339 – Avoid storing sensitive files in the web root

Summary

The system should store neither user-uploaded files nor files containing sensitive information in the web root.

Description

The web root is the topmost directory on a web server. If there is no sufficient access control, any file in this directory will be publicly available. Therefore, user-uploaded files and files containing sensitive information should not be stored on it.

Supported In

Advanced: True

References

• CAPEC-116. Excavation
• CWE-219. Storage of file with sensitive data under web root
• CWE-922. Insecure storage of sensitive information
• OWASP10-A2. Cryptographic failures
• PADSS-9_1. Any web server and any cardholder data storage component are not required to be on the same server
• PDPA-6_24. Protection of personal data
• CMMC-SI_L1-3_14_5. System & file scanning
• OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
• NISTSSDF-PS_3_1. Archive and protect each software release
• ISSAF-K_9_1. Network security - Storage Area Network SAN (practices for the data-at-rest)
• ISSAF-T_19_2. Web application assessment - Global Countermeasures (server-side)
• OWASPSCP-12. File management
• ASVS-12_4_1. File storage
• CASA-8_2_2. Client-side Data Protection
• CASA-12_4_1. File Storage

Last updated

2023/09/18