The system should store neither user-uploaded files nor files containing sensitive information in the web root.
The web root is the topmost directory on a web server. If there is no sufficient access control, any file in this directory will be publicly available. Therefore, user-uploaded files and files containing sensitive information should not be stored in it.
CAPEC-116: Excavation: An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data.
CWE-219: Storage of File with Sensitive Data Under Web Root: The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
CWE-552: Files or Directories Accessible to External Parties: The product makes files or directories accessible to unauthorized actors, even though they should not be.
CWE-548: Exposure of Information Through Directory Listing: A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
CWE-922: Insecure Storage of Sensitive Information: The software stores sensitive information without properly limiting read or write access by unauthorized actors.
OWASP Top 10 A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 V1.12 Secure File Upload Architectural Requirements.(1.12.1): Verify that user-uploaded files are stored outside of the web root.
OWASP-ASVS v4.0.1 V4.3 Other Access Control Considerations.(4.3.2): Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders.
OWASP-ASVS v4.0.1 V12.4 File Storage Requirements.(12.4.1): Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation.