OWASP ASVS

Summary

The OWASP Application Security Verification Standard project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The version used in this section is OWASP-ASVS v4.0.3.

Definitions

Definition / Requirements

Each ASVS definition below (identified by its chapter, section and requirement number) is followed by the requirements that map to it.
1_1_1. Secure Software Development Lifecycle
331. Guarantee legal compliance
1_2_1. Authentication architecture
096. Set user's required privileges
186. Use the principle of least privilege
1_2_2. Authentication architecture
186. Use the principle of least privilege
228. Authenticate using standard protocols
1_2_3. Authentication architecture
264. Request authentication
1_2_4. Authentication architecture
328. Request MFA for critical systems
1_4_1. Access control architecture
265. Restrict access to critical processes
320. Avoid client-side control enforcement
1_5_2. Input and output architecture
321. Avoid deserializing untrusted data
1_5_3. Input and output architecture
173. Discard unsafe inputs
1_5_4. Input and output architecture
160. Encode system outputs
1_6_2. Cryptographic architecture
145. Protect system cryptographic keys
1_6_3. Cryptographic architecture
361. Replace cryptographic keys
1_6_4. Cryptographic architecture
145. Protect system cryptographic keys
1_7_2. Errors, logging and auditing architecture
378. Use of log management system
1_8_2. Data protection and privacy architecture
026. Encrypt client-side session information
185. Encrypt sensitive information
329. Keep client-side storage without sensitive data
1_9_1. Communications architecture
147. Use pre-existent mechanisms
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
1_9_2. Communications architecture
336. Disable insecure TLS versions
1_12_2. Secure File Upload Architecture
349. Include HTTP security headers
1_14_5. Configuration architecture
321. Avoid deserializing untrusted data
374. Use of isolation methods in running applications
1_14_6. Configuration architecture
262. Verify third-party components
2_1_1. Password security
133. Passwords with at least 20 characters
2_1_2. Password security
132. Passphrases with at least 4 words
2_1_3. Password security
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
2_1_4. Password security
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
2_1_5. Password security
126. Set a password regeneration mechanism
2_1_6. Password security
141. Force re-authentication
2_1_7. Password security
332. Prevent the use of breached passwords
2_1_8. Password security
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
2_1_9. Password security
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
2_1_10. Password security
129. Validate previous passwords
2_2_1. General authenticator security
237. Ascertain human interaction
2_2_2. General authenticator security
153. Out of band transactions
231. Implement a biometric verification component
2_2_3. General authenticator security
153. Out of band transactions
2_2_4. General authenticator security
328. Request MFA for critical systems
2_2_6. General authenticator security
139. Set minimum OTP length
140. Define OTP lifespan
347. Invalidate previous OTPs
2_2_7. General authenticator security
153. Out of band transactions
231. Implement a biometric verification component
2_3_1. Authenticator lifecycle
138. Define lifespan for temporary passwords
367. Proper generation of temporary passwords
2_3_2. Authenticator lifecycle
153. Out of band transactions
231. Implement a biometric verification component
2_4_1. Credential storage
127. Store hashed passwords
134. Store passwords with salt
150. Set minimum size for hash functions
2_4_2. Credential storage
135. Passwords with random salt
2_4_3. Credential storage
127. Store hashed passwords
2_4_4. Credential storage
127. Store hashed passwords
2_4_5. Credential storage
135. Passwords with random salt
2_5_1. Credential recovery
126. Set a password regeneration mechanism
2_5_2. Credential recovery
334. Avoid knowledge-based authentication
2_5_3. Credential recovery
238. Establish safe recovery
2_5_4. Credential recovery
142. Change system default credentials
2_5_5. Credential recovery
301. Notify configuration changes
2_5_6. Credential recovery
140. Define OTP lifespan
238. Establish safe recovery
2_6_1. Look-up secret verifier
131. Deny multiple password changing attempts
2_6_2. Look-up secret verifier
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
2_6_3. Look-up secret verifier
126. Set a password regeneration mechanism
238. Establish safe recovery
2_7_1. Out of band verifier
153. Out of band transactions
2_7_2. Out of band verifier
335. Define out of band token lifespan
2_7_3. Out of band verifier
335. Define out of band token lifespan
2_7_4. Out of band verifier
338. Implement perfect forward secrecy
2_7_6. Out of band verifier
