Fluid Attacks Database

OWASP ASVS

Last updated: 2023/09/18

The OWASP Application Security Verification Standard project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The version used in this section is OWASP-ASVS v4.0.3.

Control-Requirement Mapping

Definition	Requirements
1_1_1. Secure Software Development Lifecycle	331. Guarantee legal compliance
1_2_1. Authentication architecture	186. Use the principle of least privilege 096. Set user's required privileges
1_2_2. Authentication architecture	186. Use the principle of least privilege 228. Authenticate using standard protocols
1_2_3. Authentication architecture	264. Request authentication
1_2_4. Authentication architecture	328. Request MFA for critical systems
1_4_1. Access control architecture	265. Restrict access to critical processes 320. Avoid client-side control enforcement
1_5_2. Input and output architecture	321. Avoid deserializing untrusted data
1_5_3. Input and output architecture	173. Discard unsafe inputs
1_5_4. Input and output architecture	160. Encode system outputs
1_6_2. Cryptographic architecture	145. Protect system cryptographic keys
1_6_3. Cryptographic architecture	361. Replace cryptographic keys
1_6_4. Cryptographic architecture	145. Protect system cryptographic keys
1_7_2. Errors, logging and auditing architecture	378. Use of log management system
1_8_2. Data protection and privacy architecture	185. Encrypt sensitive information 329. Keep client-side storage without sensitive data 026. Encrypt client-side session information
1_9_1. Communications architecture	147. Use pre-existent mechanisms 181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
1_9_2. Communications architecture	336. Disable insecure TLS versions
1_12_2. Secure File Upload Architecture	349. Include HTTP security headers
1_14_5. Configuration architecture	321. Avoid deserializing untrusted data 374. Use of isolation methods in running applications
1_14_6. Configuration architecture	262. Verify third-party components
2_1_1. Password security	133. Passwords with at least 20 characters
2_1_2. Password security	132. Passphrases with at least 4 words
2_1_3. Password security	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters
2_1_4. Password security	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters
2_1_5. Password security	126. Set a password regeneration mechanism
2_1_6. Password security	141. Force re-authentication
2_1_7. Password security	332. Prevent the use of breached passwords
2_1_8. Password security	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters
2_1_9. Password security	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters
2_1_10. Password security	129. Validate previous passwords
2_2_1. General authenticator security	237. Ascertain human interaction
2_2_2. General authenticator security	153. Out of band transactions 231. Implement a biometric verification component
2_2_3. General authenticator security	153. Out of band transactions
2_2_4. General authenticator security	328. Request MFA for critical systems
2_2_6. General authenticator security	139. Set minimum OTP length 140. Define OTP lifespan 347. Invalidate previous OTPs
2_2_7. General authenticator security	153. Out of band transactions 231. Implement a biometric verification component
2_3_1. Authenticator lifecycle	138. Define lifespan for temporary passwords 367. Proper generation of temporary passwords
2_3_2. Authenticator lifecycle	153. Out of band transactions 231. Implement a biometric verification component
2_4_1. Credential storage	127. Store hashed passwords 134. Store passwords with salt 150. Set minimum size for hash functions
2_4_2. Credential storage	135. Passwords with random salt
2_4_3. Credential storage	127. Store hashed passwords
2_4_4. Credential storage	127. Store hashed passwords
2_4_5. Credential storage	135. Passwords with random salt
2_5_1. Credential recovery	126. Set a password regeneration mechanism
2_5_2. Credential recovery	334. Avoid knowledge-based authentication
2_5_3. Credential recovery	238. Establish safe recovery
2_5_4. Credential recovery	142. Change system default credentials
2_5_5. Credential recovery	301. Notify configuration changes
2_5_6. Credential recovery	140. Define OTP lifespan 238. Establish safe recovery
2_6_1. Look-up secret verifier	131. Deny multiple password changing attempts
2_6_2. Look-up secret verifier	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
2_6_3. Look-up secret verifier	126. Set a password regeneration mechanism 238. Establish safe recovery
2_7_1. Out of band verifier	153. Out of band transactions
2_7_2. Out of band verifier	335. Define out of band token lifespan
2_7_3. Out of band verifier	335. Define out of band token lifespan
2_7_4. Out of band verifier	338. Implement perfect forward secrecy
