Vendor Security Assessment Questionnaire

Load answers from file:

Web Application Security Questionnaire🔗

Application🔗

Application Metadata🔗

The name of the application:

A brief description:

What frameworks (if any) does this application require?

Vulnerability Reporting and Management🔗

Because no system is entirely free of security issues, it's important to provide ways for external users to offer input and report vulnerabilities.

Do you have an easily discoverable way for external researchers to report security vulnerabilities in your systems?

Yes, we have a published security email contact, or we provide another way for users to report security issues. Incoming reports are timely reviewed and triaged.

No, we do not currently offer a way to report security vulnerabilities for priority handling.

Warning — possible medium-risk issue

Make it easy for others to let you know about security issues in your products. That way you'll learn about vulnerabilities earlier and can respond to them quickly. Also, without an easy way to report issues directly to you, external researchers might publish issues widely instead.

If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below. If you're working to address this issue, include an estimate of when it will be resolved:

HTTPS and Mixed-Content Risks🔗

Select the option that best describes your web application:

The web application is reachable exclusively over HTTPS. Even if the user manually edits the URL to start with http://, it won't work or it will redirect to https://.

The web application is flexible — users can reach it over HTTP or over HTTPS.

The web application supports HTTP only, and can't be reached over HTTPS even if you edit the URL.

Warning — possible high-risk issue

It's often extremely easy for attackers to eavesdrop on packets transmitted between users and web applications (for example, on public Wi-Fi networks). To avoid exposing sensitive data in transit, any application that allows users to log in — or contains anything but public data — should be available solely over HTTPS. It's also fine to use a web server that listens on port 80 (plain HTTP) and redirects users to the SSL version; this method can make it easier for users to access the application.

If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below.

Configuring SSL/TLS🔗

Have you recently reviewed your SSL configuration to ensure that only secure protocols and ciphers are offered to clients?

Yes, we regularly review the cipher suite advertised by the server and the protocols it uses.

We're not sure whether our SSL/TLS configuration is secure.

Tip

Detailed guidance on SSL/TLS and cipher suites is beyond the scope of this questionnaire. A very good and well-maintained resource is Mozilla's SSL/TLS configuration wiki page, which gives up-to-date recommendations for the most common use cases. Another good resource for reviewing the security of your SSL/TLS server is SSL Labs' server test.

Does your server offer forward secrecy for clients that support it?

Yes, the server supports ECDHE and DHE ciphers that offer forward secrecy.

No, no ciphers providing forward secrecy are enabled.

Tip

In ciphers that support forward secrecy, an ephemeral key is negotiated for each connection, using the Diffie-Hellman algorithm. This key is used for a limited period of time, after which it is "forgotten." Even if the private SSL key is later compromised, an attacker who recorded conversations between the server and clients won't be able to decrypt those conversations without also breaking the associated ephemeral keys. Enabling ciphers that offer forward secrecy can protect your users against future disclosure of the information transmitted between them and your server.

Are your SSL/TLS private keys appropriately protected on your web servers?

Yes, we have taken all necessary steps to protect our private keys.

I'm not sure how well protected they are.

Tip

Make sure private SSL/TLS keys are, at a minimum, protected through file system permissions. It's important to make sure the user account that's used to serve web pages does not have access; otherwise, a vulnerability in the web app could easily lead to a compromise of the keys. If you are using an SSL certificate with a wildcard CN (e.g., *.example.net), ensure that the private key is well protected on all the servers it resides on (not just your most important server).

Where is the SSL connection between the user and your application terminated?

At the application server

At the load balancer

Somewhere else

Provide more details on the termination point:

How is traffic between the load balancer and the application servers protected?

Traffic is encrypted and certificates between load balancer and application servers are validated.

Traffic is unencrypted, but all networks transited between load balancers and application servers are owned and exclusively used by us.

Traffic is unencrypted, and traffic has to transit through networks not owned and exclusively used by us.

Through other means.

Tip

Because user traffic appears to transit networks behind your load balancer that are not fully owned and operated by you, we strongly recommend that you establish another SSL/TLS connection between the load balancer and the servers that actually serve the application. Otherwise, an attacker who can listen in on the traffic behind your load balancers will be able to see unencrypted user data.

Describe how the traffic is protected:

Applications served over SSL may still be vulnerable to attacks if resources (often JavaScript, style sheets, or other active content) are included over plain HTTP. This defeats the purpose of SSL, because the active content loaded through plain HTTP will have access to the DOM of content protected by SSL. Make sure no resources are included from plain HTTP sites. Typically, browsers will help identify cases where resources from non-SSL sites are included, by displaying mixed content warnings.

To avoid these issues, do you have checks in place to ensure that all references to resources either point to SSL or are protocol-relative?

Yes, we are very careful and have specific controls in place to prevent mixed-content issues.

