OWASP ASVS

Summary

The OWASP Application Security Verification Standard project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The version used in this section is OWASP-ASVS v4.0.3.

Definitions

Definition
    Requirements

1_2_1. Authentication architecture
    096. Set user's required privileges
    186. Use the principle of least privilege
1_2_3. Authentication architecture
    264. Request authentication
1_2_4. Authentication architecture
    328. Request MFA for critical systems
1_4_1. Access control architecture
    265. Restrict access to critical processes
    320. Avoid client-side control enforcement
1_5_2. Input and output architecture
    321. Avoid deserializing untrusted data
1_5_3. Input and output architecture
    173. Discard unsafe inputs
1_5_4. Input and output architecture
    160. Encode system outputs
1_6_2. Cryptographic architecture
    145. Protect system cryptographic keys
1_6_3. Cryptographic architecture
    361. Replace cryptographic keys
1_7_2. Errors, logging and auditing architecture
    378. Use of log management system
1_8_2. Data protection and privacy architecture
    026. Encrypt client-side session information
    185. Encrypt sensitive information
    329. Keep client-side storage without sensitive data
1_9_1. Communications architecture
    147. Use pre-existent mechanisms
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
1_9_2. Communications architecture
    336. Disable insecure TLS versions
1_14_5. Configuration architecture
    321. Avoid deserializing untrusted data
    374. Use of isolation methods in running applications
2_1_1. Password security
    133. Passwords with at least 20 characters
2_1_2. Password security
    132. Passphrases with at least 4 words
2_1_6. Password security
    141. Force re-authentication
2_1_7. Password security
    332. Prevent the use of breached passwords
2_1_10. Password security
    129. Validate previous passwords
2_2_3. General authenticator security
    153. Out of band transactions
2_2_4. General authenticator security
    328. Request MFA for critical systems
2_2_6. General authenticator security
    139. Set minimum OTP length
    140. Define OTP lifespan
    347. Invalidate previous OTPs
2_3_1. Authenticator lifecycle
    138. Define lifespan for temporary passwords
    367. Proper generation of temporary passwords
2_4_1. Credential storage
    127. Store hashed passwords
    134. Store passwords with salt
    150. Set minimum size for hash functions
2_4_2. Credential storage
    135. Passwords with random salt
2_4_3. Credential storage
    127. Store hashed passwords
2_4_4. Credential storage
    127. Store hashed passwords
2_4_5. Credential storage
    135. Passwords with random salt
2_5_2. Credential recovery
    334. Avoid knowledge-based authentication
2_5_3. Credential recovery
    238. Establish safe recovery
2_5_5. Credential recovery
    301. Notify configuration changes
2_5_6. Credential recovery
    140. Define OTP lifespan
    238. Establish safe recovery
2_6_2. Look-up secret verifier
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
2_7_1. Out of band verifier
    153. Out of band transactions
2_7_2. Out of band verifier
    335. Define out of band token lifespan
2_7_3. Out of band verifier
    335. Define out of band token lifespan
2_7_4. Out of band verifier
    338. Implement perfect forward secrecy
2_7_6. Out of band verifier
    223. Uniform distribution in random numbers
2_8_1. One time verifier
    140. Define OTP lifespan
2_8_4. One time verifier
    347. Invalidate previous OTPs
2_8_7. One time verifier
    231. Implement a biometric verification component
2_9_1. Cryptographic verifier
    145. Protect system cryptographic keys
2_9_3. Cryptographic verifier
    224. Use secure cryptographic mechanisms
3_1_1. Fundamental session management security
    037. Parameters without sensitive data
3_2_3. Session binding
    029. Cookies with security attributes
3_2_4. Session binding
    224. Use secure cryptographic mechanisms
3_3_1. Session termination
    030. Avoid object reutilization
3_3_2. Session termination
    141. Force re-authentication
3_3_4. Session termination
    028. Allow users to log out
3_4_2. Cookie-based session management
    029. Cookies with security attributes
3_4_3. Cookie-based session management
    029. Cookies with security attributes
3_5_2. Token-based session management
    357. Use stateless session tokens
3_5_3. Token-based session management
    357. Use stateless session tokens
3_7_1. Defenses against session management exploits
    319. Make authentication options equally secure
4_1_3. General access control design
    186. Use the principle of least privilege
4_1_5. General access control design
    359. Avoid using generic exceptions
5_1_1. Input validation
    342. Validate request parameters
5_1_3. Input validation
    342. Validate request parameters
5_1_5. Input validation
    324. Control redirects
5_2_4. Sanitization and sandboxing
    344. Avoid dynamic code execution
5_2_5. Sanitization and sandboxing
    173. Discard unsafe inputs
    176. Restrict system objects
    265. Restrict access to critical processes
    266. Disable insecure functionalities
5_2_6. Sanitization and sandboxing
    173. Discard unsafe inputs
    324. Control redirects
5_3_1. Output encoding and injection prevention
    160. Encode system outputs
5_3_4. Output encoding and injection prevention
    169. Use parameterized queries
5_3_7. Output encoding and injection prevention
    173. Discard unsafe inputs
5_3_8. Output encoding and injection prevention