2_7_6. Out of band verifier	223. Uniform distribution in random numbers
2_8_1. One time verifier	140. Define OTP lifespan
2_8_2. One time verifier	232. Require equipment identity
2_8_3. One time verifier	147. Use pre-existent mechanisms
2_8_4. One time verifier	347. Invalidate previous OTPs
2_8_5. One time verifier	377. Store logs based on valid regulation
2_8_6. One time verifier	141. Force re-authentication
2_8_7. One time verifier	231. Implement a biometric verification component
2_9_1. Cryptographic verifier	145. Protect system cryptographic keys
2_9_3. Cryptographic verifier	224. Use secure cryptographic mechanisms
2_10_2. Service authentication	142. Change system default credentials
2_10_3. Service authentication	134. Store passwords with salt
2_10_4. Service authentication	156. Source code without sensitive information
3_1_1. Fundamental session management security	037. Parameters without sensitive data
3_2_1. Session binding	030. Avoid object reutilization
3_2_2. Session binding	224. Use secure cryptographic mechanisms
3_2_3. Session binding	029. Cookies with security attributes
3_2_4. Session binding	224. Use secure cryptographic mechanisms
3_3_1. Session termination	030. Avoid object reutilization
3_3_2. Session termination	141. Force re-authentication
3_3_3. Session termination	141. Force re-authentication 028. Allow users to log out
3_3_4. Session termination	028. Allow users to log out
3_4_1. Cookie-based session management	029. Cookies with security attributes
3_4_2. Cookie-based session management	029. Cookies with security attributes
3_4_3. Cookie-based session management	029. Cookies with security attributes
3_4_4. Cookie-based session management	029. Cookies with security attributes
3_4_5. Cookie-based session management	029. Cookies with security attributes 031. Discard user session data
3_5_2. Token-based session management	357. Use stateless session tokens
3_5_3. Token-based session management	357. Use stateless session tokens
3_7_1. Defenses against session management exploits	319. Make authentication options equally secure
4_1_1. General access control design	341. Use the principle of deny by default 096. Set user's required privileges
4_1_2. General access control design	026. Encrypt client-side session information 096. Set user's required privileges
4_1_3. General access control design	186. Use the principle of least privilege
4_1_5. General access control design	359. Avoid using generic exceptions
4_2_1. Operation level access control	176. Restrict system objects
4_2_2. Operation level access control	141. Force re-authentication 030. Avoid object reutilization 031. Discard user session data
4_3_1. Other access control considerations	122. Validate credential ownership 153. Out of band transactions 176. Restrict system objects 229. Request access credentials 231. Implement a biometric verification component 264. Request authentication 266. Disable insecure functionalities 319. Make authentication options equally secure 328. Request MFA for critical systems
5_1_1. Input validation	342. Validate request parameters
5_1_2. Input validation	237. Ascertain human interaction 327. Set a rate limit
5_1_3. Input validation	342. Validate request parameters
5_1_4. Input validation	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
5_1_5. Input validation	324. Control redirects
5_2_1. Sanitization and sandboxing	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
5_2_2. Sanitization and sandboxing	173. Discard unsafe inputs 320. Avoid client-side control enforcement
5_2_3. Sanitization and sandboxing	115. Filter malicious emails 118. Inspect attachments 173. Discard unsafe inputs 320. Avoid client-side control enforcement
5_2_4. Sanitization and sandboxing	344. Avoid dynamic code execution
5_2_5. Sanitization and sandboxing	173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 266. Disable insecure functionalities
5_2_6. Sanitization and sandboxing	173. Discard unsafe inputs 324. Control redirects
5_2_7. Sanitization and sandboxing	173. Discard unsafe inputs 320. Avoid client-side control enforcement
5_2_8. Sanitization and sandboxing	374. Use of isolation methods in running applications 050. Control calls to interpreted code
5_3_1. Output encoding and injection prevention	160. Encode system outputs
5_3_2. Output encoding and injection prevention	044. Define an explicit charset
5_3_3. Output encoding and injection prevention	173. Discard unsafe inputs 342. Validate request parameters
5_3_4. Output encoding and injection prevention	169. Use parameterized queries
5_3_5. Output encoding and injection prevention	169. Use parameterized queries 173. Discard unsafe inputs 342. Validate request parameters
5_3_6. Output encoding and injection prevention	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
5_3_7. Output encoding and injection prevention	173. Discard unsafe inputs