It wouldn't be too difficult for something to fall through the cracks and introduce mixed-content bugs.

Warning — possible medium-risk issue

Mixed content is a big deal, and it's becoming more problematic as an increasing number of users roam on public Wi-Fi and other insecure networks. We recommend cleaning up your codebase to avoid this kind of issue, and establishing procedures to help guard against new instances.

If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below.

To improve security for your users even further, have you deployed HTTP Strict Transport Security (HSTS) on your server?

Yes, we have HSTS configured with a max-age value of at least 6 months.

No, we don't use HTTP Strict Transport Security, or we have a short max-age configured.

Warning — possible high-risk issue

Strict Transport Security is an HTTP response header that tells clients to initiate connections over HTTPS only. This defense-in-depth mechanism helps mitigate certain issues, such as the accidental inclusion of (or linking to) resources over plain HTTP. In HSTS, the header must be configured with a 'max-age' value; this tells clients how long to honor the directive.

Sensitive web applications should enable HSTS to ensure that users are always protected by SSL/TLS. For this protection to be effective, the max-age value should be in the 6+ months range.

If your application supports authentication, are authentication cookies marked with the secure attribute?

Yes, the authentication cookies are marked secure.

I'm not sure whether the application does that.

Warning — possible medium-risk issue

Unless a cookie has the secure attribute set, the browser will add the cookie to plain-text HTTP requests, even if the application is SSL-only. A man-in-the-middle attack can use this vulnerability to steal authentication cookies.

If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below.

Authentication and Authorization🔗

Basic Information🔗

To get started, tell us a little about your application so we can ask you the right questions.

Our application requires regular users to log in. Most features aren't available without logging in.

In addition to an interface for regular users, our application provides an administration interface.

Our application features complex user management. Various roles can be assigned to user accounts.

Briefly describe the different roles your application provides. If your application also offers custom role definitions, be sure to mention that.

Is your application integrated with any of the following single sign-on (SSO) mechanisms?

SAML 2.0

OpenID Connect / OAuth2 Login

OpenID 2.0

LDAP / Active Directory

Other

None of the above

What other SSO mechanisms does the application support?

Warning — possible high-risk issue

OpenID 2.0 has been replaced by OpenID Connect (also called OAuth2 Login). We recommend updating your application's SSO integration to support OpenID Connect.

Warning — possible high-risk issue

Integrating with LDAP and/or Active Directory has a significant downside: any application that integrates with it has to receive the user's SSO password. As a result, a vulnerability in any integrated application puts the password at risk for all other applications. We recommend using an SSO mechanism that does not require the password to be sent anywhere other than a central authentication system.

OAuth2 Login🔗

Implementing OAuth2 Login / OpenID Connect from scratch is fairly complex and error-prone, and mistakes can result in security vulnerabilities. Select the option that best describes your implementation:

Very secure: We're using a standard OAuth2 library, and we update it when security fixes are released.

Secure: We implemented OAuth2 on our own, but our employees are experts and we're convinced that it is implemented securely.

Not sure: We implemented OAuth2 on our own, and it seemed simple at the time. I'm not sure about the security of our implementation.

Tip

If your employees really are OAuth2 experts, you're probably fine. But note that even standard libraries have had vulnerabilities due to the intricacies of the standard. Be sure to ask your penetration testing provider to take a look at the OAuth2 implementation.

Warning — possible high-risk issue

Implementing OAuth2 on your own is extremely dangerous. Even the experts on the OAuth2 standards panel concluded that the only way to securely implement it is through a well-known and well-tested library. Some of these libraries are very easy to use (e.g., the Google Identity Toolkit), so replacing your custom implementation should be feasible.

Does any part of the application employ username/password-based authentication?

Yes

No, all authentication is based on single sign-on (SSO).

Username/Password Authentication🔗

What username/password-based logins does the application use? For example, if there's a separate administrator authentication, mention that.

Does your application allow users to change their passwords?

Yes

Warning — possible high-risk issue

Allowing users to change their passwords is important. A user might be recovering from a compromise, or might have accidentally typed the password elsewhere.

Does the application enforce minimum password security requirements (e.g., a certain length, character classes, etc.)?

Yes

Warning — possible medium-risk issue

Please help protect users from themselves by enforcing certain minimum password requirements. It's up to you to determine the details of these requirements, but they should account for the sensitivity of the information and should conform to industry standards.

Password Storage🔗

How does the application store passwords?

In plain text (unencrypted)

Using reversible encryption (e.g., DES, 3DES, AES, etc.).