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    266. Disable insecure functionalities
5_3_9. Output encoding and injection prevention
    348. Use consistent encoding
5_3_10. Output encoding and injection prevention
    173. Discard unsafe inputs
5_4_1. Memory, string, and unmanaged code
    158. Use a secure programming language
    164. Use optimized structures
    173. Discard unsafe inputs
5_4_3. Memory, string, and unmanaged code
    345. Establish protections against overflows
5_5_1. Deserialization prevention
    321. Avoid deserializing untrusted data
5_5_2. Deserialization prevention
    157. Use the strict mode
6_1_1. Data classification
    185. Encrypt sensitive information
6_1_2. Data classification
    185. Encrypt sensitive information
6_1_3. Data classification
    185. Encrypt sensitive information
6_2_2. Algorithms
    147. Use pre-existent mechanisms
6_2_3. Algorithms
    346. Use initialization vectors once
6_2_4. Algorithms
    223. Uniform distribution in random numbers
6_2_5. Algorithms
    148. Set minimum size of asymmetric encryption
    150. Set minimum size for hash functions
6_2_6. Algorithms
    346. Use initialization vectors once
6_3_1. Random values
    223. Uniform distribution in random numbers
6_3_3. Random values
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
7_1_1. Log content
    083. Avoid logging sensitive data
7_1_2. Log content
    377. Store logs based on valid regulation
7_1_3. Log content
    075. Record exceptional events in logs
7_1_4. Log content
    322. Avoid excessive logging
7_2_4. Log processing
    083. Avoid logging sensitive data
7_3_3. Log protection
    080. Prevent log modification
7_3_4. Log protection
    079. Record exact occurrence time of events
7_4_1. Error handling
    075. Record exceptional events in logs
8_1_1. General data protection
    266. Disable insecure functionalities
8_1_2. General data protection
    177. Avoid caching and temporary files
8_1_3. General data protection
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
8_2_1. Client-side data protection
    329. Keep client-side storage without sensitive data
8_3_1. Sensitive private data
    349. Include HTTP security headers
8_3_2. Sensitive private data
    317. Allow erasure requests
8_3_3. Sensitive private data
    189. Specify the purpose of data collection
8_3_4. Sensitive private data
    315. Provide processed data information
8_3_5. Sensitive private data
    323. Exclude unverifiable files
8_3_7. Sensitive private data
    147. Use pre-existent mechanisms
9_1_1. Client communication security
    336. Disable insecure TLS versions
9_1_3. Client communication security
    336. Disable insecure TLS versions
9_2_1. Server communication security
    091. Use internally signed certificates
    092. Use externally signed certificates
9_2_2. Server communication security
    181. Transmit data using secure protocols
10_1_1. Code integrity
    155. Application free of malicious code
10_2_3. Malicious code search
    154. Eliminate backdoors
10_2_4. Malicious code search
    262. Verify third-party components
10_2_5. Malicious code search
    262. Verify third-party components
10_3_1. Application integrity
    088. Request client certificates
    090. Use valid certificates
    093. Use consistent certificates
    178. Use digital signatures
10_3_2. Application integrity
    178. Use digital signatures
    262. Verify third-party components
    330. Verify Subresource Integrity
10_3_3. Application integrity
    266. Disable insecure functionalities
11_1_1. Business logic security
    337. Make critical logic flows thread safe
12_1_1. File upload
    039. Define maximum file size
12_1_3. File upload
    039. Define maximum file size
12_2_1. File integrity
    340. Use octet stream downloads
12_3_1. File execution
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
    342. Validate request parameters
12_3_3. File execution
    348. Use consistent encoding
12_3_6. File execution
    266. Disable insecure functionalities
    340. Use octet stream downloads
12_4_1. File storage
    339. Avoid storing sensitive files in the web root
12_4_2. File storage
    118. Inspect attachments
12_5_1. File download
    040. Compare file format and extension
13_1_1. Generic web service security
    348. Use consistent encoding
13_1_3. Generic web service security
    261. Avoid exposing sensitive information
13_1_5. Generic web service security
    062. Define standard configurations
    349. Include HTTP security headers
13_4_1. GraphQL
    077. Avoid disclosing technical information
    176. Restrict system objects
14_1_3. Build and deploy
    266. Disable insecure functionalities
14_1_5. Build and deploy
    228. Authenticate using standard protocols
    229. Request access credentials
    235. Define credential interface
    264. Request authentication
14_2_1. Dependency
    302. Declare dependencies explicitly
14_2_2. Dependency
    360. Remove unnecessary sensitive information
14_2_4. Dependency
    362. Assign MFA mechanisms to a single account
14_2_6. Dependency
    374. Use of isolation methods in running applications
14_3_2. Unintended security disclosure
    078. Disable debugging events
14_3_3. Unintended security disclosure
    077. Avoid disclosing technical information
14_4_1. HTTP security headers
    062. Define standard configurations
    266. Disable insecure functionalities
    349. Include HTTP security headers
14_4_4. HTTP security headers
    062. Define standard configurations
    349. Include HTTP security headers
14_4_6. HTTP security headers
    062. Define standard configurations
    349. Include HTTP security headers