The scan rules follow the OWASP Top 10 (2017), IPA's "How to Secure Your Web Site" and OWASP ASVS 4.0 Level 1. The main items scanned are listed below.
Web Application Scan
The Web Application Scan rules cover the following items.
A1:2017-Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A2:2017-Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
A3:2017-Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
A4:2017-XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
A5:2017-Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
A6:2017-Security Misconfiguration
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
A7:2017-Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A8:2017-Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
A9:2017-Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Other: vulnerabilities not categorized in the OWASP Top 10.
■OWASP ASVS 4.0 Level 1
Verify that user set passwords are at least 12 characters in length. (C6)
Verify that passwords 64 characters or longer are permitted. (C6)
Verify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced. (C6)
Verify that Unicode characters are permitted in passwords. A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted.
Verify that password change functionality requires the user's current and new password.
Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new nonbreached password. (C6)
Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. (C6)
Verify that "paste" functionality, browser password helpers, and external password managers are permitted.
Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account.
Verify password hints or knowledge-based authentication (so-called "secret questions") are not present.
Verify password credential recovery does not reveal the current password in any way. (C6)
Verify shared or default accounts are not present (e.g. "root", "admin", or "sa").
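The password requirements above are easy to get subtly wrong in code: length must be counted in Unicode code points rather than bytes, spaces must survive, nothing may be truncated, no composition rules may be imposed, and the breach check must not ship the plaintext to a third party. The following is an added example written for this page, not code from the scanner vendor or from OWASP. The breached-password corpus is a constructed three-entry stand-in (a real deployment loads a large list or queries a k-anonymity range API with only a hash prefix), and the 256 code point hard cap is an assumption chosen only to bound hashing cost.

```python
import hashlib
import re

MIN_CODE_POINTS = 12        # "at least 12 characters in length"
MUST_ACCEPT_UP_TO = 64      # "passwords 64 characters or longer are permitted"
HARD_CAP = 256              # assumption: bounds hashing cost, well above 64

# Constructed stand-in for a breached-password corpus, kept as SHA-1 digests so
# the check runs offline; not real breach data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password1234", "qwertyuiop12", "letmein12345")
}


def normalize(raw: str) -> str:
    """The only transformation the requirements allow: coalesce runs of spaces.
    No trimming, no truncation, no case folding, no Unicode normalization."""
    return re.sub(r" {2,}", " ", raw)


def breach_query(pw: str) -> tuple[str, str]:
    """Split the SHA-1 hex digest into the 5-character prefix that a range API
    would receive and the suffix compared locally, so the plaintext (and the
    full hash) never leave the host."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_breached(pw: str, corpus=BREACHED_SHA1) -> bool:
    prefix, suffix = breach_query(pw)
    # Emulate the range lookup: take every digest sharing the prefix, compare locally.
    candidates = {d[5:] for d in corpus if d.startswith(prefix)}
    return suffix in candidates


def check_password(raw: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    pw = normalize(raw)
    problems = []
    # len() on a Python str counts code points, so 12 emoji or 64 kanji pass;
    # len(pw.encode("utf-8")) would overcount multi-byte characters and
    # len(pw.encode("utf-16-le")) // 2 would overcount astral-plane emoji.
    if len(pw) < MIN_CODE_POINTS:
        problems.append(f"only {len(pw)} code points; minimum is {MIN_CODE_POINTS}")
    if len(pw) > HARD_CAP:
        problems.append(f"longer than the {HARD_CAP} code point cap")
    if is_breached(pw):
        problems.append("found in breached-password corpus")
    # Deliberately absent: any requirement for upper/lower case, digits or symbols,
    # and any rejection of spaces or "paste" input.
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "🔒" * 12, "password1234", "short"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The `breach_query` split mirrors how k-anonymity range lookups work: the server learns only a 5 hex character prefix (one of about a million buckets), and the caller does the final comparison itself.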
Verify the application never reveals session tokens in URL parameters or error messages.
Verify the application generates a new session token on user authentication. (C6)
Verify that session tokens possess at least 64 bits of entropy. (C6)
Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see ASVS section 3.4) or HTML 5 session storage.
Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. (C6)
Verify that cookie-based session tokens have the 'Secure' attribute set. (C6)
Verify that cookie-based session tokens have the 'HttpOnly' attribute set. (C6)
Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. (C6)
Verify that cookie-based session tokens use "__Host-" prefix (see references) to provide session cookie confidentiality.
Verify the application ensures a valid login session or requires reauthentication or secondary verification before allowing any sensitive transactions or account modifications.
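A scanner verifies the cookie requirements above from the Set-Cookie header alone, and can only bound token entropy from the token's length and alphabet. The following is an added example written for this page, not the scanner's own logic or OWASP code. The two Set-Cookie values are constructed, not captured from a real application, and the alphabet-based entropy figure is an upper bound: a 64 hex character token that merely encodes a timestamp has far less real entropy, which only source review or statistical sampling would reveal.

```python
import math
import string

MIN_ENTROPY_BITS = 64
DIGITS = set(string.digits)
HEX = set(string.hexdigits.lower())
BASE64 = set(string.ascii_letters + string.digits + "+/-_")


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def entropy_upper_bound(token: str) -> float:
    """Best case entropy inferable from one sample: length times bits per symbol of
    the smallest standard alphabet the token fits in. Real entropy can only be lower."""
    body = token.rstrip("=")              # base64 padding carries no entropy
    lower = set(body.lower())
    if not lower:
        return 0.0
    if lower <= DIGITS:
        bits = math.log2(10)
    elif lower <= HEX:
        bits = 4.0
    elif set(body) <= BASE64:
        bits = 6.0
    else:
        bits = math.log2(len(set(body)))
    return len(body) * bits


def audit_session_cookie(header: str) -> list[str]:
    """Return findings against the session cookie requirements; empty means clean."""
    c = parse_set_cookie(header)
    a = c["attrs"]
    findings = []
    if "secure" not in a:
        findings.append("missing Secure attribute")
    if "httponly" not in a:
        findings.append("missing HttpOnly attribute")
    if a.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite absent or None")
    if not c["name"].startswith("__Host-"):
        findings.append("no __Host- prefix")
    elif "domain" in a or a.get("path") != "/" or "secure" not in a:
        # Browsers silently drop __Host- cookies that break these rules.
        findings.append("__Host- cookie must have Secure, Path=/ and no Domain")
    bits = entropy_upper_bound(c["value"])
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"token entropy upper bound {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    return findings


# Constructed examples (the STRONG value is just a 64 hex character string).
WEAK = "JSESSIONID=1700000000; Path=/"
STRONG = ("__Host-sid=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08; "
          "Path=/; Secure; HttpOnly; SameSite=Lax")

if __name__ == "__main__":
    for h in (WEAK, STRONG):
        print(h.split(";")[0], "->", audit_session_cookie(h) or "no findings")
```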
Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.
Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. (C7)
Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned. (C7)
Verify that access controls fail securely including when an exception occurs. (C10)
Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records.
Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality.
Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders.
Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. (C5)
Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (whitelisting). (C5)
Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). (C5)
Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content.
Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. (C5)
Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length.
Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection.
Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.
Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed.
Verify that the application protects against SSRF attacks by validating or sanitizing untrusted data and HTTP file metadata, such as filenames and URL input fields, and by using an allow list of protocols, domains, paths and ports.
Verify that the application sanitizes, disables, or sandboxes user-supplied SVG scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject.
Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar.
Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. (C4)
Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. (C4)
Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. (C3)
Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. (C3, C4)
Verify that the application protects against LDAP Injection vulnerabilities, or that specific security controls to prevent LDAP Injection have been implemented. (C4)
Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. (C4)
Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks.
Verify that the application protects against XPath injection or XML injection attacks. (C4)
Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. (C5)
Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XXE.
Verify that deserialization of untrusted data is avoided or is protected in both custom code and third-party libraries (such as JSON, XML and YAML parsers).
Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks.
Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers.
Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII.
Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.
Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data.
Verify that secured TLS is used for all client connectivity, and does not fall back to insecure or unencrypted protocols. (C8)
Verify using online or up to date TLS testing tools that only strong algorithms, ciphers, and protocols are enabled, with the strongest algorithms and ciphers set as preferred.
Verify that old versions of SSL and TLS protocols, algorithms, ciphers, and configuration are disabled, such as SSLv2, SSLv3, or TLS 1.0 and TLS 1.1. The latest version of TLS should be preferred.
Verify that the application employs integrity protections, such as code signing or sub-resource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet.
Verify that the application has protection from sub-domain takeovers if the application relies upon DNS entries or DNS sub-domains, such as expired domain names, out of date DNS pointers or CNAMEs, expired projects at public source code repos, or transient cloud APIs, serverless functions, or storage buckets (autogen-bucket-id.cloud.example.com) or similar. Protections can include ensuring that DNS names used by applications are regularly checked for expiry or change.
Verify the application will only process business logic flows for the same user in sequential step order and without skipping steps.
Verify the application will only process business logic flows with all steps being processed in realistic human time, i.e. transactions are not submitted too quickly.
Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis.
Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modelling or similar methodologies.
Verify that user-submitted filename metadata is not used directly with system or framework file and URL API to protect against path traversal.
Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI).
Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF.
Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename.
Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection.
Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions, preferably with strong validation.
Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content.
Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should be blocked unless required.
Verify that the web or application server is configured with a whitelist of resources or systems to which the server can send requests or load data/files from.
Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks.
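The file-handling requirements above come down to one rule: user-submitted filename metadata is never used directly with a filesystem or URL API. The following is an added example written for this page, not code from the scanner vendor or from OWASP. It assumes an upload directory `/srv/uploads` outside the web root and a small extension allow list, both constructed for the example. The client's filename contributes only its extension; the stored basename is random, so traversal sequences, Windows separators, double extensions and URL-shaped names all become harmless without any blacklist.

```python
import re
import secrets
from pathlib import Path

# Assumptions for this example: UPLOAD_ROOT is not served by the web tier, and
# only these extensions are accepted.
UPLOAD_ROOT = Path("/srv/uploads")
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf"}


class UnsafeFilename(ValueError):
    """Raised when user-supplied filename metadata cannot be used safely."""


def is_inside(root: Path, candidate: Path) -> bool:
    """True if candidate resolves to a location strictly below root.
    Works on non-existent paths: resolve() collapses '..' and follows symlinks."""
    return root.resolve() in candidate.resolve().parents


def storage_path_for(user_filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Choose where an upload is stored. The client's name supplies only an
    extension (checked against the allow list); the basename is random."""
    leaf = re.split(r"[\\/]", user_filename)[-1]   # drop directory parts, either separator
    if leaf in ("", ".", "..") or "\x00" in leaf:
        raise UnsafeFilename("empty, dot-only or NUL-containing name")
    ext = Path(leaf).suffix.lower()                 # 'evil.php.png' -> '.png'; harmless with a random basename
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension {ext!r} not allowed")
    stored = root / f"{secrets.token_hex(16)}{ext}"
    if not is_inside(root, stored):                 # defence in depth; cannot fail with a random basename
        raise UnsafeFilename("resolved path escaped the upload root")
    return stored


def is_rejected(user_filename: str) -> bool:
    """Convenience wrapper: True if the name is refused."""
    try:
        storage_path_for(user_filename)
        return False
    except UnsafeFilename:
        return True


if __name__ == "__main__":
    # The naive join the requirements warn against: the resolved path leaves the root.
    naive = UPLOAD_ROOT / "../../etc/passwd"
    print("naive join inside root?", is_inside(UPLOAD_ROOT, naive))
    for name in ("photo.PNG", "../../etc/passwd", "..\\..\\windows\\win.ini",
                 "shell.php", "evil.php.png", "http://attacker.example/x.png"):
        print(repr(name), "->", "rejected" if is_rejected(name) else storage_path_for(name).suffix)
```

Storing under a random name also removes the RFD and content-sniffing angles: the web tier never serves `/srv/uploads`, and when a file is later offered for download the `Content-Disposition` filename is set by the application, not copied from the upload.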
Verify that access to administration and management functions is limited to authorized administrators.
Verify API URLs do not expose sensitive information, such as the API key, session tokens etc.
Verify that enabled RESTful HTTP methods are a valid choice for the user or action, such as preventing normal users using DELETE or PUT on protected API or resources.
Verify that JSON schema validation is in place and verified before accepting input.
Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: triple or double submit cookie pattern (see references), CSRF nonces, or ORIGIN request header checks.
Verify that XSD schema validation takes place to ensure a properly formed XML document, followed by validation of each input field before any processing of that data takes place.
Verify that all components are up to date, preferably using a dependency checker during build or compile time. (C2)
Verify that all unneeded features, documentation, samples, configurations are removed, such as sample applications, platform documentation, and default or example users.
Verify that web or application server and framework error messages are configured to deliver user actionable, customized responses to eliminate any unintended security disclosures.
Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures.
Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components.
Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1).
Verify that all API responses contain Content-Disposition: attachment; filename="api.json" (or other appropriate filename for the content type).
Verify that all responses contain X-Content-Type-Options: nosniff.
Verify that HTTP Strict Transport Security headers are included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubDomains.
Verify that a suitable "Referrer-Policy" header is included, such as "no-referrer" or "same-origin".
Verify that a suitable X-Frame-Options or Content-Security-Policy: frame-ancestors header is in use for sites where content should not be embedded in a third-party site.
Verify that the application server only accepts the HTTP methods in use by the application or API, including pre-flight OPTIONS.
Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker.
Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the "null" origin.
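The response-header requirements above are the part of ASVS a black-box scanner can check exhaustively, since every one of them is visible in a single response. The following is an added example written for this page, not the scanner's own rules or OWASP code. The two header sets are constructed, not captured from a real server. Two thresholds are assumptions: the `max-age` example value quoted above is used as the HSTS floor, and the accepted Referrer-Policy values are the two examples above plus the `strict-origin` variants, which also never send the full URL cross-origin.

```python
import re

SAFE_CHARSETS = {"utf-8", "iso-8859-1"}
ACCEPTABLE_REFERRER_POLICIES = {"no-referrer", "same-origin",
                                "strict-origin", "strict-origin-when-cross-origin"}
MIN_HSTS_MAX_AGE = 15724800          # the example value above (~6 months), assumed as the floor
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_response_headers(headers, *, is_api=False, allowed_origins=frozenset()):
    """Return findings for one HTTP response; headers is a name -> value mapping."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    charset = re.search(r"charset=([\w-]+)", h.get("content-type", ""), re.I)
    if not charset or charset.group(1).lower() not in SAFE_CHARSETS:
        findings.append("Content-Type lacks a safe charset")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < MIN_HSTS_MAX_AGE or "includesubdomains" not in hsts:
        findings.append("HSTS missing, too short, or without includeSubDomains")

    if h.get("referrer-policy", "").strip().lower() not in ACCEPTABLE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or permissive")

    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors")

    # Content-Disposition: attachment stops a browser rendering API output as HTML.
    if is_api and not h.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("API response without Content-Disposition: attachment")

    for name in VERSION_HEADERS:
        if re.search(r"\d+\.\d+", h.get(name, "")):
            findings.append(f"{name} discloses a component version: {h[name]}")

    acao = h.get("access-control-allow-origin")
    if acao is not None:
        origin = acao.strip()
        if origin.lower() in ("*", "null") or origin not in allowed_origins:
            findings.append(f"Access-Control-Allow-Origin not on the trusted list: {origin}")
    return findings


# Constructed sample responses, not captured from any real server.
GOOD_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=15724800; includeSubDomains",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Content-Disposition": 'attachment; filename="api.json"',
    "Server": "nginx",
    "Access-Control-Allow-Origin": "https://app.example.com",
}
BAD_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Access-Control-Allow-Origin": "null",
}
TRUSTED_ORIGINS = {"https://app.example.com"}

if __name__ == "__main__":
    print("good:", audit_response_headers(GOOD_HEADERS, is_api=True, allowed_origins=TRUSTED_ORIGINS))
    for f in audit_response_headers(BAD_HEADERS, allowed_origins=TRUSTED_ORIGINS):
        print("bad:", f)
```

Header names are compared case-insensitively, as HTTP requires, and a wildcard `Access-Control-Allow-Origin` is reported even though browsers refuse to pair it with credentials, because the requirement asks for a strict list rather than for whatever the browser happens to tolerate.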
■Simple Network Scan
TCP (0-65535) / UDP (major ports) port state survey
Software detection and version detection
Service configuration flaw inspection (e.g. Telnet, FTP, SMTP)
Default account detection
Missing authentication inspection
■SSL/TLS Encryption Strength Inspection
Inspection for compromised cryptographic algorithms (protocol versions and cipher suites known to be broken or weak)
*Final confirmation date: January 28, 2022
The TLS cipher suites checked are referenced against the TLS Cipher Suite Registry maintained by the Internet Assigned Numbers Authority (IANA).
[List of cipher suites]