Using a secure cryptographic one-way hash function (such as SHA-256) of the password, without the use of a salt

Using a secure cryptographic one-way hash function (such as SHA-256) of the salted password

Using a dedicated password-based key derivation function, such as bcrypt, PBKDF2 or scrypt

None of the above

Explain how your application stores passwords:

Warning — possible critical-risk issue

Passwords should be stored in such a way that the original passwords cannot be easily recovered, even if an attacker manages to get access to the storage location (e.g., through a SQL injection vulnerability). At a minimum, passwords should be secured using a cryptographic one-way hash function and a salt. We strongly recommended using password-based key derivation function like bcrypt PBKDF2 or scrypt instead; they were specifically designed for this use case and make it significantly harder for attackers to crack password hashes.

Setting an Initial Password🔗

How do users get their initial passwords?

Users self-register and set their passwords online directly within the application.

The initial password or a link to set the initial password is sent to users by email.

The initial password is provided in a (physical) letter sent to a verified address.

None of the above.

Explain how users get their initial passwords:

When the user gets their initial password, will their account be prepopulated with any confidential information? For example, in an online payroll portal, a user can typically access previous pay statements even when the account is brand new.

Yes, when users log in for the first time, confidential information will already be present.

No, at the initial login, no confidential information will be available to the user.

Warning — possible high-risk issue

When users self-register for prepopulated accounts, some initial authentication of the user should be performed. Otherwise, arbitrary users could gain access to the prepopulated information. The type of authentication depends on the sensitivity of the prepopulated information. Commonly requested information — like the last four digits of the social security number, a home address, or an employee ID — is rarely secret enough to be used for authentication

Explain how users are identified and authenticated when they self-register in the application:

Tip

If passwords are sent by email, make sure users are required to change their initial passwords when they first log in.

Account Recovery🔗

Sometimes, passwords are simply forgotten — it happens to the best of us. How does your application deal with users who can no longer access their accounts?

The user is asked questions that were set up when the account was created.

A password reset link is sent via email to the user's registered email address.

A new password is sent via email to the user's registered email address.

None of the above.

Describe your password recovery mechanism:

Warning — possible high-risk issue

Recovery questions alone should not be sufficient for resetting a password. The answers to these questions are often not as secret as they might seem; in particular, friends and family can often easily guess the answers.

If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below:

Warning — possible medium-risk issue

Sending passwords by email is rarely a good idea. Email is generally unencrypted, so it should not be used for sensitive information. Instead, we recommend sending a token that can be used to set the actual password. Although an attacker with the token could still reset the password, the user would at least become aware of the reset when they later attempted to log in.

If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below:

Authentication Cookies and Sessions🔗

Cookies can be decorated with a special keyword, HttpOnly. If this keyword is set, the browser will not allow JavaScript to access the cookie. Even if the application has a cross-site scripting vulnerability, this keyword makes it much harder for an attacker to steal the session cookie.

The HttpOnly keyword is set for all our authentication cookies.

Our application does not make use of this defense-in-depth mechanism.

Warning — possible medium-risk issue

Setting the HttpOnly attribute is a very simple defense-in-depth mechanism. We highly recommended making use of it.

If there are specific reasons why this is not possible in your case please explain below:

Session IDs can be constructed in many ways. Select the methods used in your application:

The web application framework we use has a built-in session ID mechanism.

Our session IDs are randomly generated strings or numbers.

We store a signed token as a cookie to indicate that the user is successfully logged in.

We use some other mechanism.

Describe the mechanism you're using:

What's the name of the framework that generates your session IDs?

Do sessions automatically time out after a specified period of inactivity?

Yes

Warning — possible medium-risk issue

If you don't specify a session timeout, an attacker who has stolen a session ID once will have a permanent back door to the application. Be sure to implement a timeout — even if it's fairly long, it's still better than no timeout at all).

How long is the session timeout?

Does the application use a secure cryptographic pseudo random number generator (PRNG) to generate session IDs? The PRNG should not allow the state of the generator to be recalculated from its output, and the entropy of the session ID should be sufficient to make brute-forcing infeasible.

Yes, we use a PRNG that meets these criteria.

No, we don't use a PRNG, or our PRNG doesn't meet these criteria.

Warning — possible high-risk issue

If you're not using a cryptographic PRNG, an attacker can recalculate the state of the generator in order to guess subsequent session IDs and steal those users' sessions. Many programming languages already have a secure PRNG built in (e.g., Java has java.security.SecureRandom; C# has System.Security.Cryptography.RNGCryptoServiceProvider; Python has os.urandom), and in most cases it is as easy to use as a less secure option.

Does your application offer a "log out" button or link that, when clicked, not only terminates the session (deletes cookies from the client) but also invalidates the entire session ID?

Yes

Warning — possible medium-risk issue

Unless sessions are invalidated on logout, an attacker who has stolen a session ID will have access to the user's data until the session expires. Make sure all logout actions invalidate the session ID.

Authorization🔗

In most applications, certain information should only be accessible to certain users. For example, in most applications that require authentication, only the currently logged-in user should be able to change master data (such as the username, the associated email address, or the account password). When an application has data that should not be available to other users or should be restricted to certain roles, authorization must be enforced on the server side.