223. Uniform distribution in random numbers
2_8_1. One time verifier
140. Define OTP lifespan
2_8_2. One time verifier
232. Require equipment identity
2_8_3. One time verifier
147. Use pre-existent mechanisms
2_8_4. One time verifier
347. Invalidate previous OTPs
2_8_5. One time verifier
377. Store logs based on valid regulation
2_8_6. One time verifier
141. Force re-authentication
2_8_7. One time verifier
231. Implement a biometric verification component
2_9_1. Cryptographic verifier
145. Protect system cryptographic keys
2_9_3. Cryptographic verifier
224. Use secure cryptographic mechanisms
2_10_2. Service authentication
142. Change system default credentials
2_10_3. Service authentication
134. Store passwords with salt
2_10_4. Service authentication
156. Source code without sensitive information
3_1_1. Fundamental session management security
037. Parameters without sensitive data
3_2_1. Session binding
030. Avoid object reutilization
3_2_2. Session binding
224. Use secure cryptographic mechanisms
3_2_3. Session binding
029. Cookies with security attributes
3_2_4. Session binding
224. Use secure cryptographic mechanisms
3_3_1. Session termination
030. Avoid object reutilization
3_3_2. Session termination
141. Force re-authentication
3_3_3. Session termination
028. Allow users to log out
141. Force re-authentication
3_3_4. Session termination
028. Allow users to log out
3_4_1. Cookie-based session management
029. Cookies with security attributes
3_4_2. Cookie-based session management
029. Cookies with security attributes
3_4_3. Cookie-based session management
029. Cookies with security attributes
3_4_4. Cookie-based session management
029. Cookies with security attributes
3_4_5. Cookie-based session management
029. Cookies with security attributes
031. Discard user session data
3_5_2. Token-based session management
357. Use stateless session tokens
3_5_3. Token-based session management
357. Use stateless session tokens
3_7_1. Defenses against session management exploits
319. Make authentication options equally secure
4_1_1. General access control design
096. Set user's required privileges
341. Use the principle of deny by default
4_1_2. General access control design
026. Encrypt client-side session information
096. Set user's required privileges
4_1_3. General access control design
186. Use the principle of least privilege
4_1_5. General access control design
359. Avoid using generic exceptions
4_2_1. Operation level access control
176. Restrict system objects
4_2_2. Operation level access control
030. Avoid object reutilization
031. Discard user session data
141. Force re-authentication
4_3_1. Other access control considerations
122. Validate credential ownership
153. Out of band transactions
176. Restrict system objects
229. Request access credentials
231. Implement a biometric verification component
264. Request authentication
266. Disable insecure functionalities
319. Make authentication options equally secure
328. Request MFA for critical systems
5_1_1. Input validation
342. Validate request parameters
5_1_2. Input validation
237. Ascertain human interaction
327. Set a rate limit
5_1_3. Input validation
342. Validate request parameters
5_1_4. Input validation
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
5_1_5. Input validation
324. Control redirects
5_2_1. Sanitization and sandboxing
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
5_2_2. Sanitization and sandboxing
173. Discard unsafe inputs
320. Avoid client-side control enforcement
5_2_3. Sanitization and sandboxing
115. Filter malicious emails
118. Inspect attachments
173. Discard unsafe inputs
320. Avoid client-side control enforcement
5_2_4. Sanitization and sandboxing
344. Avoid dynamic code execution
5_2_5. Sanitization and sandboxing
173. Discard unsafe inputs
176. Restrict system objects
265. Restrict access to critical processes
266. Disable insecure functionalities
5_2_6. Sanitization and sandboxing
173. Discard unsafe inputs
324. Control redirects
5_2_7. Sanitization and sandboxing
173. Discard unsafe inputs
320. Avoid client-side control enforcement
5_2_8. Sanitization and sandboxing
050. Control calls to interpreted code
374. Use of isolation methods in running applications
5_3_1. Output encoding and injection prevention
160. Encode system outputs
5_3_2. Output encoding and injection prevention
044. Define an explicit charset
5_3_3. Output encoding and injection prevention
173. Discard unsafe inputs
342. Validate request parameters
5_3_4. Output encoding and injection prevention
169. Use parameterized queries
5_3_5. Output encoding and injection prevention
169. Use parameterized queries
173. Discard unsafe inputs
342. Validate request parameters
5_3_6. Output encoding and injection prevention
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
5_3_7. Output encoding and injection prevention
173. Discard unsafe inputs
