization; 031. Discard user session data; 141. Force re-authentication |
| 4_3_1. Other access control considerations | 122. Validate credential ownership; 153. Out of band transactions; 176. Restrict system objects; 229. Request access credentials; 231. Implement a biometric verification component; 264. Request authentication; 266. Disable insecure functionalities; 319. Make authentication options equally secure; 328. Request MFA for critical systems |
| 5_1_1. Input validation | 342. Validate request parameters |
| 5_1_2. Input validation | 237. Ascertain human interaction; 327. Set a rate limit |
| 5_1_3. Input validation | 342. Validate request parameters |
| 5_1_4. Input validation | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 5_1_5. Input validation | 324. Control redirects |
| 5_2_1. Sanitization and sandboxing | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 5_2_2. Sanitization and sandboxing | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 5_2_3. Sanitization and sandboxing | 115. Filter malicious emails; 118. Inspect attachments; 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 5_2_4. Sanitization and sandboxing | 344. Avoid dynamic code execution |
| 5_2_5. Sanitization and sandboxing | 173. Discard unsafe inputs; 176. Restrict system objects; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 5_2_6. Sanitization and sandboxing | 173. Discard unsafe inputs; 324. Control redirects |
| 5_2_7. Sanitization and sandboxing | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 5_2_8. Sanitization and sandboxing | 050. Control calls to interpreted code; 374. Use of isolation methods in running applications |
| 5_3_1. Output encoding and injection prevention | 160. Encode system outputs |
| 5_3_2. Output encoding and injection prevention | 044. Define an explicit charset |
| 5_3_3. Output encoding and injection prevention | 173. Discard unsafe inputs; 342. Validate request parameters |
| 5_3_4. Output encoding and injection prevention | 169. Use parameterized queries |
| 5_3_5. Output encoding and injection prevention | 169. Use parameterized queries; 173. Discard unsafe inputs; 342. Validate request parameters |
| 5_3_6. Output encoding and injection prevention | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 5_3_7. Output encoding and injection prevention | 173. Discard unsafe inputs |
| 5_3_8. Output encoding and injection prevention | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 5_3_9. Output encoding and injection prevention | 348. Use consistent encoding |
| 5_3_10. Output encoding and injection prevention | 173. Discard unsafe inputs |
| 5_4_1. Memory, string, and unmanaged code | 158. Use a secure programming language; 164. Use optimized structures; 173. Discard unsafe inputs |
| 5_4_2. Memory, string, and unmanaged code | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 5_4_3. Memory, string, and unmanaged code | 345. Establish protections against overflows |
| 5_5_1. Deserialization prevention | 321. Avoid deserializing untrusted data |
| 5_5_2. Deserialization prevention | 157. Use the strict mode |
| 5_5_3. Deserialization prevention | 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data |
| 5_5_4. Deserialization prevention | 173. Discard unsafe inputs; 321. Avoid deserializing untrusted data; 344. Avoid dynamic code execution |
| 6_1_1. Data classification | 185. Encrypt sensitive information |
| 6_1_2. Data classification | 185. Encrypt sensitive information |
| 6_1_3. Data classification | 185. Encrypt sensitive information |
| 6_2_1. Algorithms | 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption; 150. Set minimum size for hash functions; 181. Transmit data using secure protocols |
| 6_2_2. Algorithms | 147. Use pre-existent mechanisms |
| 6_2_3. Algorithms | 346. Use initialization vectors once |
| 6_2_4. Algorithms | 223. Uniform distribution in random numbers |
| 6_2_5. Algorithms | 148. Set minimum size of asymmetric encryption; 150. Set minimum size for hash functions |
| 6_2_6. Algorithms | 346. Use initialization vectors once |
| 6_2_7. Algorithms | 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption; 150. Set minimum size for hash functions; 181. Transmit data using secure protocols |