Horizontal Access Control: Horizontal access control refers to isolation between users of the same role. For example, consider an application that allows users to access their payroll statements. The application must ensure that a user cannot access another user's statements; i.e., if the user's statement for the month of May is found at statement.html?id=8372&month=5, it shouldn't be possible to see someone else's pay stub simply by loading statement.html?id=8373&month=5.

Our application enforces these restrictions on the server side. We have processes in place to make sure nothing slips through the cracks.

It's possible that we missed checks like this in a few places.

Warning — possible high-risk issue

Applications must have controls in place that help protect all data from unauthorized access. We recommend that you thoroughly audit your code for vulnerabilities resulting from inadequate access control.

Vertical Access Control: When an application supports multiple roles, users should not be able to gain privileges or perform unauthorized actions by loading pages or features that should only be available to users in a different role. Throughout your application, have you ensured that users can perform only those actions that are appropriate for their roles?

Our application enforces these restrictions on the server side. We have processes in place to make sure nothing slips through the cracks.

It's possible that we missed checks like this in a few places.

Warning — possible high-risk issue

Applications must have controls in place that protect all functionality from unauthorized access. We recommend that you thoroughly audit your code for vulnerabilities resulting from inadequate access control.

Authorization-Related Web Vulnerabilities🔗

Cross Site Request Forgery🔗

Applications must protect all state-changing actions against cross-site request forgery (XSRF). In this attack, a malicious user forces the victim to send a request to the application, for example by luring the user to a page under the attacker's control. Because the browser automatically attaches available authentication cookies, the request will appear to be authorized if the user is logged in to the application.

For example, consider an online banking application that allows users to transfer money to another account. The URL for transfers might look something like this:

https://www.example.com/bank-transfer.html?dest_account=123456&amount=99.90&submit=true

If an attacker manages to lure the victim to a malicious site, the site could include HTML that causes such a request to be sent:

<img src="https://www.example.com/bank-transfer.html?dest_account=666&amount=99.90& submit=true">

If the user is logged in to the online banking portal, the application will receive that request and check for authentication cookies — which will be present, since the request was sent from the authorized user's browser.

Does your application protect all state-changing actions against XSRF?

Yes, all state-changing actions are protected. We have a way to ensure that no actions are missed (such as enforcing XSRF-token checks in a central place).

Some actions might not be protected against XSRF.

Warning — possible high-risk issue

Web applications used to process private or confidential information should protect against XSRF. We recommend that you thoroughly audit your code for XSRF vulnerabilities, and put procedures in place so that future code is also protected.

What strategy do you use to protect against XSRF?

We protect requests that change the state with tokens that are bound to the user they were generated for, and that expire after a certain amount of time.

We use a custom fixed header that we add to requests.

The application does one of the following: verifies the referrer header; requires all state-changing actions to be POST requests; employs another mechanism to protect against XSRF.

Tip

Various browser plugins (such as Flash and Java) have had security vulnerabilities that allowed an attacker to set arbitrary custom headers on cross-domain requests. We highly recommend the use of tokens instead of headers.

Warning — possible high-risk issue

Unfortunately, using POST requests does not protect against XSRF. Attackers can perform cross-domain POST requests by submitting a form with the appropriate action parameter, via JavaScript. Referrer checks are similarly ineffective because attackers can get around them through open redirects.

If you are using an alternative, effective method to protect against XSRF, describe it:

Cross-Site Script Inclusion🔗

Many web applications use AJAX to exchange data in the background, using a syntax that can be automatically interpreted as JavaScript by the user's browser. Unfortunately, this leads to cross-site script inclusion (XSSI) vulnerabilities: the JavaScript can be included from a different origin, and any variables set at the other origin can be read.

For example, consider a contact management application that transmits the user's contacts in a JSON file (contacts.js):

var contacts = {"name": "John Doe", "address": "jdoe@example.com", ... }

An attacker can include the following script from their own site, so that when the user visits the attacker's site while logged in to the contact management application, the attacker can read the variable contacts and get access to all of the victim's contact information.

<script src="http://www.example.com/contacts.js"></script>

Do either of the following statements describe your application?

Our application makes use of JSONP.

Our application uses another format that sets variables or calls functions with non-public information.

Your application may be affected by XSSI, unless you specifically protect against this kind of attack.

We use one of the following mechanisms to protect against this kind of attack:

protect transmission of such data with an unguessable, unpredictable token (this token must fulfill the same requirements as those described for XSRF tokens above).
require POST requests, so the data cannot be included in <script> tags.

It's possible that part of our web application is vulnerable to XSSI.

Warning — possible high-risk issue

Web applications that transmit private information must be protected against XSSI, to prevent attackers from stealing the private data.

If you are using an alternative, effective method to protect against XSSI, describe it:

Clickjacking🔗

Depending on the nature of your application and the actions that can be taken in it, you may need to protect against clickjacking.