5_3_8. Output encoding and injection prevention	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
5_3_9. Output encoding and injection prevention	348. Use consistent encoding
5_3_10. Output encoding and injection prevention	173. Discard unsafe inputs
5_4_1. Memory, string, and unmanaged code	158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs
5_4_2. Memory, string, and unmanaged code	173. Discard unsafe inputs 320. Avoid client-side control enforcement
5_4_3. Memory, string, and unmanaged code	345. Establish protections against overflows
5_5_1. Deserialization prevention	321. Avoid deserializing untrusted data
5_5_2. Deserialization prevention	157. Use the strict mode
5_5_3. Deserialization prevention	173. Discard unsafe inputs 321. Avoid deserializing untrusted data
5_5_4. Deserialization prevention	173. Discard unsafe inputs 321. Avoid deserializing untrusted data 344. Avoid dynamic code execution
6_1_1. Data classification	185. Encrypt sensitive information
6_1_2. Data classification	185. Encrypt sensitive information
6_1_3. Data classification	185. Encrypt sensitive information
6_2_1. Algorithms	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 181. Transmit data using secure protocols
6_2_2. Algorithms	147. Use pre-existent mechanisms
6_2_3. Algorithms	346. Use initialization vectors once
6_2_4. Algorithms	223. Uniform distribution in random numbers
6_2_5. Algorithms	148. Set minimum size of asymmetric encryption 150. Set minimum size for hash functions
6_2_6. Algorithms	346. Use initialization vectors once
6_2_7. Algorithms	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 181. Transmit data using secure protocols
6_2_8. Algorithms	224. Use secure cryptographic mechanisms
6_3_1. Random values	223. Uniform distribution in random numbers
6_3_2. Random values	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
6_3_3. Random values	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
6_4_1. Secret management	145. Protect system cryptographic keys 380. Define a password management tool
6_4_2. Secret management	156. Source code without sensitive information 380. Define a password management tool
7_1_1. Log content	083. Avoid logging sensitive data
7_1_2. Log content	377. Store logs based on valid regulation
7_1_3. Log content	075. Record exceptional events in logs
7_1_4. Log content	322. Avoid excessive logging
7_2_2. Log processing	378. Use of log management system 075. Record exceptional events in logs
7_2_4. Log processing	083. Avoid logging sensitive data
7_3_1. Log protection	173. Discard unsafe inputs 080. Prevent log modification
7_3_3. Log protection	080. Prevent log modification
7_3_4. Log protection	079. Record exact occurrence time of events
7_4_1. Error handling	075. Record exceptional events in logs
7_4_2. Error handling	075. Record exceptional events in logs 079. Record exact occurrence time of events
7_4_3. Error handling	378. Use of log management system
8_1_1. General data protection	266. Disable insecure functionalities
8_1_2. General data protection	177. Avoid caching and temporary files
8_1_3. General data protection	173. Discard unsafe inputs 320. Avoid client-side control enforcement
8_1_4. General data protection	378. Use of log management system 075. Record exceptional events in logs
8_2_1. Client-side data protection	329. Keep client-side storage without sensitive data 375. Remove sensitive data from client-side applications
8_3_1. Sensitive private data	349. Include HTTP security headers
8_3_2. Sensitive private data	317. Allow erasure requests
8_3_3. Sensitive private data	189. Specify the purpose of data collection
8_3_4. Sensitive private data	315. Provide processed data information
8_3_5. Sensitive private data	323. Exclude unverifiable files
8_3_6. Sensitive private data	350. Enable memory protection mechanisms
8_3_7. Sensitive private data	147. Use pre-existent mechanisms
9_1_1. Client communication security	336. Disable insecure TLS versions
9_1_2. Client communication security	181. Transmit data using secure protocols 336. Disable insecure TLS versions
9_1_3. Client communication security	336. Disable insecure TLS versions
9_2_1. Server communication security	091. Use internally signed certificates 092. Use externally signed certificates
9_2_2. Server communication security	181. Transmit data using secure protocols
9_2_3. Server communication security	176. Restrict system objects 264. Request authentication
10_1_1. Code integrity	155. Application free of malicious code
10_2_1. Malicious code search	155. Application free of malicious code 041. Scan files for malicious code
10_2_3. Malicious code search	154. Eliminate backdoors
10_2_4. Malicious code search	262. Verify third-party components
10_2_5. Malicious code search	262. Verify third-party components