| 6_2_8. Algorithms | 224. Use secure cryptographic mechanisms |
| 6_3_1. Random values | 223. Uniform distribution in random numbers |
| 6_3_2. Random values | 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms |
| 6_3_3. Random values | 223. Uniform distribution in random numbers; 224. Use secure cryptographic mechanisms |
| 6_4_1. Secret management | 145. Protect system cryptographic keys; 380. Define a password management tool |
| 6_4_2. Secret management | 156. Source code without sensitive information; 380. Define a password management tool |
| 7_1_1. Log content | 083. Avoid logging sensitive data |
| 7_1_2. Log content | 377. Store logs based on valid regulation |
| 7_1_3. Log content | 075. Record exceptional events in logs |
| 7_1_4. Log content | 322. Avoid excessive logging |
| 7_2_2. Log processing | 075. Record exceptional events in logs; 378. Use of log management system |
| 7_2_4. Log processing | 083. Avoid logging sensitive data |
| 7_3_1. Log protection | 080. Prevent log modification; 173. Discard unsafe inputs |
| 7_3_3. Log protection | 080. Prevent log modification |
| 7_3_4. Log protection | 079. Record exact occurrence time of events |
| 7_4_1. Error handling | 075. Record exceptional events in logs |
| 7_4_2. Error handling | 075. Record exceptional events in logs; 079. Record exact occurrence time of events |
| 7_4_3. Error handling | 378. Use of log management system |
| 8_1_1. General data protection | 266. Disable insecure functionalities |
| 8_1_2. General data protection | 177. Avoid caching and temporary files |
| 8_1_3. General data protection | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement |
| 8_1_4. General data protection | 075. Record exceptional events in logs; 378. Use of log management system |
| 8_2_1. Client-side data protection | 329. Keep client-side storage without sensitive data; 375. Remove sensitive data from client-side applications |
| 8_3_1. Sensitive private data | 349. Include HTTP security headers |
| 8_3_2. Sensitive private data | 317. Allow erasure requests |
| 8_3_3. Sensitive private data | 189. Specify the purpose of data collection |
| 8_3_4. Sensitive private data | 315. Provide processed data information |
| 8_3_5. Sensitive private data | 323. Exclude unverifiable files |
| 8_3_6. Sensitive private data | 350. Enable memory protection mechanisms |
| 8_3_7. Sensitive private data | 147. Use pre-existent mechanisms |
| 9_1_1. Client communication security | 336. Disable insecure TLS versions |
| 9_1_2. Client communication security | 181. Transmit data using secure protocols; 336. Disable insecure TLS versions |
| 9_1_3. Client communication security | 336. Disable insecure TLS versions |
| 9_2_1. Server communication security | 091. Use internally signed certificates; 092. Use externally signed certificates |
| 9_2_2. Server communication security | 181. Transmit data using secure protocols |
| 9_2_3. Server communication security | 176. Restrict system objects; 264. Request authentication |
| 10_1_1. Code integrity | 155. Application free of malicious code |
| 10_2_1. Malicious code search | 041. Scan files for malicious code; 155. Application free of malicious code |
| 10_2_3. Malicious code search | 154. Eliminate backdoors |
| 10_2_4. Malicious code search | 262. Verify third-party components |
| 10_2_5. Malicious code search | 262. Verify third-party components |
| 10_2_6. Malicious code search | 041. Scan files for malicious code; 155. Application free of malicious code |
| 10_3_1. Application integrity | 088. Request client certificates; 090. Use valid certificates; 093. Use consistent certificates; 178. Use digital signatures |
| 10_3_2. Application integrity | 178. Use digital signatures; 262. Verify third-party components; 330. Verify Subresource Integrity |
| 10_3_3. Application integrity | 266. Disable insecure functionalities |
| 11_1_1. Business logic security | 337. Make critical logic flows thread safe |
| 11_1_2. Business logic security | 072. Set maximum response time; 327. Set a rate limit |
| 11_1_3. Business logic security | 072. Set maximum response time; 327. Set a rate limit |
| 11_1_4. Business logic security | 039. Define maximum file size; 043. Define an explicit content type; 072. Set maximum response time; 327. Set a rate limit |