If you don't typically need to frame web pages, your application should use the X-Frame-Options response header to tell the browser not to render any page that's framed from a different origin:

X-Frame-Options: SAMEORIGIN

Our application employs protections against clickjacking (such as using the X-Frame-Options header).

Our application does not have such protections.

Tip

Clickjacking is difficult to address. But in high-risk applications, clickjacking protection is essential.

Explain why you consider clickjacking protection unnecessary:

Common Web Vulnerabilities🔗

Certain features can result in security issues, if used incorrectly. To help us identify potential issues, select the statements that describe your application:

The application uses a database back end, or any other persistence back end that can be queried with SQL or a related language (e.g., GQL, FQL, SOQL, etc.).

The application requires a plugin, such as Java, Flash, Silverlight, etc.

The application has a file upload feature.

The application loads active content, such as scripts, applets, or style sheets, from third-party servers (i.e., any server that is not under your direct control).

The application processes or manipulates user-provided XML.

The application uses cryptography to encrypt data or protect its integrity.

Warning — possible medium-risk issue

Loading content from other sites is dangerous under certain circumstances; security issues in the other sites might also affect the security of your application. Scripts, for example, have full access to the DOM of the site on which they're included — so if one of the servers that hosts your third-party JavaScript gets compromised, the attacker also gains access to all of your users' data, simply by injecting a bit of code.

Unless you trust the third party completely (not only to not do something malicious, but also to be secure enough to adequately protect their infrastructure against attackers), it's best not to load scripts or style sheets (e.g., via <script src=...> or <style src=...>) from third-party sites.

Similarly (although to a lesser extent), directly embedding videos, frames, or images (including advertisements, tracking pixels, etc.) from third-party sources can be dangerous. Loading such a resource can leak information to the site it's loaded from (e.g., through the referrer). This can be a privacy issue as well as a security issue.

If your application loads third-party content, describe your threat model:

Warning — possible medium-risk issue

Dealing with user-provided and untrusted XML may make your application vulnerable to attacks. For example, the expat XML parser (written in C) has been found vulnerable to buffer overflow attacks. Even if you use a secure parser (or run it in a sandbox), things that can go wrong.

Various attacks rely on the attacker's ability to specify XML entities. Entities are "codes" (such as ") that are translated into defined strings by the parser. HTML has a predefined set of entities, but in XML, entities can be specified arbitrarily. An entity specification usually looks like this:

<!ENTITY ent "Hello!">

With this definition, whenever the parser comes across &ent;, it will replace it with Hello!. Entities are usually defined in the document type, which can be provided in a separate file or in the <!DOCTYPE> section at the beginning of an XML document.Entities are used in a variety of XML-related attacks. For example, they can be used for something called the billion laughs attack, where an entity resolves to other entities, which resolve to other entities, etc., causing high memory usage and essentially resulting in a denial-of-service attack.

Even more serious is an attack using external entities. Definitions of external entities look similar to regular entity definitions, but they reference local files or URLs. Unless the XML parser has been specifically instructed not to expand external entities, a definition like <!ENTITY etc SYSTEM "file:///etc/passwd"> would include the /etc/passwd file where the entity &etc; occurs in the XML document, leading to the disclosure of files as well as internal URLs.It's very important to restrict entity specification in user-provided or untrusted XML. Make sure your parser is adequately configured.

Cross-Site Scripting🔗

Cross-site scripting (or XSS for short) occurs when an application redisplays insufficiently sanitized user input in the context of the application's origin (as defined by the same-origin policy). If the user input contains certain kinds of scripting code, it may read or alter the DOM of the current page when redisplayed. In many cases, XSS is used to steal users' cookies or other application-related data, but it may also be used for phishing attacks, or even to deface the web page. Unfortunately, XSS is one of the most common security issues in web applications, and due to browser quirks and other factors, quite hard to protect against. Select the statements that describe your strategy:

We use a templating system that automatically escapes all user input before redisplaying it.

Our application has a central choke point where all user input is validated and escaped, depending on the context in which it will be interpreted.

Some of the pages (or all of them) escape user input.

We are using some other technique to protect against XSS.

Part of the application deals with user-provided HTML that is sanitized and re-displayed to the user.

Warning

You didn't select a strategy for protecting against cross-site scripting.

Explain why:

Tip

Using a templating system to escape user input is a good way to protect against XSS. But be careful with directives that disable automatic escaping, and watch for the direct display of user input (for example, in error messages). Additionally, be aware of the context in which user input is used in templates. Not all templating systems automatically understand that different escaping may be required, depending on where in the application the user input is displayed. For example, many templating systems would not correctly escape a construct such as >a href="{{ user_input }}"<, where a user could supply javascript:alert(/xss/) as user_input. We recommend using a context-sensitive templating system.