10_2_6. Malicious code search	155. Application free of malicious code 041. Scan files for malicious code
10_3_1. Application integrity	178. Use digital signatures 088. Request client certificates 090. Use valid certificates 093. Use consistent certificates
10_3_2. Application integrity	178. Use digital signatures 262. Verify third-party components 330. Verify Subresource Integrity
10_3_3. Application integrity	266. Disable insecure functionalities
11_1_1. Business logic security	337. Make critical logic flows thread safe
11_1_2. Business logic security	327. Set a rate limit 072. Set maximum response time
11_1_3. Business logic security	327. Set a rate limit 072. Set maximum response time
11_1_4. Business logic security	327. Set a rate limit 039. Define maximum file size 043. Define an explicit content type 072. Set maximum response time
12_1_1. File upload	039. Define maximum file size
12_1_2. File upload	039. Define maximum file size 042. Validate file format
12_1_3. File upload	039. Define maximum file size
12_2_1. File integrity	340. Use octet stream downloads
12_3_1. File execution	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
12_3_2. File execution	173. Discard unsafe inputs 176. Restrict system objects
12_3_3. File execution	348. Use consistent encoding
12_3_4. File execution	266. Disable insecure functionalities 349. Include HTTP security headers 043. Define an explicit content type 062. Define standard configurations
12_3_5. File execution	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
12_3_6. File execution	266. Disable insecure functionalities 340. Use octet stream downloads
12_4_1. File storage	339. Avoid storing sensitive files in the web root
12_4_2. File storage	118. Inspect attachments
12_5_1. File download	040. Compare file format and extension
12_5_2. File download	040. Compare file format and extension 042. Validate file format 043. Define an explicit content type
12_6_1. SSRF protection	173. Discard unsafe inputs 324. Control redirects
13_1_1. Generic web service security	348. Use consistent encoding
13_1_3. Generic web service security	261. Avoid exposing sensitive information
13_1_5. Generic web service security	349. Include HTTP security headers 062. Define standard configurations
13_2_1. RESTful web service	266. Disable insecure functionalities
13_2_2. RESTful web service	342. Validate request parameters
13_2_3. RESTful web service	174. Transactions without a distinguishable pattern 029. Cookies with security attributes
13_2_5. RESTful web service	266. Disable insecure functionalities 349. Include HTTP security headers 062. Define standard configurations
13_2_6. RESTful web service	181. Transmit data using secure protocols 336. Disable insecure TLS versions
13_3_1. SOAP web service	173. Discard unsafe inputs
13_3_2. SOAP web service	228. Authenticate using standard protocols
13_4_1. GraphQL	176. Restrict system objects 264. Request authentication 077. Avoid disclosing technical information
14_1_1. Build and deploy	051. Store source code in a repository 062. Define standard configurations
14_1_2. Build and deploy	157. Use the strict mode 158. Use a secure programming language 164. Use optimized structures
14_1_3. Build and deploy	266. Disable insecure functionalities
14_1_4. Build and deploy	062. Define standard configurations
14_1_5. Build and deploy	228. Authenticate using standard protocols 229. Request access credentials 235. Define credential interface 264. Request authentication
14_2_1. Dependency	302. Declare dependencies explicitly
14_2_2. Dependency	360. Remove unnecessary sensitive information
14_2_3. Dependency	330. Verify Subresource Integrity
14_2_4. Dependency	362. Assign MFA mechanisms to a single account
14_2_5. Dependency	262. Verify third-party components
14_2_6. Dependency	374. Use of isolation methods in running applications
14_3_2. Unintended security disclosure	078. Disable debugging events
14_3_3. Unintended security disclosure	077. Avoid disclosing technical information
14_4_1. HTTP security headers	266. Disable insecure functionalities 349. Include HTTP security headers 062. Define standard configurations
14_4_2. HTTP security headers	349. Include HTTP security headers 043. Define an explicit content type
14_4_3. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
14_4_4. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
14_4_5. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
14_4_6. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
14_4_7. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
14_5_1. HTTP request header validation	173. Discard unsafe inputs 266. Disable insecure functionalities 320. Avoid client-side control enforcement 349. Include HTTP security headers 062. Define standard configurations

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.