[ISM] Security verification:

The OWASP Application Security Verification Standard is used in the development of web applications.

[OWASP] Handle files and resources securely (SSS-02-11-12)

Securely handle files and resources to prevent unauthorized access, manipulation, and execution of malicious content. For example, validate file uploads with allowlists, implement malware scanning, and enforce secure storage locations; prevent path traversal attacks by sanitizing file paths and restricting direct file access; and continuously monitor file interactions, log access attempts, and audit resource usage to mitigate security risks.

[OWASP] Ensure secure file handling (SSS-02-11-12-01)

V12.1 File Upload Requirements
- Validate file types and extensions before allowing upload, ensuring only allowed formats are accepted.
- Enforce size limits on file uploads to prevent Denial of Service (DoS) via large files.
- Use temporary storage for uploaded files and validate them using antivirus scanning and other security checks before processing.
- Implement authentication and authorization checks to ensure only authorized users can upload files.

V12.2 File Integrity Requirements
- Use checksums or hashes (e.g., SHA-256) to verify file integrity during upload, ensuring the file has not been tampered with.
- Apply integrity controls during file transmission, ensuring files are not altered or corrupted in transit.
- Monitor file uploads for unusual activity and alert administrators if integrity checks fail or anomalies are detected.

V12.3 File Execution Requirements
- Restrict file execution to only authorized directories or services, preventing malicious files from being executed.
- Avoid allowing executable file types (e.g., .exe, .bat, .sh) to be uploaded or executed on the server.
- Implement sandboxing for files that must be processed or executed to limit the risk of exploitation.

V12.4 File Storage Requirements
- Store files in a separate, isolated storage location, distinct from the main web server or sensitive systems.
- Encrypt sensitive files at rest, using strong encryption algorithms to ensure data confidentiality.
- Apply access controls to restrict access to files based on user roles, ensuring only authorized personnel can view or modify files.

V12.5 File Download Requirements
- Implement authentication and authorization checks before allowing file downloads, ensuring only authorized users can access files.
- Sanitize file names and paths to prevent directory traversal or path injection attacks.
- Use secure download mechanisms such as HTTPS to protect data integrity and confidentiality during the download process.

V12.6 SSRF Protection Requirements
- Restrict outbound network access for uploaded files to prevent Server-Side Request Forgery (SSRF) attacks.
- Implement an allowlist for URLs that the server can access, preventing arbitrary connections to internal or external services.
- Use input validation and sanitization on any URLs or data submitted by users to prevent manipulation and SSRF vulnerabilities.

By enforcing secure file upload and download mechanisms, file integrity checks, and robust SSRF protections, organizations can minimize the risks associated with file handling and ensure the integrity and confidentiality of uploaded data.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-11-12-01-01 | Secure handling of file uploads | Ensure that all file uploads are scanned for malware and other potential threats. Implement checks to ensure uploaded files do not contain malicious code. | Development | Security Engineers, DevOps Teams
SSS-02-11-12-01-02 | Prevent path traversal attacks | Protect against path traversal attacks by blocking sequences like ../ and validating file paths to ensure files are stored in secure directories, avoiding unauthorized access. | Development | Security Engineers, Software Developers
SSS-02-11-12-01-03 | Validate MIME types for uploaded files | Ensure proper MIME type validation for uploaded files to prevent the uploading of dangerous files (e.g., executable files disguised as images or documents). | Development | Security Teams, QA Teams
SSS-02-11-12-01-04 | Implement access control for uploaded files | Prevent direct access to uploaded files by enforcing proper access control policies, such as using unique URLs, file permission settings, and authentication checks. | Deployment | Security Engineers, IT Operations
SSS-02-11-12-01-05 | Secure handling of external resources | Safeguard against Server-Side Request Forgery (SSRF) and similar attacks by validating and sanitizing external resource requests, and preventing unauthorized internal resource access. | Post-deployment | Security Teams, DevOps Teams
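The following is an added illustration, not code from the standard or from any of the teams listed above: a Python upload screen that applies the V12.1 and V12.5 checks and operations SSS-02-11-12-01-02 and -03 in one place (size limit, extension allowlist, magic-byte check against the declared type, rejection of traversal sequences, containment of the resolved path inside the upload root, and a SHA-256 digest for the integrity record). The allowed extensions, size limit and upload root are constructed policy values chosen for the example.

```python
import hashlib
import re
from pathlib import Path

# Constructed policy values for this example; a real deployment sets its own.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
ALLOWED_EXTENSIONS = set(MAGIC)          # allowlist, not a denylist of .exe/.sh
MAX_UPLOAD_BYTES = 5 * 1024 * 1024       # reject oversized bodies before any parsing
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


class UploadRejected(ValueError):
    """Raised with a short, loggable reason when a check fails."""


def validate_upload(filename: str, data: bytes, upload_root: Path) -> dict:
    """Apply size, name, extension, content and path checks; return storage metadata."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds size limit")
    # Block traversal and separator sequences outright rather than normalising them away.
    if ".." in filename or "/" in filename or "\\" in filename:
        raise UploadRejected("path traversal sequence in file name")
    if not SAFE_NAME.match(filename):
        raise UploadRejected("unsafe file name")
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # Check the bytes, not the client-supplied Content-Type, against the declared extension.
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    # Resolve the destination and confirm it still sits under the upload root.
    root = upload_root.resolve()
    dest = (root / filename).resolve()
    if root not in dest.parents:
        raise UploadRejected("path escapes upload root")
    return {"stored_name": filename, "path": str(dest),
            "sha256": hashlib.sha256(data).hexdigest()}


def screen_upload(filename: str, data: bytes, upload_root: str = "/tmp/example_uploads"):
    """Return (accepted, detail): the SHA-256 on success, the rejection reason otherwise."""
    try:
        return True, validate_upload(filename, data, Path(upload_root))["sha256"]
    except UploadRejected as exc:
        return False, str(exc)
```

The rejection reasons are deliberately short so they can be logged and alerted on (V12.2), while the caller decides what, if anything, to echo back to the client.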

References

Industry framework | Academic work | Real-world case
Information Security Manual (ISM-0971) | |
OWASP Application Security Verification Standard | |