Tip

A central choke point for validating and escaping user input is generally a good way to protect against XSS. But make sure your application identifies the context in which the user input is being used; otherwise, it might still be possible to smuggle in JavaScript through user input. You might also want to consider using a context-sensitive templating system, to address this issue automatically.

Warning — possible medium-risk issue

Escaping user input on each page individually is a fairly dangerous strategy: it's very easy to miss something. We recommend using a templating system that automatically escapes user input, ideally in a context-sensitive fashion. Some examples are listed below. Note that not all of these are context-sensitive, so you may still need to do manual escaping (or explicitly tag a variable in the template) when the context is something other than HTML.

Django (Python)
Google CTemplates (C++)
Jsilver (Java)
Closure/Soy (Javascript, Java)
JQuery (JavaScript)
Smarty (PHP)

Describe your strategy for protecting against XSS vulnerabilities:

Warning — possible medium-risk issue

Unfortunately, due to error-correcting behavior and browser quirks, getting HTML sanitization right is very difficult. The sanitization code has to build an in-memory representation of the DOM, and then serialize that to a known-safe format. Some libraries do this correctly, so we highly recommended using a well-tested library.

Describe how your application deals with HTML sanitization:

In addition to applying the strategies you've identified, does the application set a valid and appropriate content type and character set for each page (in the Content-Type HTTP header)?

Yes, we take great care to set this, knowing that otherwise we might be introducing XSS vulnerabilities.

I'm not sure all pages set an appropriate content type.

Warning — possible medium-risk issue

Not setting both a content type and a character set often leads to cross-site scripting vulnerabilities. For example, if the application outputs JSON but sets the content type to text/html, this might result in XSS because JavaScript/JSON escaping is different from HTML escaping. We recommend that you thoroughly audit your code for pages that don't set the content type correctly.

Earlier, you noted that the application has a file upload feature. Does the application allow other users (or administrators) to access the files that are uploaded?

Yes, this is a feature of our application.

No; uploaded files are processed but can't be downloaded again.

Warning — possible medium-risk issue

Hosting and serving user-provided content is almost guaranteed to introduce XSS vulnerabilities. Because of various browser quirks, countermeasures (such as setting a Content-Disposition: attachment header) do not provide full protection. We recommend serving user-provided content on a domain separate from all domains that have authentication cookies. However, this approach introduces another problem, if access to the content is intended to be authenticated. You can solve this by using short-lived random tokens, or by serving each document from a separate domain. If you use the latter approach, each domain should have a unique set of authentication cookies, valid only for the one document that's served from the domain.

Describe your strategy for protecting against XSS vulnerabilities introduced by serving user-provided content:

Some XSS vulnerabilities work exclusively on the client side, in an application's scripting code. This kind of XSS is commonly referred to as DOM-based XSS. Because server-side escaping of user input does not protect against DOM-based XSS, you need a strategy for dealing with client-side scripting code that handles user input, as well as parts of the DOM that may contain user input (such as document.location).

We know about DOM-based XSS, and we take specific steps to protect against this kind of vulnerability.

It may be possible that something slipped through the cracks and our application has DOM-based XSS vulnerabilities.

Warning — possible medium-risk issue

We recommend that you thoroughly audit your code for DOM-based XSS vulnerabilities, and put procedures in place so that future code is also protected.

Persistence Back Ends and Querying🔗

Because your application uses a database or a similar back end to persist data, we need to make sure it's not vulnerable to injection attacks, such as SQL injection.

An application is vulnerable to SQL injection when some portion of user input is interpreted by the database as part of a query. When this occurs, an attacker may be able to read or even write data directly from or to the database.

Our application uses an object-relational mapping (ORM) framework. When we need to manually construct queries or conditions, we use one of the mechanisms selected below:

We use prepared statements and let the framework take care of correctly escaping the user input.

We pass user input to the database via stored procedures.

We manually escape user input whenever we need to use it in a database query.

We do something else.

Describe the other mechanism you're using to protect against SQL injection:

Tip

Using an ORM layer is generally a good way to protect against SQL injection. However, in most ORM frameworks, it's possible to directly specify parts of the SQL query. Some ORM frameworks also have a special querying language that makes it possible to set the WHERE part of the statement. In these cases, you still need to be sure to guard against injection vulnerabilities.

What ORM framework are you using?

Tip

Using stored procedures is generally a good way to protect against SQL injection. But this strategy must be used consistently. Make sure neither the stored procedures themselves nor the calls of the stored procedures are vulnerable to injection attacks.

Do you take special steps (policies, code reviews, audits, etc.) to ensure that prepared statements are used consistently, and that string concatenation is never used to construct database queries?

Yes, we have all or most of these measures in place, and we're very confident that there are no SQL injection vulnerabilities in our code.

We try to make our developers use prepared statements, but it may be possible for some string concatenation to slip through.