5_3_8. Output encoding and injection prevention
173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
5_3_9. Output encoding and injection prevention
348. Use consistent encoding
5_3_10. Output encoding and injection prevention
173. Discard unsafe inputs
5_4_1. Memory, string, and unmanaged code
158. Use a secure programming language
164. Use optimized structures
173. Discard unsafe inputs
5_4_2. Memory, string, and unmanaged code
173. Discard unsafe inputs
320. Avoid client-side control enforcement
5_4_3. Memory, string, and unmanaged code
345. Establish protections against overflows
5_5_1. Deserialization prevention
321. Avoid deserializing untrusted data
5_5_2. Deserialization prevention
157. Use the strict mode
5_5_3. Deserialization prevention
173. Discard unsafe inputs
321. Avoid deserializing untrusted data
5_5_4. Deserialization prevention
173. Discard unsafe inputs
321. Avoid deserializing untrusted data
344. Avoid dynamic code execution
6_1_1. Data classification
185. Encrypt sensitive information
6_1_2. Data classification
185. Encrypt sensitive information
6_1_3. Data classification
185. Encrypt sensitive information
6_2_1. Algorithms
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
181. Transmit data using secure protocols
6_2_2. Algorithms
147. Use pre-existent mechanisms
6_2_3. Algorithms
346. Use initialization vectors once
6_2_4. Algorithms
223. Uniform distribution in random numbers
6_2_5. Algorithms
148. Set minimum size of asymmetric encryption
150. Set minimum size for hash functions
6_2_6. Algorithms
346. Use initialization vectors once
6_2_7. Algorithms
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
181. Transmit data using secure protocols
6_2_8. Algorithms
224. Use secure cryptographic mechanisms
6_3_1. Random values
223. Uniform distribution in random numbers
6_3_2. Random values
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
6_3_3. Random values
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
6_4_1. Secret management
145. Protect system cryptographic keys
380. Define a password management tool
6_4_2. Secret management
156. Source code without sensitive information
380. Define a password management tool
7_1_1. Log content
083. Avoid logging sensitive data
7_1_2. Log content
377. Store logs based on valid regulation
7_1_3. Log content
075. Record exceptional events in logs
7_1_4. Log content
322. Avoid excessive logging
7_2_2. Log processing
075. Record exceptional events in logs
378. Use of log management system
7_2_4. Log processing
083. Avoid logging sensitive data
7_3_1. Log protection
080. Prevent log modification
173. Discard unsafe inputs
7_3_3. Log protection
080. Prevent log modification
7_3_4. Log protection
079. Record exact occurrence time of events
7_4_1. Error handling
075. Record exceptional events in logs
7_4_2. Error handling
075. Record exceptional events in logs
079. Record exact occurrence time of events
7_4_3. Error handling
378. Use of log management system
8_1_1. General data protection
266. Disable insecure functionalities
8_1_2. General data protection
177. Avoid caching and temporary files
8_1_3. General data protection
173. Discard unsafe inputs
320. Avoid client-side control enforcement
8_1_4. General data protection
075. Record exceptional events in logs
378. Use of log management system
8_2_1. Client-side data protection
329. Keep client-side storage without sensitive data
375. Remove sensitive data from client-side applications
8_3_1. Sensitive private data
349. Include HTTP security headers
8_3_2. Sensitive private data
317. Allow erasure requests
8_3_3. Sensitive private data
189. Specify the purpose of data collection
8_3_4. Sensitive private data
315. Provide processed data information
8_3_5. Sensitive private data
323. Exclude unverifiable files
8_3_6. Sensitive private data
350. Enable memory protection mechanisms
8_3_7. Sensitive private data
147. Use pre-existent mechanisms
9_1_1. Client communication security
336. Disable insecure TLS versions
9_1_2. Client communication security
181. Transmit data using secure protocols
336. Disable insecure TLS versions
9_1_3. Client communication security
336. Disable insecure TLS versions
9_2_1. Server communication security
091. Use internally signed certificates
092. Use externally signed certificates
9_2_2. Server communication security
181. Transmit data using secure protocols
9_2_3. Server communication security
176. Restrict system objects
264. Request authentication
10_1_1. Code integrity
155. Application free of malicious code
10_2_1. Malicious code search
041. Scan files for malicious code
155. Application free of malicious code
10_2_3. Malicious code search
154. Eliminate backdoors
10_2_4. Malicious code search
262. Verify third-party components
10_2_5. Malicious code search
262. Verify third-party components
10_2_6. Malicious code search
041. Scan files for malicious code
