
About Web Security Checklist

Internal Use Only


1. Purpose of this checklist

The Web Security Checklist is a measure to prevent vulnerabilities from being built into websites during their development and construction because of inadequacies or wrong settings in the building process. Using the Web Security Checklist makes it possible to maintain the security of websites without fail.

2. Management of this sheet

If a website to be checked is already open to the public, check its compliance with the checklist immediately. If the website is scheduled to become open to the public in the future, check it before production. For a website to be released in the future, however, it is desirable to define the items in the checklist as part of the requirements in the upstream processes (e.g. planning or requirement definition) so as to prevent rework in subsequent processes (e.g. at the stage just before production).

If the structures and/or processes stated under the “large category” in Column B of this checklist are found after checking the construction of the subject website or web service, the corresponding security measures stated under the “medium category” in Column D must be implemented. If the structures and/or processes stated under the “large category” in Column B are not found, select “N.A.” in the answer field in Column F.

Checks defined in this checklist shall be evaluated in three levels (〇: satisfied, X: not satisfied, or N.A.: Not Applicable). For items that do not satisfy the requirements, make modifications whenever modification is possible; if it is not possible, develop corrective actions including alternative measures and implement them without fail.

3. Remarks

If this checklist is to be provided to subcontractors and/or partners, ensure that non-disclosure agreements have been signed by the subject companies and obtain their agreement not to disclose the list to third parties.
[Form] Web Security Checklist Ver1.0

Website name:
URL:
Organization name:
Management/Operation department:
Newly constructed or existing website:

Administrator (Information security leader): Affiliation / Name / Date (YYYY/MM/DD)
Applicant (Website manager): Affiliation / Name / Date (YYYY/MM/DD)

Stated below is the state of compliance with the security checklist for the website to be published.

Columns: Chapter | Large category | No. | Medium category | Supplemental information | Answer | Remarks (Current condition, Action & plan; to be entered if the answer is “X”)

Chapter 0 Checklist concerning the web security guideline

Large category: All websites/web services

0-1 Is a significance evaluation for the website performed?
    Supplemental information: -

0-2 Are the results of the significance evaluation reported to the information security leader of the relevant department/division?
    Supplemental information: -

0-3 Are actions implemented depending on the results of the significance evaluation recognized?
    Supplemental information: -

Chapter 1 Checklist concerning inputs/outputs

Large category: Process texts (parameters, headers, etc.) entered by the user

1-1 Is the legitimacy of each form data item (format, length, positive/negative sign for numeric values) checked?
    Supplemental information: Specifically, are the characters allowed, is the string length within the allowed range, and is the value not negative?

1-2 Likewise, is the legitimacy (format, length, positive/negative sign for numeric values) checked even if the data has been sent/received using URLs, HTTP headers or XML?
    Supplemental information: In addition to the various forms (including hidden parameters, drop-down lists and checklists), the same applies to data contained in URLs, cookies, HTTP headers (HTTP_REFERER) and XML.

1-3 Are the format and value checked properly depending on the meaning of the input data?
    Supplemental information: The format of e-mail addresses, the number of products ordered (whether it is within the limit allowed for one order), or parameters (values embedded in the e-mail address or cookies) that may cause problems if a line feed is included.

1-4 Are special characters contained in the input data converted properly (escape processing) when outputting HTML so that they will be interpreted correctly?
    Supplemental information: In generating a dynamic web page by embedding data, such as user-entered values or results of database searches, in the HTML code, convert the special characters contained in the data (escape processing).

1-5 Are special characters contained in the input data converted properly (escape processing) when outputting HTML so that they will be interpreted correctly?
    Supplemental information: The reason is that it is possible to evade the replacement process by inserting a value that is ignored by web applications between specific character strings. To prevent different interpretations of the character encoding, specify the correct charset in the HTTP response header returned to the browser, like “Content-Type: text/html; charset=UTF-8”.

Large category: The filename returned in the argument is embedded to call an external command

1-6 Are calls to external commands avoided whenever possible? If it is necessary to call external commands due to a limitation in the implementation, is it ensured that the data given by the user do not contain characters (e.g. special symbols) that would be processed on the server?
    Supplemental information: Avoid calling external commands whenever possible and use a library or implement equivalent functions. If external commands need to be called by embedding data into arguments for reasons such as restrictions in the implementation, check the legitimacy of the data on the server. Specifically, limit the characters that can be designated as arguments (e.g. to alphanumeric characters only) by referring to the manual of the commands to be called and, if any other character is entered, reject everything.

1-7 When designating a file as an argument, is it checked that the designated file exists?
    Supplemental information: To prevent leaks and destruction of files kept on the server, do not allow absolute path designation (e.g. /etc/passwd) but use relative designation from the reference path. However, do not allow the designation of a higher path (e.g. ../../etc/passwd).

1-8 Is there a restriction to prevent characters that are not allowed in arguments (e.g. special symbols) from being included?
    Supplemental information: If the implementation passes the e-mail address entered by the user directly to an external command (e.g. the sendmail command) when handling e-mail transmission from a web application, limit the characters available for entry to alphanumeric characters, “@”, “.”, “-” and “_” only, and check the entered data for legitimacy as an e-mail address.

Large category: Database is manipulated based on input data

1-9 Is a bind mechanism used for manipulating the database, or are the special characters contained in the input data escaped in the SQL output?
    Supplemental information: In generating commands that manipulate the database dynamically by embedding data in SQL, convert (escape) the special characters contained so that they will be interpreted properly as SQL.

1-10 Are “%” and “_” escaped to “\%” and “\_” in the LIKE clause?
    Supplemental information: Because the special characters “%” and “_”, which are treated as wildcards, are not processed as normal characters in the LIKE clause even if the bind mechanism is used.
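Items 1-9 and 1-10 side by side, as an added example (not part of the checklist itself) using Python's built-in sqlite3 module and a constructed product table: string concatenation, a bind parameter alone, and a bind parameter with the LIKE metacharacters escaped.

```python
import sqlite3

# Constructed sample data: product names that contain the LIKE metacharacters "%" and "_" literally.
SAMPLE_PRODUCTS = ["100%cotton shirt", "100_cotton_shirt", "1000cotton shirt", "wool shirt"]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [(n,) for n in SAMPLE_PRODUCTS])
    return conn


def search_concatenated(conn: sqlite3.Connection, keyword: str) -> list[str]:
    """Item 1-9 NOT satisfied: the keyword is spliced into the SQL text, so a quote in the
    input changes the statement itself (SQL injection). Shown only as the 'before' case."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{keyword}%'"
    return [row[0] for row in conn.execute(sql)]


def search_bound_only(conn: sqlite3.Connection, keyword: str) -> list[str]:
    """Item 1-9 satisfied (bind parameter) but item 1-10 NOT satisfied: a "%" or "_" typed by
    the user still acts as a wildcard inside the LIKE pattern, so it matches more than intended."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{keyword}%",))]


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape the LIKE metacharacters so they match literally.
    The escape character itself is doubled first; otherwise it could neutralise the escaping."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_escaped(conn: sqlite3.Connection, keyword: str) -> list[str]:
    """Items 1-9 and 1-10 satisfied: bind parameter plus an explicit ESCAPE clause."""
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escape_like(keyword)}%",))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", search_concatenated(db, "' OR '1'='1"))  # every row: the WHERE clause was rewritten
    print("bound only  :", search_bound_only(db, "100_cotton"))     # three rows: "_" matched "%", "_" and "0"
    print("escaped     :", search_escaped(db, "100_cotton"))        # one row: literal match only
```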

Large category: Input values are used as (parts of) filenames to manipulate files

1-11 Isn't a value entered by the user used as (part of) a file name?
    Supplemental information: If it is necessary to use the input value from the user as (part of) a filename for some reason, prohibit path designation like “/etc/passwd” and ensure that character strings like “../” indicating a higher path are not included. In addition, check that the user has access to the designated file on the server.
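One way to implement the file-designation checks of items 1-7 and 1-11 together, as an added example rather than the checklist's own code: absolute paths and “../” are refused, the resolved path must stay below the reference directory, and the file must exist. The directory layout is constructed inside the example.

```python
import tempfile
from pathlib import Path, PurePosixPath


def resolve_user_file(base_dir: Path, user_value: str) -> Path:
    """Map a user-supplied filename onto a file below base_dir (items 1-7 and 1-11).

    Rejects absolute paths, any ".." component, NUL bytes, and anything that resolves
    outside base_dir (symbolic links included, because resolve() follows them).
    Raises ValueError for a disallowed designation and FileNotFoundError when the
    designated file does not exist; the caller refuses the request in both cases."""
    if "\x00" in user_value:
        raise ValueError("NUL byte in filename")
    rel = PurePosixPath(user_value)
    if rel.is_absolute() or user_value.startswith("\\"):
        raise ValueError("absolute path designation is not allowed")
    if any(part == ".." for part in rel.parts):
        raise ValueError("higher-path designation (../) is not allowed")
    base = base_dir.resolve()
    candidate = base.joinpath(*rel.parts).resolve()
    # The resolved file must sit strictly below the reference path (the base itself is not a file).
    if base not in candidate.parents:
        raise ValueError("resolved path escapes the reference directory")
    if not candidate.is_file():
        raise FileNotFoundError(user_value)
    return candidate


def run_checks() -> dict[str, str]:
    """Exercise the check against a throw-away directory tree built here (constructed input).
    Returns the outcome per case so it can be inspected or asserted on."""
    cases = {
        "ok": "report.txt",
        "missing": "nothing.txt",
        "absolute": "/etc/passwd",
        "parent": "../secret.txt",
        "nested_parent": "sub/../../secret.txt",
        "empty": "",
    }
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "docs"
        base.mkdir()
        (base / "report.txt").write_text("constructed sample document")
        (Path(tmp) / "secret.txt").write_text("file outside the reference path")
        for label, value in cases.items():
            try:
                resolve_user_file(base, value)
                results[label] = "allowed"
            except FileNotFoundError:
                results[label] = "not found"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in run_checks().items():
        print(f"{label:14s} {outcome}")
```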

Large category: Output for HTTP request: the field value of the HTTP response header (Location, Set-Cookie, etc.) is dynamically generated based on information passed on from external sources (entries made by the user, URL arguments, HTTP request header information, etc.)

1-12 Are illegal values including the linefeed code (%0d%0a or %0a) converted (escaped)?
    Supplemental information: If the HTTP response header is generated and output using data passed on from external sources (data entered by the user, URL arguments, HTTP request header, etc.), convert the illegal values contained, including the linefeed code (CRLF or LF) (treat them as escape sequences).

Large category: E-mails are sent by generating the message dynamically based on information entered by the user or passed on from external sources

1-13 Are illegal values including the linefeed code (%0d%0a or %0a) converted (escaped)?
    Supplemental information: If there is an e-mail transmission process and e-mails are sent using data passed on from external sources or an e-mail address entered by the user, convert the illegal values contained, including the linefeed code (treat them as escape sequences).
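The header checks of items 1-12 and 1-13 and the e-mail address allow-list of item 1-8 in one place, as an added example that is not part of the checklist. The check runs on the value after URL decoding, because that is where the “%0d%0a” the items mention has already become a real CR LF; the injected sample value is constructed here.

```python
import re

# Item 1-8: the only characters accepted in a user-supplied e-mail address, followed by a
# shape check (local part, one "@", dotted domain). Deliberately narrower than RFC 5322.
EMAIL_CHARS = re.compile(r"[A-Za-z0-9@._-]+")
EMAIL_SHAPE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Items 1-12/1-13: CR, LF and NUL must never reach a header field. The check runs on the
# value AFTER the framework's URL decoding, which is where "%0d%0a" turns into "\r\n".
HEADER_CTL = re.compile(r"[\r\n\x00]")

# Constructed sample: what "/home%0d%0aSet-Cookie:%20sid=1" decodes to before it is used.
CONSTRUCTED_INJECTED_LOCATION = "/home\r\nSet-Cookie: sid=1"


def header_value(value: str) -> str:
    """Return value unchanged if it can safely be placed in a header field; otherwise raise."""
    if HEADER_CTL.search(value):
        raise ValueError("line-feed or NUL in header value")
    return value


def validate_email(addr: str) -> str:
    """Allow-list check for an address that will be handed to a mail command (item 1-8)."""
    if len(addr) > 254 or not EMAIL_CHARS.fullmatch(addr) or not EMAIL_SHAPE.fullmatch(addr):
        raise ValueError("not an acceptable e-mail address")
    return addr


def build_redirect_headers(location: str) -> list[tuple[str, str]]:
    """Item 1-12: a Location header built from an externally supplied (already decoded) value."""
    return [("Location", header_value(location))]


def build_mail_headers(to_addr: str, subject: str) -> str:
    """Item 1-13: message headers assembled from user input, each field checked first."""
    lines = [f"To: {validate_email(to_addr)}", f"Subject: {header_value(subject)}"]
    return "\r\n".join(lines) + "\r\n\r\n"


def outcome(func, *args) -> str:
    """Run a builder and report whether its input was accepted or rejected."""
    try:
        func(*args)
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print(outcome(build_redirect_headers, "/home"))                                   # accepted
    print(outcome(build_redirect_headers, CONSTRUCTED_INJECTED_LOCATION))             # rejected
    print(outcome(build_mail_headers, "john.rich@example.com", "Order 42"))           # accepted
    print(outcome(build_mail_headers, "john@example.com\nBcc: x@y.example", "Hi"))    # rejected
```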

Chapter 2 Checklist for data transmission/reception

Large category: Critical information (credit card numbers, personal information, authentication data, etc.) is processed

2-1 Isn't a frame used?
    Supplemental information: At a website where frames are used, multiple screens are displayed on the browser simultaneously, but each sub-frame displays an independent URL, which cannot be checked on the address bar. For this reason, if the user is led to a screen in which a false page is embedded in the sub-frame to steal critical information (credit card numbers, personal information, authentication data, etc.), which is possible by misuse of a cross-site scripting vulnerability, it is likely that the user would enter the critical information.

2-2 Is the communication path encrypted using TLS?
    Supplemental information: In sending and receiving critical information, encrypt the communication between the server and client using TLS. It is desirable to use a server certificate issued by a reliable organization for TLS. In order to enable the user to check the website's authenticity by checking the server certificate, take sufficient precautions to protect the entry screens for critical information (credit card numbers, personal information, authentication data, etc.) with TLS.

2-3 Is the server certificate issued by a reliable organization?
    Supplemental information: In a system where critical information (credit card numbers, personal information, authentication data, etc.) is processed, it is desirable to use an EV SSL (Extended Validation SSL) certificate, which is issued after stricter verification of identification data.

Large category: TLS communication is used

2-4 Is it configured to prohibit access using non-encrypted communication? Alternatively, is access using non-encrypted communication (http) redirected to a URL for encrypted communication (https)?
    Supplemental information: The reason is that the communication data may not be encrypted if an erroneous link is posted, even for a website using TLS only.

2-5 Is Strict-Transport-Security set in the HTTP header to force the web browser to use the HTTPS connection constantly?
    Supplemental information: The reason is that, even at a website using TLS only, the communication before the redirect could be sniffed by an attacker who leads the target user to make an http connection.

2-6 Aren't encrypted communication (https) and non-encrypted communication (http) mixed?
    Supplemental information: If TLS is used, always use TLS communication regardless of the presence of critical information.

Large category: Session management is done by the cookie

2-7 Is the Secure attribute set in the cookie when using TLS?
    Supplemental information: If a cookie is issued, it is possible to set the “secure” flag. A cookie with this flag is transmitted to the server only if access is made to a page using TLS. Therefore, a cookie with the secure attribute will only be transmitted in encrypted form.

Large category: The source of connection is restricted by the IP address or client certificate of the source (authentication is made by the login function and session management is not done by cookie)

2-8 Is the connection denied for FQDNs (domain names) other than those of the company's website by checking the Host field in the HTTP header?
    Supplemental information: If the source of access is restricted based on the connection source IP address or client certificate, an attacker may obtain confidential information by using the user as a stepping stone through an attack referred to as “DNS rebinding”. If DNS rebinding is misused, the FQDN (domain name) of a malicious website can be set in the Host field of the HTTP header.

Chapter 3 Checklist for session management

Large category: Session management is done

3-1 Are sessions generated using the functions provided by middleware such as application servers?
    Supplemental information: Generate the session ID using the feature available in middleware such as the application server whenever possible. In doing so, ensure that the session ID generated has sufficient strength.

3-2 Has it been researched whether there is a report of a security hole, such as regularity in the session IDs generated?
    Supplemental information: By predicting the next session ID from the one issued immediately before, the session of another user of the service could be hijacked to use the service under an assumed username.

3-3 Is the session ID constructed with a sufficient number of digits?
    Supplemental information: If the session ID is generated by a web application, use a secure random number generation function to prevent the next session ID from being figured out based on previous session IDs. In addition to generating session IDs with sufficient strength, initialize the random number generation function at the startup of the web application using a value that changes all the time, such as the current time down to the millisecond, as a seed.

3-4 Is the uniqueness of session IDs ensured?
    Supplemental information: Ensure the uniqueness of the session ID by comparison with session IDs issued in the past, or by adding an attribute that assures uniqueness (e.g. a sequential number) to each random number issued.

3-5 Is the validity period of the session ID limited?
    Supplemental information: If an authenticated session ID becomes idle (a condition in which no request is issued by user operation) for a certain time, force the user to log out by discarding the session on the server, causing the session to time out. Limit the time in which the session ID is effective by using the features of middleware such as the web server (Apache, IIS, etc.) and application server.

3-6 Is the session ID managed by the server invalidated after logout?
    Supplemental information: The session ID of another user could be obtained by sniffing communication or exploiting a cross-site scripting vulnerability. Using this session ID, the session may be hijacked and the web application used under an assumed username.

3-7 Is a newly generated session ID issued upon completion of authentication?
    Supplemental information: If an attacker could obtain the session ID used by an authentic user, the session could be hijacked and the service used under an assumed username.

3-8 Is there an upper limit on the number of session IDs issued?
    Supplemental information: By sending successive requests to the URL of the screen in which the session ID is issued, server resources may be exhausted, rendering the service unavailable.

3-9 Is the session ID transmitted by issuing a cookie or using the POST method, without embedding it in the URL?
    Supplemental information: If the session ID is sent by embedding it in the URL, there is a risk that the ID would be leaked through the paths listed below.
    (1) Access logs of the web server and proxy server
    (2) History and cached data of the web browser
    (3) The HTTP Referer header
    (4) Cached data of search engines

3-10 Isn't the session region updated if an input error is detected?
    Supplemental information: By contaminating the session region and evading the input data check while performing a series of operations of “input → check → complete” in a system controlling the session, there may be a “session poisoning” attack in which unlawful gain could be made by settling a payment with a fraudulent amount, or confidential information could be obtained by executing arbitrary commands.

3-11 Aren't important objects like session data serialized and included in a hidden field?
    Supplemental information: In an implementation with parameters containing serialized data (byte sequence format), if the serialized data is not encrypted, it may be possible for the user to restore the serialized data. If that happens, critical system information contained in the object would be leaked.

3-12 If serialization is adopted, is action taken to prevent restoration and falsification of the serialized data?
    Supplemental information: It is necessary to take action so that the application rejects serialized data whenever it receives data that has been falsified.

Large category: User authentication is done

3-13 If access is made to a screen after login, is it confirmed, based on the session ID, that the access is made by the user who has logged in?
    Supplemental information: If the user ID or IDs of data belonging to a particular user (e.g. contract ID, order ID, etc.) are contained in the input parameters, there is a possibility that data belonging to another user (contract and order information) would be referenced or modified by falsifying those IDs.

3-14 For a screen to which access is allowed only for particular users, is the user who has made the access identified based on the session ID and the access right of that person verified?
    Supplemental information: - ditto -

3-15 Is the user ID identified based on the session ID, without including the user ID in the input parameters?
    Supplemental information: - ditto -

3-16 Is the access right to the displayed screen (function) verified based on the session ID?
    Supplemental information: - ditto -

Large category: Session IDs are generated using a random number generation function

3-17 Has it been researched whether there is a report of a security hole, such as regularity in the session IDs generated?
    Supplemental information: If the session ID is generated by a web application, use a secure random number generation function to prevent the next session ID from being figured out based on previous session IDs. In addition to generating session IDs with sufficient strength, initialize the random number generation function at the startup of the web application using a value that changes all the time, such as the current time down to the millisecond, as a seed.

3-18 At the startup of a web application, is the random number generator initialized using a random number as a seed?
    Supplemental information: - ditto -

3-19 Aren't values other than those generated on the server used as session IDs?
    Supplemental information: - ditto -

Large category: Session IDs generated by a system such as a contents conversion server are used

3-20 Is the random number generation function secure, without any regularity in the session IDs generated, and are the integrity and strength of the generated random numbers verified?
    Supplemental information: Generate the session ID using the feature available in middleware such as the application server whenever possible. If the session ID is generated by a web application, ensure the use of a secure random number generation function and the uniqueness of the generated random numbers.

Large category: Session management is done by the cookie

3-21 Are the domains and paths for which the cookie is effective limited to the minimum extent required?
    Supplemental information: The cookie could be stolen by exploiting a cross-site scripting vulnerability to obtain the session ID recorded in it. Using this session ID, the session may be hijacked and the web application used under an assumed username.

Chapter 4 Checklist for user authentication

Large category: User authentication is done

4-1 Is a user ID that is difficult to guess issued by the server (service provider), without letting the user specify it?
    Supplemental information: By trying out common combinations of user IDs and passwords, accounts available for login could be found, and an attacker may assume the username with the inferred password to use the service unlawfully.

4-2 When issuing the initial password from the server, isn't there a weakness in the issued initial password?
    Supplemental information: If the password is set/changed by the user, check the entered password and reject it if it is weak. Also, if the initial password is issued by the application, do not issue weak passwords.

4-3 When the password is set/changed by the user, is the entered password tested and rejected if it is weak?
    Supplemental information: - ditto -

4-4 Is the user forced to change the initial password at the first login?
    Supplemental information: There is a possibility that the initial password issued when an account is created would be leaked to a third party in the process of its generation and transmission. If the password is leaked to a third party, it could be used for an extended period if no expiry is set. Even if an expiration date is set, the user can circumvent the expiration by setting the same password again if registration of the same password is allowed.

4-5 Is the number of authentication attempts for login, password change, password reminder, etc. limited and, if that number of successive attempts has failed, is the account locked out?
    Supplemental information: An attacker may try to find the password by trying out different passwords that a user would use, using the personal information of the user and a dictionary for cracking passwords. It is possible that the service would be used unlawfully under an assumed username this way.

4-6 When changing the password, is the user required to enter the current password?
    Supplemental information: Provide a feature for the user to change his/her password. In doing so, request the user to enter the current password to prevent the password from being changed by a third party when the session is hijacked or the user terminal is operated fraudulently.

4-7 Is the number of failures in authenticating the current password limited?
    Supplemental information: Establish a limit on the number of failures in validating the current password in anticipation of a brute-force attack.

Large category: Critical information (credit card numbers, personal information, authentication data, etc.) is displayed and updated

4-8 Is there a feature whereby the user is requested to re-enter the password and/or PIN in addition to the authentication at login?
    Supplemental information: If a membership shopping site provides a feature to reference/change the registered personal data, or performs an important operation such as a transaction on a financial instrument, without repeated authentication before the important operation, extensive damage will result from that operation once the identity of a member is stolen in a session hijack.

Large category: Data inherent to the cellphone is used as an authentication element

4-9 Is the user required to enter his/her password?
    Supplemental information: If authentication is based only on cellphone data (so-called “easy login”), the security level of the system drops significantly from the following perspectives.
    • It is possible to modify the “terminal specific ID” or add a “user specific ID” in the ID inherent to the cellphone.
    • A system in which a password is used for authentication would complete the authentication without the password.

Large category: URL and token for authentication are used

4-10 Are reuse and validity restricted?
    Supplemental information: An attacker who has sniffed an e-mail could access the URL containing the token and complete operations like creation of a new account or the setup of ID/password reminders under an assumed username.

Chapter 5 Checklist for data storage

Large category: Critical information (credit card numbers, personal information, authentication data, etc.) is processed

5-1 Is critical information (e.g. credit card numbers) stored encrypted?
    Supplemental information: If the password is stored in plain text, there is a risk of unauthorized access and leak of the password by the system administrator. For this reason, save the hash value instead of saving the password itself. If critical information is stored in plain text, an SQL injection vulnerability in the web application would lead to extensive damage if it is exploited to leak the critical information.

Chapter 6 Checklist for client program development

Large category: Client programs (ActiveX, Java, Flash, etc.) linked to the web application are used

6-1 Aren't pieces of critical information (credit card numbers, personal information, authentication data, etc.) or system data embedded in the client program?
    Supplemental information: Although ActiveX, Java applets and Flash are provided as binary files, it is possible to obtain critical information contained in the binary file by browsing it directly. It is also possible to decompile a Java applet to browse the source code.

6-2 Aren't important objects like session data stored in a local file?
    Supplemental information: When using a client program, do not embed critical information (credit card numbers, personal information, authentication data, etc.) or system data in the program or its property file. Also, do not save important objects like session data as a local file.

Chapter 7 Checklist for credit card payment

Large category: Credit card payment function is provided

7-1 Aren't sensitive authentication data such as credit cards' magnetic stripe data, card validation codes (CAV2/CID/CVC2/CVV2) and PINs stored?
    Supplemental information: An attacker who has obtained the card verification code and PIN, together with a credit card number and its expiry date, in an SQL injection attack could assume the identity of the cardholder to make illegal credit card payments.

Chapter 8 Checklist for screen display

Large category: Critical information (credit card numbers, personal information, authentication data, etc.) is displayed and updated

8-1 Confidential information such as the user ID, password and credit card number shall not be displayed on the web page. If they are displayed, are they partially replaced with a special character like “*”?
    Supplemental information: Confidential information may be obtained by peeking at the screen from behind the user or by browsing the source code (HTML) of the screen during the absence of the user. If TLS is not used, it is also possible to obtain confidential information by sniffing communication over the network.

Large category: Error screens are displayed

8-2 Is the information displayed on the error screen limited to the minimum, without displaying messages that give out system configuration such as system paths?
    Supplemental information: System configuration data (e.g. the OS used, product names of the web server/middleware/database, system paths, etc.) may be obtained from error messages and used as clues for an attack.

Chapter 9 Checklist for the website management

Large category: All websites and web services

9-1 Isn't the login console for the website administrator published on the Internet?
    Supplemental information: Once the authentication using ID and password is breached, there is a possibility that the system configuration would be modified or confidential information leaked.

9-2 Aren't FTP (21/tcp) communication services published on the Internet without encryption?
    Supplemental information: Representing data in plain text creates the possibility that critical information on the communication path (user IDs, passwords, personal data, etc.) would be leaked by packet sniffing.

9-3 Isn't HTTP (80/tcp) communication used on screens where authentication data are processed?
    Supplemental information: Representing data in plain text creates the possibility that critical information on the communication path (user IDs, passwords, personal data, etc.) would be leaked by packet sniffing.

Large category: The FTP service is used

9-4 Isn't anonymous login allowed for FTP services on the Internet?
    Supplemental information: A flaw in the directory permissions may allow malicious script files to be uploaded and executed, causing negative impacts on the system.

Large category: A certificate service is used

9-5 Aren't self-signed and/or expired certificates used in web services?
    Supplemental information: Because the reliability of the site cannot be certified, there is a risk of exposing the site users to danger.

Large category: A development environment is constructed

9-6 Isn't the website development environment published on the Internet?
    Supplemental information: It is possible that the development environment does not address its vulnerabilities or contains information that can be used to start an attack on the published websites.

Large category: A database (DB) is used

9-7 Is the necessity of publishing the DB port on the Internet verified and, if it is not necessary, is access controlled by the network or the server?
    Supplemental information: Because most databases handle critical information, if the authentication is breached, it is possible that the system configuration would be modified or confidential information stolen.

Large category: The RDP service (port) is used

9-8 Isn't the RDP service (port) used for remote desktop published on the Internet?
    Supplemental information: If the authentication process is breached, an unauthorized remote connection would be established, causing the system configuration to be modified and/or confidential information to be stolen.

Large category: The SMB service (port) is used

9-9 Isn't the SMB service (port) used for sharing files published on the Internet?
    Supplemental information: There is a possibility that damage would be caused by a cyber attack targeting port 445, which is used for file sharing in SMB.

Large category: The SSH (22/tcp) service is used

9-10 Isn't the SSH (22/tcp) service published on the Internet?
    Supplemental information: If the authentication is breached, there is a possibility that the system configuration would be modified and/or confidential information leaked.
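A small self-check for items 9-2, 9-3, 9-7, 9-8, 9-9 and 9-10 that reads the listening sockets of a published web server, added here as an example and not part of the checklist. The input is in the layout of `ss -ltn` on Linux and is constructed inline; the RDP and database port numbers are assumed values, since the page names those services without ports.

```python
# Ports the checklist names (items 9-2, 9-3, 9-9, 9-10) plus the well-known RDP and database
# ports, which the page refers to only by service name (assumed values, not from the page).
RISKY_PORTS = {
    21: "9-2 FTP (plain text)",
    22: "9-10 SSH",
    445: "9-9 SMB file sharing",
    3389: "9-8 RDP remote desktop",
    1433: "9-7 database (SQL Server)",
    3306: "9-7 database (MySQL)",
    5432: "9-7 database (PostgreSQL)",
}
LOOPBACK = {"127.0.0.1", "::1"}
ANY_ADDRESS = {"0.0.0.0", "::", "*"}

# Constructed sample in the layout of `ss -ltn` on Linux (header line first).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511             [::]:80            [::]:*
LISTEN 0      511             [::]:443           [::]:*
LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128         10.0.0.5:3389       0.0.0.0:*
"""


def split_local(addr: str) -> tuple[str, int]:
    """Split 'host:port' as printed by ss, including the '[::]:80' and '*:22' forms."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def audit_listeners(ss_output: str) -> list[dict]:
    """Flag listening sockets that the checklist says must not face the Internet.

    A socket bound to loopback is skipped; anything else is reported, because the host
    being audited is assumed to be the published web server itself."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if host in LOOPBACK:
            continue
        scope = "all interfaces" if host in ANY_ADDRESS else host
        if port in RISKY_PORTS:
            findings.append({
                "port": port, "bind": scope, "item": RISKY_PORTS[port],
                "action": "do not publish to the Internet; restrict by network or server access control",
            })
        elif port == 80:
            findings.append({
                "port": port, "bind": scope, "item": "9-3 HTTP (plain text)",
                "action": "serve only a redirect to https (item 2-4); no authentication data over http",
            })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {f['port']:<5} on {f['bind']:<15} item {f['item']}: {f['action']}")
```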
[Form] Web Security Checklist Ver1.0 (An example for Daikin affiliates; provision to outsiders prohibited)

Website name: Site ABC
URL: www-org.abc.example.com
Organization name: DIL
Management/Operation department: IT Promotion Department
Newly constructed or existing website: Existing website

Administrator (Information security leader): IT Promotion Department / John Ringmaster / 2021/04/05
Applicant (Website manager): IT Promotion Department / John Rich / 2021/04/01

Stated below is the state of compliance with the security checklist for the website to be published.

Columns: Chapter | Large category | No. | Medium category | Supplemental information | Answer | Remarks (Current condition, Action & plan; to be entered if the answer is “X”)
Chapter 0 Checklist concerning the web security guideline

Large category: All websites/web services

0-1 Is a significance evaluation for the website performed?
    Supplemental information: -
    Answer: 〇

0-2 Are the results of the significance evaluation reported to the information security leader of the relevant department/division?
    Supplemental information: -
    Answer: 〇

0-3 Are actions implemented depending on the results of the significance evaluation recognized?
    Supplemental information: -
    Answer: 〇

Chapter 1 Checklist concerning inputs/outputs

Large category: Process texts (parameters, headers, etc.) entered by the user

1-1 Is the legitimacy of each form data item (format, length, positive/negative sign for numeric values) checked?
    Supplemental information: Specifically, are the characters allowed, is the string length within the allowed range, and is the value not negative?
    Answer: 〇

1-2 Likewise, is the legitimacy (format, length, positive/negative sign for numeric values) checked even if the data has been sent/received using URLs, HTTP headers or XML?
    Supplemental information: In addition to the various forms (including hidden parameters, drop-down lists and checklists), the same applies to data contained in URLs, cookies, HTTP headers (HTTP_REFERER) and XML.
    Answer: 〇

1-3 Are the format and value checked properly depending on the meaning of the input data?
    Supplemental information: The format of e-mail addresses, the number of products ordered (whether it is within the limit allowed for one order), or parameters (values embedded in the e-mail address or cookies) that may cause problems if a line feed is included.
    Answer: 〇

1-4 Are special characters contained in the input data converted properly (escape processing) when outputting HTML so that they will be interpreted correctly?
    Supplemental information: In generating a dynamic web page by embedding data, such as user-entered values or results of database searches, in the HTML code, convert the special characters contained in the data (escape processing).
    Answer: 〇

1-5 Are special characters contained in the input data converted properly (escape processing) when outputting HTML so that they will be interpreted correctly?
    Supplemental information: The reason is that it is possible to evade the replacement process by inserting a value that is ignored by web applications between specific character strings. To prevent different interpretations of the character encoding, specify the correct charset in the HTTP response header returned to the browser, like “Content-Type: text/html; charset=UTF-8”.
    Answer: 〇

Large category: The filename returned in the argument is embedded to call an external command

1-6 Are calls to external commands avoided whenever possible? If it is necessary to call external commands due to a limitation in the implementation, is it ensured that the data given by the user do not contain characters (e.g. special symbols) that would be processed on the server?
    Supplemental information: Avoid calling external commands whenever possible and use a library or implement equivalent functions. If external commands need to be called by embedding data into arguments for reasons such as restrictions in the implementation, check the legitimacy of the data on the server. Specifically, limit the characters that can be designated as arguments (e.g. to alphanumeric characters only) by referring to the manual of the commands to be called and, if any other character is entered, reject everything.
    Answer: N.A.

1-7 When designating a file as an argument, is it checked that the designated file exists?
    Supplemental information: To prevent leaks and destruction of files kept on the server, do not allow absolute path designation (e.g. /etc/passwd) but use relative designation from the reference path. However, do not allow the designation of a higher path (e.g. ../../etc/passwd).
    Answer: N.A.

1-8 Is there a restriction to prevent characters that are not allowed in arguments (e.g. special symbols) from being included?
    Supplemental information: If the implementation passes the e-mail address entered by the user directly to an external command (e.g. the sendmail command) when handling e-mail transmission from a web application, limit the characters available for entry to alphanumeric characters, “@”, “.”, “-” and “_” only, and check the entered data for legitimacy as an e-mail address.
    Answer: N.A.

Large category: Database is manipulated based on input data

1-9 Is a bind mechanism used for manipulating the database, or are the special characters contained in the input data escaped in the SQL output?
    Supplemental information: In generating commands that manipulate the database dynamically by embedding data in SQL, convert (escape) the special characters contained so that they will be interpreted properly as SQL.
    Answer: N.A.

Because special characters “%” and “_”, which are treated as wildcards,
Are “%” and “\%” processed as escape sequences
1-10 are not processed as normal characters in the LIKE structure even if the N.A.
to “_” and “\_” in the LIKE structure?
bind mechanism is used.

If it is necessary to use the input value from the user as a (part of)
filename for some reason, prohibit the path designation like “/etc/passwd”
Input values are used as (parts of) Isn’t a value entered by the user used as a (part of)
1-11 and ensure that character strings like “../” indicating the higher path are N.A.
filenames to manipulate files file name?
not included. In addition, check to see if the user has access to the
designated file on the server.

Output for HTTP request


The field value of HTTP response
If the HTTP response header is generated and output by using data
header (Location, Set-Cookie, etc.) is
Are illegal values including the linefeed code (%0d passed on from external sources (data entered by the user, URL
dynamically generated based on the
1-12 %0a or %0a) converted (processed as escape arguments, HTTP request header, etc.), convert illegal values, including N.A.
information passed on from external
sequences)? the linefeed code (CRLF or LF) contained (treat them as escape
sources (entries made by the user,
sequences).
URL argument, HTTP request header
information, etc.)

E-mails are sent by generating the If there is an e-mail transmission process and e-mails are sent by using
Are illegal values including the linefeed code (%0d
message dynamically based on the data passed on from external sources or e-mail address entered by the
1-13 %0A or %0A) converted (processed as escape N.A.
information entered by the user or user, convert illegal values including the linefeed code (treat them as
sequences)?
passed on from external sources escape sequences).

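Items 1-9 to 1-12 in working code, as an added example that is not part of the checklist: a bound query whose LIKE argument is escaped, a filename check that keeps the user inside the reference directory, and a header-value check that rejects CR/LF. The product table, sample rows and the temporary reference directory are constructed for the example, and Python's bundled sqlite3 stands in for the real database; the escape character, the ESCAPE clause syntax and the commonpath comparison are the author's choices, not something the checklist prescribes.

```python
"""Added example (not part of the checklist): bind variables plus LIKE
escaping (items 1-9, 1-10), restricting user-supplied filenames (item 1-11)
and rejecting line feeds in dynamically built HTTP headers (item 1-12).
Table, rows and reference directory are constructed for this example.
"""
import os
import sqlite3
import tempfile


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, discount_pct INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("100% cotton shirt", 10), ("10 cotton socks", 0), ("wool_hat", 5)],
    )
    return conn


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape the LIKE wildcards % and _ (and the escape character itself).

    Item 1-10: a bind variable stops SQL injection, but the bound string is
    still interpreted by LIKE, so a user-supplied '%' would otherwise match
    every row.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_products(conn: sqlite3.Connection, term: str) -> list:
    """Substring search with a bind variable (item 1-9) and LIKE escaping."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def make_sample_dir() -> str:
    """Constructed reference directory containing one file, for the demo."""
    base = tempfile.mkdtemp(prefix="wsc_demo_")
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("sample\n")
    return base


def resolve_user_file(base_dir: str, user_value: str) -> str:
    """Map a user-supplied name to a file inside base_dir (item 1-11).

    Absolute paths are refused outright; '..' traversal is caught by comparing
    the resolved path with the reference directory; finally the file must exist.
    """
    if os.path.isabs(user_value) or "\x00" in user_value:
        raise ValueError("absolute path or NUL byte not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the reference directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(user_value)
    return target


def header_value(value: str) -> str:
    """Validate a value before placing it in a response header (item 1-12).

    CR and LF (%0d, %0a) would end the header line and let further headers
    or a response body be injected, so they are rejected rather than passed on.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("line feed in header value")
    return value
```

Note the pattern built for LIKE surrounds the escaped term with its own `%` wildcards: the wildcards the application adds are intentional, the ones inside the user's term are not, and the ESCAPE clause lets the database tell them apart.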
Chapter 2 Checklist for data transmission/reception

Large category: Critical information (credit card numbers, personal information, authentication data, etc.) is processed

2-1 Check: Isn't a frame used?
    Explanation: At a website where frames are used, multiple screens are displayed in the browser simultaneously, but each sub-frame displays an independent URL, which cannot be checked in the address bar. For this reason, if the user is led to a screen in which a false page that steals critical information (credit card numbers, personal information, authentication data, etc.) is embedded in the sub-frame (possible through the misuse of a cross-site scripting vulnerability), it is likely that the user would enter critical information there.
    Answer: 〇

2-2 Check: Is the communication path encrypted using TLS?
    Explanation: When sending and receiving critical information, encrypt the communication between the server and client using TLS. It is desirable to use a server certificate issued by a reliable organization for TLS. So that the user can check the website's authenticity by checking the server certificate, take sufficient precautions to protect entry screens for critical information (credit card numbers, personal information, authentication data, etc.) with TLS.
    Answer: 〇

2-3 Check: Is the server certificate issued by a reliable organization?
    Explanation: In a system where critical information (credit card numbers, personal information, authentication data, etc.) is processed, it is desirable to use an EV SSL (Extended Validation SSL) certificate, which is issued after verifying the applicant's identification data more strictly.
    Answer: 〇

Large category: TLS communication is used

2-4 Check: Is it configured to prohibit access using non-encrypted communication? Alternatively, is access using non-encrypted communication (http) redirected to a URL for encrypted communication (https)?
    Explanation: The reason is that, even for a website using TLS only, the communication data may not be encrypted if an erroneous link is posted.
    Answer: 〇

2-5 Check: Is Strict-Transport-Security set in the HTTP header to force the web browser to always connect over HTTPS?
    Explanation: The reason is that, even at a website using TLS only, the communication before the redirect could be sniffed by an attacker who leads the target user to make an http connection.
    Answer: 〇

2-6 Check: Aren't encrypted communication (https) and non-encrypted communication (http) mixed?
    Explanation: If TLS is used, always use TLS communication regardless of the presence of critical information.
    Answer: 〇

Large category: Session management is done by the cookie

2-7 Check: Is the Secure attribute set on the cookie when using TLS?
    Explanation: When a cookie is issued, it is possible to set the "secure" flag. A cookie with this flag is transmitted to the server only when the access is made to a page using TLS. Therefore, a cookie with the Secure attribute will only be transmitted in encrypted form.
    Answer: 〇

Large category: The source of connection is restricted by the IP address or client certificate of the source (authentication is made by the login function and session management is not done by the cookie)

2-8 Check: Is the connection denied for FQDNs (domain names) other than those of the company's website by checking the Host field in the HTTP header?
    Explanation: If the source of access is restricted based on the connection source IP address or client certificate, an attacker may obtain confidential information by using the user as a stepping stone through an attack referred to as "DNS rebinding". When DNS rebinding is misused, the FQDN (domain name) of the malicious website is what appears in the Host field of the HTTP header.
    Answer: 〇

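The decisions in 2-4, 2-5, 2-7 and 2-8 made per request, as an added example that is not part of the checklist: a Host allowlist, a redirect from http to https, a Strict-Transport-Security header, and a session cookie carrying the Secure attribute. The FQDNs, the HSTS lifetime, the cookie name and the request/response shape are constructed for the example; the path is assumed to have already passed the chapter 1 checks (no CR/LF) before it is placed in a Location header.

```python
"""Added example (not part of the checklist): per-request handling for
items 2-4 (http -> https redirect), 2-5 (HSTS), 2-7 (Secure cookie) and
2-8 (Host header allowlist). Host names and values are constructed.
"""
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}  # constructed FQDNs
HSTS_MAX_AGE = 31536000  # one year, in seconds (constructed choice)


def host_is_ours(host_header: str) -> bool:
    """Item 2-8: the Host field, without any :port suffix, must match one of
    the site's own FQDNs exactly. Under DNS rebinding the browser sends the
    attacker's domain here, which this comparison rejects.
    (Assumes FQDN hosts; a bare IPv6 literal would need separate parsing.)
    """
    if not host_header:
        return False
    host = host_header.split(":")[0].lower()
    return host in ALLOWED_HOSTS


def handle_request(scheme: str, host: str, path: str, session_id: str) -> dict:
    """Return a constructed response description for the request.

    `path` is assumed to have been validated already (no CR/LF, see 1-12).
    """
    if not host_is_ours(host):
        return {"status": 400, "headers": {}, "serve": False}
    if scheme != "https":
        # Item 2-4: never serve content over plain http; redirect to https.
        return {
            "status": 301,
            "headers": {"Location": "https://" + host.split(":")[0] + path},
            "serve": False,
        }
    headers = {
        # Item 2-5: the browser remembers to use https for later visits, so the
        # sniffable pre-redirect http request is not repeated.
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
        # Item 2-7: Secure keeps the cookie off plain-http connections;
        # HttpOnly additionally keeps it away from script (see also 3-21).
        "Set-Cookie": f"SESSIONID={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/",
    }
    return {"status": 200, "headers": headers, "serve": True}
```

The order of the checks matters: the Host check comes first so that a redirect is never issued to a host the site does not own, and the HSTS header is only sent on the https response, which is the only place browsers honour it.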
Chapter 3 Checklist for session management

Large category: Session management is done

3-1 Check: Are sessions generated using functions provided by middleware like application servers?
    Explanation: Generate the session ID using the feature available in middleware like the application server whenever possible. In doing so, ensure that the generated session ID has sufficient strength.
    Answer: 〇

3-2 Check: Has it been researched whether there is a report of a security hole, such as regularity in the session IDs generated?
    Explanation: By inferring the next session ID to be issued from the one issued immediately before, the session of another user of the service could be hijacked and the service used under an assumed username.
    Answer: 〇

3-3 Check: Is the session ID constructed with a sufficient number of digits?
    Explanation: If the session ID is generated by a web application, use a secure random number generation function to prevent the next session ID from being figured out from previous session IDs. In addition to generating session IDs with sufficient strength, initialize the random number generation function using a value that changes all the time, such as the current time down to the millisecond, as a seed at the startup of the web application.
    Answer: 〇

3-4 Check: Is the uniqueness of session IDs ensured?
    Explanation: Ensure the uniqueness of the session ID by comparison with session IDs issued in the past, or by adding an attribute that assures uniqueness (e.g. a sequential number) to each random number issued.
    Answer: 〇

3-5 Check: Is a validity period set for the session ID?
    Explanation: If an authenticated session ID becomes idle (no request is issued by user operation) for a certain time, force the user to log out by discarding the session on the server so that the session times out. Limit the time for which the session ID is effective using the feature of middleware like a web server (Apache, IIS, etc.) or application server.
    Answer: 〇

3-6 Check: Is the session ID managed by the server invalidated after logout?
    Explanation: The session ID of another user could be obtained by sniffing communication or exploiting a cross-site scripting vulnerability. Using this session ID, the session may be hijacked and the web application used under an assumed username.
    Answer: 〇

3-7 Check: Is a newly generated session ID issued upon completion of authentication?
    Explanation: If an attacker could obtain the session ID used by an authentic user, the session could be hijacked and the service used under an assumed username.
    Answer: 〇

3-8 Check: Is there an upper limit for the number of session IDs issued?
    Explanation: By sending successive requests to the URL of the screen in which the session ID is issued, server resources may be exhausted, rendering the service unavailable.
    Answer: 〇

3-9 Check: Is the session ID transmitted by issuing a cookie or using the POST method, without embedding it in the URL?
    Explanation: If the session ID is sent by embedding it in the URL, there is a risk that the ID would be leaked through the paths listed below.
    (1) Access logs of the web server and proxy server
    (2) History and cached data of the web browser
    (3) The HTTP Referer header
    (4) Cached data of search engines
    Answer: 〇

3-10 Check: Isn't the session region updated if an input error is detected?
    Explanation: By contaminating the session region and evading the input data check while performing the series of operations "input → check → complete" in a system that controls the session, a "session poisoning" attack becomes possible, in which unlawful gain could be made by settling a payment with a fraudulent amount, or confidential information could be obtained by executing arbitrary commands.
    Answer: 〇

3-11 Check: Aren't important objects like session data serialized and included in a hidden field?
    Explanation: In an implementation with parameters containing serialized data (byte sequence format), if the serialized data is not encrypted, it may be possible for the user to restore the serialized data. If that happens, critical information of the system contained in the object would be leaked.
    Answer: 〇

3-12 Check: If serialization is adopted, is action taken to prevent restoration and falsification of the serialized data?
    Explanation: It is necessary to take action so that the application rejects serialized data whenever it detects that the data has been falsified.
    Answer: 〇

Large category: User authentication is done

3-13 Check: When a screen is accessed after login, is it confirmed, based on the session ID, that the access is made by the user who has logged in?
    Explanation: If the user ID or IDs of data belonging to a particular user (e.g. contract ID, order ID, etc.) are contained in the input parameters, there is a possibility that data belonging to another user (contract and order information) would be referenced or modified by falsifying those IDs.
    Answer: 〇

3-14 Check: For a screen to which access is allowed only for particular users, is the user who has made the access identified based on the session ID and the access right of that person verified?
    Explanation: - ditto -
    Answer: 〇

3-15 Check: Is the user ID identified based on the session ID, without including the user ID in the input parameters?
    Explanation: - ditto -
    Answer: 〇

3-16 Check: Is the access right to the displayed screen (function) verified based on the session ID?
    Explanation: - ditto -
    Answer: 〇

Large category: Session IDs are generated using a random number generation function

3-17 Check: Has it been researched whether there is a report of a security hole, such as regularity in the session IDs generated?
    Explanation: If the session ID is generated by a web application, use a secure random number generation function to prevent the next session ID from being figured out from previous session IDs. In addition to generating session IDs with sufficient strength, initialize the random number generation function using a value that changes all the time, such as the current time down to the millisecond, as a seed at the startup of the web application.
    Answer: 〇

3-18 Check: At the startup of the web application, is the random number generator initialized using a random number as a seed?
    Explanation: - ditto -
    Answer: 〇

3-19 Check: Aren't values other than those generated on the server used as session IDs?
    Explanation: - ditto -
    Answer: 〇

Large category: Session IDs generated by a system like a content conversion server are used

3-20 Check: Is the random number generation function secure, without any regularity in the session IDs generated, and are the integrity and strength of the generated random numbers verified?
    Explanation: Generate the session ID using the feature available in middleware like the application server whenever possible. If the session ID is generated by a web application, ensure the use of a secure random number generation function and the uniqueness of the generated random numbers.
    Answer: 〇

Large category: Session management is done by the cookie

3-21 Check: Are the domains and paths for which the cookie is effective limited to the minimum extent required?
    Explanation: The cookie could be stolen by exploiting a cross-site scripting vulnerability to obtain the session ID recorded in it. Using this session ID, the session may be hijacked and the web application used under an assumed username.
    Answer: 〇

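A small server-side session store that applies items 3-3 to 3-8, 3-17 to 3-19 and 3-21 together, as an added example that is not part of the checklist or of any application server's session feature (which item 3-1 says to prefer). The idle timeout, the session cap, the cookie name and path, and the injectable clock are constructed for the example. It draws IDs from Python's `secrets` module, which uses the operating system's CSPRNG: such a generator is seeded by the OS and is not re-seeded by the application, which is how the "random number as a seed" of item 3-18 is satisfied in practice.

```python
"""Added example (not part of the checklist): a server-side session store
covering CSPRNG-based IDs (items 3-3, 3-17 to 3-19), uniqueness (3-4),
idle timeout (3-5), invalidation on logout (3-6), a fresh ID on login (3-7),
a cap on live sessions (3-8) and a narrowly scoped cookie (3-21).
Timeouts, limits and the clock injection are constructed for this example.
"""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=900, max_sessions=10000, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds of inactivity (item 3-5)
        self.max_sessions = max_sessions   # upper bound on issued IDs (item 3-8)
        self.clock = clock                 # injectable so tests are deterministic
        self._sessions = {}                # session_id -> {"user": ..., "last_seen": ...}

    def _new_id(self) -> str:
        # 32 bytes from the OS CSPRNG: no regularity between consecutive IDs and
        # no application-level seeding (items 3-3, 3-17, 3-18).
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self._sessions:  # uniqueness check (item 3-4)
                return sid

    def _expire_idle(self) -> None:
        now = self.clock()
        stale = [s for s, d in self._sessions.items()
                 if now - d["last_seen"] > self.idle_timeout]
        for sid in stale:
            del self._sessions[sid]

    def create(self, user=None) -> str:
        """Issue a new session (anonymous unless a user is given)."""
        self._expire_idle()
        if len(self._sessions) >= self.max_sessions:
            raise RuntimeError("session limit reached")  # item 3-8
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid: str):
        """Return the session's user (None if anonymous) or raise KeyError when
        the ID is unknown (never issued by this server, logged out, or timed out)."""
        self._expire_idle()
        if sid not in self._sessions:      # item 3-19: only server-issued IDs
            raise KeyError("invalid session")
        self._sessions[sid]["last_seen"] = self.clock()
        return self._sessions[sid]["user"]

    def login(self, old_sid: str, user: str) -> str:
        """Bind the user to a brand-new ID and discard the pre-login one
        (item 3-7): an ID observed or fixed before authentication is useless."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)      # item 3-6: invalidated on the server


def session_cookie(sid: str, path: str = "/app") -> str:
    """Item 3-21: no Domain attribute (the cookie stays with the issuing host)
    and the narrowest Path that still covers the application."""
    return f"SESSIONID={sid}; Path={path}; Secure; HttpOnly; SameSite=Lax"
```

Every lookup goes through `_expire_idle`, so a timed-out ID is refused even if the store was never swept in between; `login` deliberately creates rather than renames, so the pre-login ID can never be used to reach the authenticated session.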
Chapter 4 Checklist for user authentication

Large category: User authentication is done

4-1 Check: Is a user ID that is difficult to guess issued by the server (service provider) without letting the user specify it?
    Explanation: By trying common combinations of user IDs and passwords, accounts available for login could be found, and an attacker may assume the username with the inferred password to use the service unlawfully.
    Answer: N.A.

4-2 Check: When the initial password is issued by the server, isn't there a weakness in the issued initial password?
    Explanation: If the password is set/changed by the user, check the entered password and reject it if it is weak. Also, if the initial password is issued by the application, do not issue weak passwords.
    Answer: N.A.

4-3 Check: When the password is set/changed by the user, is the entered password tested and rejected if it is weak?
    Explanation: - ditto -
    Answer: N.A.

4-4 Check: Is the user forced to change the initial password at the first login?
    Explanation: There is a possibility that the initial password issued when an account is created would be leaked to a third party in the process of generating and transmitting it. If the password is leaked to a third party, it could be used for an extended period if no expiry is set. Even if an expiration date is set, the user can circumvent the expiration by setting the same password again if registration of the same password is allowed.
    Answer: N.A.

4-5 Check: Is the number of authentication attempts for login, password change, password reminder, etc. limited and, if a number of successive attempts have failed, is the account locked out?
    Explanation: An attacker may try to find the password by trying out passwords that the user would be likely to use, based on the user's personal information and a password-cracking dictionary. It is possible that the service would be used unlawfully under an assumed username this way.
    Answer: N.A.

4-6 Check: When changing the password, is the user required to enter the current password?
    Explanation: Provide a feature for the user to change his/her password. In doing so, require the user to enter the current password to prevent the password from being changed by a third party when the session is hijacked or the user's terminal is operated fraudulently.
    Answer: N.A.

4-7 Check: Is the number of failures in authenticating the current password limited?
    Explanation: Establish a limit for the number of failures in validating the current password in anticipation of a brute-force attack.
    Answer: N.A.

Large category: Critical information (credit card numbers, personal information, authentication data, etc.) is displayed and updated

4-8 Check: Is there a feature that requests the user to re-enter the password and/or PIN in addition to the authentication at login?
    Explanation: If no repeated authentication is required before referencing/changing the personal data registered at a membership shopping site, or before an important operation like a transaction on a financial instrument, extensive damage will result from such an important operation once the identity of a member is stolen in a session hijack.
    Answer: N.A.

Large category: Data inherent to the cellphone is used as an authentication element

4-9 Check: Is the user required to enter his/her password?
    Explanation: If authentication is based only on cellphone data (so-called "easy login"), the security level of the system would drop significantly in the following respects.
    • It is possible to modify the "terminal-specific ID" or add a "user-specific ID" to the ID inherent to the cellphone.
    • A system in which a password is used for authentication would complete the authentication without the password.
    Answer: N.A.

Large category: URL and token for authentication are used

4-10 Check: Are reuse and validity restricted?
    Explanation: An attacker who has sniffed an e-mail could access the URL containing the token and complete operations like creation of a new account and the setup of ID/password reminders under an assumed username.
    Answer: N.A.

Chapter 5 Checklist for data storage

Large category: Critical information (credit card numbers, personal information, authentication data, etc.) is processed

5-1 Check: Is critical information (e.g. credit card numbers) stored in encrypted form?
    Explanation: If the password is stored in plain text, there is a risk of unauthorized access and of the password being leaked by the system administrator. For this reason, save the hash value instead of the password itself. If critical information is stored in plain text and there is an SQL injection vulnerability in the web application, extensive damage results if this vulnerability is exploited to leak critical information.
    Answer: N.A.

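The password handling of chapter 4 (items 4-2 to 4-7) and the hashed storage of item 5-1, combined in one user store as an added example that is not part of the checklist. The strength rules, the lockout threshold, the PBKDF2 iteration count and the outcome strings are constructed for the example; the store never keeps a plaintext password, only a per-user random salt and the derived hash.

```python
"""Added example (not part of the checklist): a user store that keeps only a
salted password hash (item 5-1), rejects weak passwords (4-2, 4-3), forces a
change of the initial password (4-4), locks the account after repeated
failures (4-5, 4-7) and requires the current password to change it (4-6).
Strength rules, thresholds and iteration count are constructed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # constructed; use a higher count or Argon2/bcrypt in production
MAX_FAILURES = 5             # constructed lockout threshold (items 4-5, 4-7)


def password_is_weak(password: str, user_id: str) -> bool:
    """Items 4-2/4-3: minimum length, at least three character classes, and not
    derived from the user ID. A real check would also consult a breached list."""
    if len(password) < 12 or user_id.lower() in password.lower():
        return True
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) < 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Item 5-1: a slow, salted one-way function; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    def __init__(self):
        self._users = {}  # user_id -> record holding salt, hash, counters only

    def create_user(self, user_id: str) -> str:
        """The server issues the initial password (16 random characters); it is
        returned once for delivery and must be changed at first login (4-4)."""
        initial = secrets.token_urlsafe(12)
        self._set_password(user_id, initial, must_change=True)
        return initial

    def _set_password(self, user_id, password, must_change):
        salt = secrets.token_bytes(16)
        self._users[user_id] = {"salt": salt, "hash": hash_password(password, salt),
                                "failures": 0, "locked": False, "must_change": must_change}

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'change_required', 'locked' or 'denied'."""
        rec = self._users.get(user_id)
        if rec is None:
            return "denied"
        if rec["locked"]:
            return "locked"
        # Constant-time comparison of the derived hashes.
        if not hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked"] = True          # item 4-5: lock after repeated failures
                return "locked"
            return "denied"
        rec["failures"] = 0
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, user_id: str, current: str, new: str) -> str:
        """Item 4-6: the current password is required; its failures count toward
        the same lockout (4-7); weak or unchanged passwords are rejected (4-4)."""
        outcome = self.login(user_id, current)
        if outcome in ("denied", "locked"):
            return outcome
        if password_is_weak(new, user_id) or new == current:
            return "weak"
        self._set_password(user_id, new, must_change=False)
        return "ok"
```

A successful login resets the failure counter, so an ordinary user who mistypes occasionally is never locked, while a sustained guessing run reaches the threshold; the same counter protects the change-password screen, which the checklist calls out separately in 4-7.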
Chapter 6 Checklist for client program development

Large category: Client programs (ActiveX, Java, Flash, etc.) linked to the web application are used

6-1 Check: Aren't pieces of critical information (credit card numbers, personal information, authentication data, etc.) or system data embedded in the client program?
    Explanation: Although ActiveX controls, Java applets and Flash are provided as binary files, it is possible to obtain critical information contained in the binary file by browsing it directly. It is also possible to decompile a Java applet to browse the source code.
    Answer: N.A.

6-2 Check: Aren't important objects like session data stored in a local file?
    Explanation: When using a client program, do not embed critical information (credit card numbers, personal information, authentication data, etc.) or system data in the program or its property file. Also, do not save important objects like session data as a local file.
    Answer: N.A.

Chapter 7 Checklist for credit card payment

Large category: Credit card payment function is provided

7-1 Check: Aren't sensitive authentication data like credit cards' magnetic stripe data, card validation codes (CAV2/CID/CVC2/CVV2) and PINs stored?
    Explanation: It is possible that an attacker who has obtained the card verification code and PIN, together with a credit card number and its expiry date, in an SQL injection attack would assume the identity of the cardholder to make illegal credit card payments.
    Answer: N.A.

Chapter 8 Checklist for screen display

Large category: Critical information (credit card numbers, personal information, authentication data, etc.) is displayed and updated

8-1 Check: Confidential information like the user ID, password and credit card number shall not be displayed on the web page. If they are displayed, are they partially replaced with a special character like "*"?
    Explanation: Confidential information may be obtained by peeking at the screen from behind the user or by browsing the source code (HTML) of the screen during the user's absence. If TLS is not used, it is also possible to obtain confidential information by sniffing communication over the network.
    Answer: N.A.

Large category: Error screens are displayed

8-2 Check: Is the information displayed on the error screen limited to the minimum, without displaying messages that give out system configuration like system paths?
    Explanation: System configuration data (e.g. the OS used, product names of the web server/middleware/database, system paths, etc.) may be obtained from error messages and used as clues for an attack.
    Answer: ✕
    Current status: Information indicating which entry is wrong, such as the message "the ID is wrong" if a wrong ID is entered or "the PW is wrong" if a wrong password is entered, is presented on the web page.
    Corrective action: A correction shall be made to display the message "the entered data is wrong" whenever a wrong ID or password is entered. The plan is to complete the correction within a month, although the release may need to be coordinated with other features.

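The masking of item 8-1 and the generic error message that the corrective action for 8-2 describes, as an added example that is not part of the checklist or of the site it assesses. The masking widths, the logger name, the `AuthError` class and the support-reference wording are constructed for the example; what it shows is that the distinguishing detail (which field was wrong, which path failed) goes to the server log under a request ID and never into the page.

```python
"""Added example (not part of the checklist): partial masking of critical
values before display (item 8-1) and a single generic error message for
the user while the detail stays in the server log (item 8-2).
Widths, names and wording are constructed for this example.
"""
import logging

log = logging.getLogger("app")  # constructed logger name


def mask_card_number(card_number: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*', keeping separators."""
    digit_count = sum(c.isdigit() for c in card_number)
    hide = max(digit_count - keep_last, 0)
    out, seen = [], 0
    for c in card_number:
        if c.isdigit():
            out.append("*" if seen < hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_user_id(user_id: str) -> str:
    """Show only the first character of the ID. A password is never shown at all,
    so there is no masking function for it."""
    return user_id[:1] + "*" * (len(user_id) - 1) if user_id else ""


class AuthError(Exception):
    """Constructed: raised with a specific reason that must not reach the page."""


def login_message(error: Exception, request_id: str) -> str:
    """Item 8-2: the same message for a wrong ID and a wrong password; the
    specific reason stays in the server log, keyed by a request ID."""
    log.warning("login failed [%s]: %r", request_id, error)
    if isinstance(error, AuthError):
        return "The entered data is wrong."
    # Unexpected errors must not leak OS, product or path names either:
    # the exception text is logged above, not shown.
    return f"An error occurred. Please contact support and quote reference {request_id}."
```

Returning one message for both "no such user" and "wrong password" removes the account-enumeration signal the current status describes, and the request reference lets support staff find the logged detail without it ever being rendered.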
Chapter 9 Checklist for the website management

Large category: All websites and web services

9-1 Check: Isn't the login console for the website administrator published on the Internet?
    Explanation: Once the ID/password authentication is breached, there is a possibility that the system configuration would be modified or confidential information leaked.
    Answer: 〇

9-2 Check: Aren't FTP (21/tcp) communication services published on the Internet without encryption?
    Explanation: Transmitting data in plain text creates a possibility that critical information on the communication path (user IDs, passwords, personal data, etc.) would be leaked by packet sniffing.
    Answer: 〇

9-3 Check: Isn't HTTP (80/tcp) communication used on screens where authentication data are processed?
    Explanation: Transmitting data in plain text creates a possibility that critical information on the communication path (user IDs, passwords, personal data, etc.) would be leaked by packet sniffing.
    Answer: 〇

Large category: The FTP service is used

9-4 Check: Isn't anonymous login allowed for FTP services on the Internet?
    Explanation: A flaw in the directory permissions may allow malicious script files to be uploaded and executed, causing negative impacts on the system.
    Answer: 〇

Large category: A certificate service is used

9-5 Check: Aren't self-signed and/or expired certificates used in web services?
    Explanation: Because the reliability of the site cannot be certified, there is a risk of exposing the site's users to danger.
    Answer: 〇

Large category: A development environment is constructed

9-6 Check: Isn't the website development environment published on the Internet?
    Explanation: It is possible that the development environment does not have its vulnerabilities addressed, or that it contains information that can be used to start an attack on the published websites.
    Answer: 〇

Large category: A database (DB) is used

9-7 Check: Has the necessity of publishing the DB port on the Internet been verified and, if it is not necessary, is access controlled by the network or the server?
    Explanation: Because most databases handle critical information, if authentication is breached, it is possible that the system configuration would be modified or confidential information stolen.
    Answer: 〇

Large category: The RDP service (port) is used

9-8 Check: Isn't the RDP service (port) used for remote desktop published on the Internet?
    Explanation: If the authentication process is breached, an unauthorized remote connection would be established, causing the system configuration to be modified and/or confidential information to be stolen.
    Answer: 〇

Large category: The SMB service (port) is used

9-9 Check: Isn't the SMB service (port) used for file sharing published on the Internet?
    Explanation: There is a possibility that damage would be caused by a cyber attack targeting port 445, which is used for file sharing in SMB.
    Answer: 〇

Large category: The SSH (22/tcp) service is used

9-10 Check: Isn't the SSH (22/tcp) service published on the Internet?
    Explanation: If authentication is breached, there is a possibility that the system configuration would be modified and/or confidential information leaked.
    Answer: 〇