Warning — possible medium-risk issue

Manually escaping SQL (or related) queries is error-prone and very difficult to do consistently. Here are a couple of examples:

PHP provides the function mysql_escape_string for escaping user input that will be used in a database query. Unfortunately, that function does not take into account the character set of the connection, so it may still be possible to smuggle in user input that will be interpreted as part of the SQL query. Applications should use mysql_real_escape_string instead.
In SQL, numbers do not need to be surrounded with quotation marks when used in a statement. For example, SELECT username WHERE id=123 is perfectly valid. But if user-provided input that will be used as a number is not confirmed to be actually numeric, the resulting code will be vulnerable to SQL injection (even if the input is escaped).

We highly recommend using something like prepared statements, or using an ORM layer consistently throughout the application. Make sure you have procedures in place to enforce your approach (such as static tests when code is checked into the repository).

Browser Plugins🔗

You mentioned that your application requires certain browser plugins to work correctly. Which of the following plugins are required?

Java

Flash

Silverlight

Other

What other plugins are required by your application?

Explain what the plugin is used for, what technology it uses (e.g., ActiveX, NPAPI, Chrome plugin, etc.), how it is usually deployed to your users, and what privileges it requires:

Warning — possible medium-risk issue

Enabling Java in the browser exposes users to a variety of security issues. We strongly discourage requiring Java.

Is Java absolutely necessary for your application to function correctly? Are there any workarounds?

Warning — possible high-risk issue

In most cases, custom plugins are considered a security risk. Plugins can operate outside of the usual constraints (such as a same-origin policy, sandboxing, etc.) and can introduce security vulnerabilities that affect the entire browser. It's also often difficult to deploy and centrally manage them. We strongly discourage using custom plugins.

If you have compensating controls in place or feel that this issue does not constitute a risk in your specific circumstances, please explain below:

File Uploads🔗

You mentioned previously that your application allows users to upload files. Where does the application store those files?

On the file system

In a database

Somewhere else

Explain where the uploaded files are stored:

Warning — possible medium-risk issue

Storing uploaded files on the file system can be dangerous. Here are a few issues that can occur:

Path traversal: The names of uploaded files must be carefully sanitized to prevent attackers from uploading files with paths in the name, such as ../../../../some_existing_file.html. Files like these can end up in the wrong directory.
Null bytes: The names of uploaded files must be examined for null bytes, which can cause file names to be truncated (e.g., a file called evilfile.exe[0x00].gif might become evilfile.exe when stored on disk).
Interpretation: Files on the file system are much more likely to end up being interpreted. For example, if an attacker manages to store an uploaded file somewhere underneath the web root and names it evilfile.php, it might be executed as PHP code by the web server.

To prevent issues like these, store user-uploaded content in a database instead. If your application stores files on the file system, be sure to implement careful handling, validation, and sanitization of uploaded files.

In most cases, file type restrictions should be in place for uploads. What types of files does your application white-list?

How does the application enforce these file type restrictions?

We verify the file type by checking the file extension on the server side.

We look at the content type that is sent by the user.

We decode and re-encode the file, storing only the result.

We employ another method to verify the file type.

Explain how you verify the file type and enforce the whitelist:

Warning — possible medium-risk issue

Some web servers are configured by default to allow double file extensions. For example, if a user uploads a file called malicious.php.gif, it might actually be executed as PHP code upon retrieval. Because you store uploaded files on the file system, this issue may affect your application. Make sure your web server uses only the last extension (i.e., the part after the right-most dot in the file name) when determining how to process the file.

Warning — possible medium-risk issue

Re-encoding files uploaded by users is usually a very good approach. However, note that because the decoding and re-encoding works on untrusted user input (and because parsing is difficult and error-prone), it's best to perform these operations in a sandbox. That way, even if an attacker successfully exploits a vulnerability in the parser, the effects would be constrained to the sandboxed environment. Various sandboxing APIs are available, such as the Seccomp library for Linux.

You could also run the decoder/encoder on an isolated virtual machine that's regularly reset to a predefined state. Note, however, that a successful attacker would still be able to observe all incoming and outgoing files, unless the reset happens after each individual file operation.

Even with a sandboxed encoder, some attacker-provided content may survive the re-encoding. For example, in images, the EXIF metadata may be left intact. If this occurs and the content type is incorrectly set (or browser content-sniffing behavior kicks in), cross-site scripting vulnerabilities can result.

Describe the steps you're taking to protect against vulnerabilities in the decoding and parsing code:

Warning — possible high-risk issue

Unfortunately, verifying the content type of uploaded files is generally not sufficient for enforcing a whitelist. Because the content type is a field in the HTTP request sent by the user, it can be arbitrarily set by an attacker (for example, by using an interception proxy). At a minimum, the application should also verify the extension at the very end of the file name and check it against the whitelist.