155. Application free of malicious code
10_3_1. Application integrity
088. Request client certificates
090. Use valid certificates
093. Use consistent certificates
178. Use digital signatures
10_3_2. Application integrity
178. Use digital signatures
262. Verify third-party components
330. Verify Subresource Integrity
10_3_3. Application integrity
266. Disable insecure functionalities
11_1_1. Business logic security
337. Make critical logic flows thread safe
11_1_2. Business logic security
072. Set maximum response time
327. Set a rate limit
11_1_3. Business logic security
072. Set maximum response time
327. Set a rate limit
11_1_4. Business logic security
039. Define maximum file size
043. Define an explicit content type
072. Set maximum response time
327. Set a rate limit
12_1_1. File upload
039. Define maximum file size
12_1_2. File upload
039. Define maximum file size
042. Validate file format
12_1_3. File upload
039. Define maximum file size
12_2_1. File integrity
340. Use octet stream downloads
12_3_1. File execution
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
12_3_2. File execution
173. Discard unsafe inputs
176. Restrict system objects
12_3_3. File execution
348. Use consistent encoding
12_3_4. File execution
043. Define an explicit content type
062. Define standard configurations
266. Disable insecure functionalities
349. Include HTTP security headers
12_3_5. File execution
173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
12_3_6. File execution
266. Disable insecure functionalities
340. Use octet stream downloads
12_4_1. File storage
339. Avoid storing sensitive files in the web root
12_4_2. File storage
118. Inspect attachments
12_5_1. File download
040. Compare file format and extension
12_5_2. File download
040. Compare file format and extension
042. Validate file format
043. Define an explicit content type
12_6_1. SSRF protection
173. Discard unsafe inputs
324. Control redirects
13_1_1. Generic web service security
348. Use consistent encoding
13_1_3. Generic web service security
261. Avoid exposing sensitive information
13_1_5. Generic web service security
062. Define standard configurations
349. Include HTTP security headers
13_2_1. RESTful web service
266. Disable insecure functionalities
13_2_2. RESTful web service
342. Validate request parameters
13_2_3. RESTful web service
029. Cookies with security attributes
174. Transactions without a distinguishable pattern
13_2_5. RESTful web service
062. Define standard configurations
266. Disable insecure functionalities
349. Include HTTP security headers
13_2_6. RESTful web service
181. Transmit data using secure protocols
336. Disable insecure TLS versions
13_3_1. SOAP web service
173. Discard unsafe inputs
13_3_2. SOAP web service
228. Authenticate using standard protocols
13_4_1. GraphQL
077. Avoid disclosing technical information
176. Restrict system objects
264. Request authentication
14_1_1. Build and deploy
051. Store source code in a repository
062. Define standard configurations
14_1_2. Build and deploy
157. Use the strict mode
158. Use a secure programming language
164. Use optimized structures
14_1_3. Build and deploy
266. Disable insecure functionalities
14_1_4. Build and deploy
062. Define standard configurations
14_1_5. Build and deploy
228. Authenticate using standard protocols
229. Request access credentials
235. Define credential interface
264. Request authentication
14_2_1. Dependency
302. Declare dependencies explicitly
14_2_2. Dependency
360. Remove unnecessary sensitive information
14_2_3. Dependency
330. Verify Subresource Integrity
14_2_4. Dependency
362. Assign MFA mechanisms to a single account
14_2_5. Dependency
262. Verify third-party components
14_2_6. Dependency
374. Use of isolation methods in running applications
14_3_2. Unintended security disclosure
078. Disable debugging events
14_3_3. Unintended security disclosure
077. Avoid disclosing technical information
14_4_1. HTTP security headers
062. Define standard configurations
266. Disable insecure functionalities
349. Include HTTP security headers
14_4_2. HTTP security headers
043. Define an explicit content type
349. Include HTTP security headers
14_4_3. HTTP security headers
062. Define standard configurations
349. Include HTTP security headers
14_4_4. HTTP security headers
062. Define standard configurations
349. Include HTTP security headers
14_4_5. HTTP security headers
062. Define standard configurations
349. Include HTTP security headers
14_4_6. HTTP security headers
062. Define standard configurations
349. Include HTTP security headers
14_4_7. HTTP security headers
062. Define standard configurations
349. Include HTTP security headers
14_5_1. HTTP request header validation
062. Define standard configurations
173. Discard unsafe inputs
266. Disable insecure functionalities
320. Avoid client-side control enforcement
349. Include HTTP security headers