| 12_1_1. File upload | 039. Define maximum file size |
| 12_1_2. File upload | 039. Define maximum file size; 042. Validate file format |
| 12_1_3. File upload | 039. Define maximum file size |
| 12_2_1. File integrity | 340. Use octet stream downloads |
| 12_3_1. File execution | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 12_3_2. File execution | 173. Discard unsafe inputs; 176. Restrict system objects |
| 12_3_3. File execution | 348. Use consistent encoding |
| 12_3_4. File execution | 043. Define an explicit content type; 062. Define standard configurations; 266. Disable insecure functionalities; 349. Include HTTP security headers |
| 12_3_5. File execution | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 12_3_6. File execution | 266. Disable insecure functionalities; 340. Use octet stream downloads |
| 12_4_1. File storage | 339. Avoid storing sensitive files in the web root |
| 12_4_2. File storage | 118. Inspect attachments |
| 12_5_1. File download | 040. Compare file format and extension |
| 12_5_2. File download | 040. Compare file format and extension; 042. Validate file format; 043. Define an explicit content type |
| 12_6_1. SSRF protection | 173. Discard unsafe inputs; 324. Control redirects |
| 13_1_1. Generic web service security | 348. Use consistent encoding |
| 13_1_3. Generic web service security | 261. Avoid exposing sensitive information |
| 13_1_5. Generic web service security | 062. Define standard configurations; 349. Include HTTP security headers |
| 13_2_1. RESTful web service | 266. Disable insecure functionalities |
| 13_2_2. RESTful web service | 342. Validate request parameters |
| 13_2_3. RESTful web service | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern |
| 13_2_5. RESTful web service | 062. Define standard configurations; 266. Disable insecure functionalities; 349. Include HTTP security headers |
| 13_2_6. RESTful web service | 181. Transmit data using secure protocols; 336. Disable insecure TLS versions |
| 13_3_1. SOAP web service | 173. Discard unsafe inputs |
| 13_3_2. SOAP web service | 228. Authenticate using standard protocols |
| 13_4_1. GraphQL | 077. Avoid disclosing technical information; 176. Restrict system objects; 264. Request authentication |
| 14_1_1. Build and deploy | 051. Store source code in a repository; 062. Define standard configurations |
| 14_1_2. Build and deploy | 157. Use the strict mode; 158. Use a secure programming language; 164. Use optimized structures |
| 14_1_3. Build and deploy | 266. Disable insecure functionalities |
| 14_1_4. Build and deploy | 062. Define standard configurations |
| 14_1_5. Build and deploy | 228. Authenticate using standard protocols; 229. Request access credentials; 235. Define credential interface; 264. Request authentication |
| 14_2_1. Dependency | 302. Declare dependencies explicitly |
| 14_2_2. Dependency | 360. Remove unnecessary sensitive information |
| 14_2_3. Dependency | 330. Verify Subresource Integrity |
| 14_2_4. Dependency | 362. Assign MFA mechanisms to a single account |
| 14_2_5. Dependency | 262. Verify third-party components |
| 14_2_6. Dependency | 374. Use of isolation methods in running applications |
| 14_3_2. Unintended security disclosure | 078. Disable debugging events |
| 14_3_3. Unintended security disclosure | 077. Avoid disclosing technical information |
| 14_4_1. HTTP security headers | 062. Define standard configurations; 266. Disable insecure functionalities; 349. Include HTTP security headers |
| 14_4_2. HTTP security headers | 043. Define an explicit content type; 349. Include HTTP security headers |
| 14_4_3. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_4_4. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_4_5. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_4_6. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_4_7. HTTP security headers | 062. Define standard configurations; 349. Include HTTP security headers |
| 14_5_1. HTTP request header validation | 062. Define standard configurations; 173. Discard unsafe inputs; 266. Disable insecure functionalities; 320. Avoid client-side control enforcement; 349. Include HTTP security headers |