Use of Cryptography🔗

You previously mentioned that your application uses cryptography to ensure the confidentiality and/or integrity of information. That's great! But we want to make sure you're using cryptography correctly.

Note: when using cryptography, make sure algorithms are used in the right context and within appropriate constraints. For example, encrypting a session ID does not prevent an attacker from manipulating it. Similarly, a signature does not protect a message's confidentiality.

Describe your use of cryptography (what information is encrypted/signed, how, why, what algorithms are used, etc.). Be as specific and precise as possible:

Testing, QA, and Monitoring🔗

Security testing can be part of standard application tests. Here are some examples:

Simple unit tests: Unit tests are typically used to confirm that the basic building blocks of the application work as expected. Unit tests are easy to repeat — they can run whenever new code is checked into the repository, to confirm that the code still behaves as expected. Unit tests can also check for security features. For example, they can be used to confirm that requests fail without XSRF tokens; that authentication is required to access user data; or that unexpected HTML tags can't get through input filters or escaping routines.

Release testing: Before a new version of a product is released, human testers typically go through the application, try the new features, and make sure previous features still work correctly (regression testing). Security testing should be included in this process as well. For example, release testing is a great time to verify that user A cannot access the data of user B.

Monitoring: Once the application is deployed, the focus usually shifts from testing to monitoring. Watch out for unexpected spikes in error rates, sandbox violations, and other flaky or inexplicable behavior (including intermittent test failures) — and before you dismiss an anomaly, check with your security team. Crashes and flakiness can indicate a race condition or a memory corruption bug.

The next few questions assess the testing and monitoring of your application.

Are you using unit tests or similar methods?

Yes

Unit Testing🔗

How would you describe the code coverage of your unit tests?

Robust: The vast majority of our code is tested through unit tests; code coverage is at least >80%.

Weak: We have some unit testing, but much of the code is not tested.

Nonexistent: We have no (or almost no) unit tests.

Warning — possible medium-risk issue

Unit tests have become quasi-standard for testing the functionality of software at a low level. Although this questionnaire focuses on security, the functional correctness of the application is also important. Particularly for web applications, where it is difficult (often impossible) to fall back to a previous version, functional bugs can cause problems with both integrity and availability. Consider implementing unit tests.

Do you have special unit tests in place for testing the security of your code? For example, unit tests can be used to do the following:

Verify that XSRF tokens are required for all state-changing actions
Confirm that user input is correctly escaped and/or sanitized
Check that the application enforces access control (e.g., user A doesn't have access to user B's data)

Yes

Warning — possible medium-risk issue

Scalable security depends on engineers doing their part — and common-sense, low-overhead unit tests are one of the most cost-efficient defenses available. Unit tests can help validate security parameters and avoid regressions that reintroduce security bugs. We strongly recommend including security checks in your unit tests.

Do your engineers and your QA team look for potential security issues during release testing, and have they been trained to do so?

Yes, our QA process explicitly includes testing for security issues that might have been introduced in the new version.

This is an area where we have some room for improvement.

Warning — possible medium-risk issue

Your engineering and QA teams are in the best position to understand how all parts of the application work, what has changed since the previous iteration, and how the changes might introduce security vulnerabilities. Release testing is typically done under considerable time pressure, but it's the last chance to catch security vulnerabilities internally. When your teams are already focused on testing, adding a few security tests won't increase the effort by much.

Engineers and testers who have been trained to look for security issues can make all the difference between a secure product and a serious vulnerability.

Post-Launch Monitoring🔗

How would you describe your post-launch monitoring?

Robust: We have procedures in place to log and monitor for unexpected crashes, exceptions, and other error conditions. If something looks suspicious, a security-conscious engineer evaluates it.

Weak: If something goes terribly wrong, such as massive spikes in crash rates or other large-scale anomalies, we will probably notice. But our monitoring is fairly coarse, and there is room for improvement.

Nonexistent: At the moment, we are not doing any kind of post-release monitoring that looks for signs of exploitation or increases in crashes/exceptions.

Tip

Thank you for putting effort into post-launch monitoring. Exceptions often indicate an underlying security problem, and close monitoring goes a long way toward quickly identifying and subsequently fixing vulnerabilities.

Warning — possible medium-risk issue

Exceptions and crashes often indicate an underlying security problem. Monitoring the deployed application can go a long way toward quickly identifying and subsequently fixing vulnerabilities. In carefully designed software products, exceptions should be a fairly rare occurrence; it therefore usually does not introduce significant overhead to monitor for them.

Additional Notes🔗

Provide any additional information about the security of your application:

Security Contacts🔗

List the email addresses of people we should contact about any security issues in the application:

Feedback🔗

Congratulations! You've made it to the end of this questionnaire. If you can spare another minute, please let us know how we can improve it. Your feedback is highly appreciated.

Status: No changes
Download Answers Reset Questionnaire

VSAQ

Vendor Security Assessment Questionnaires