The Web Security Checklist is a measure to prevent vulnerabilities from being introduced during the development and construction of websites because of inadequacies or incorrect settings in the construction process.
Using the Web Security Checklist makes it possible to maintain the security of websites without fail.
If the structures and/or processes stated under the “large category” in Column B of this checklist are found after checking the construction of the subject website or web service, the corresponding security measures stated under the “medium category” in Column D must be implemented; if the structures and/or processes stated under the “large category” in Column B are not found, select “N.A.” in the answer field in Column F.
Checks defined in this checklist shall be evaluated at three levels (satisfied, marked 〇 in the form; not satisfied; or N.A. (Not Applicable)). For items that do not satisfy the requirements, make modifications wherever modification is possible and, where it is not, develop corrective actions including alternative measures and implement them without fail.
3. Remarks
If this checklist is to be provided to subcontractors and/or partners, ensure that non-disclosure agreements have been signed by the companies concerned and obtain their agreement not to disclose the list to third parties.
[Form] Web Security Checklist Ver1.0
Website name:
URL:
Organization name:
Management/Operation department:
Newly constructed or existing website:
Administrator (Information security leader): Affiliation / Name / Date (YYYY/MM/DD)
Applicant (Website manager): Affiliation / Name / Date (YYYY/MM/DD)
Stated below is the state of compliance with the security checklist for the website to be published.
1-1
  Large category: Process texts (parameters, headers, etc.) entered by the user
  Check item: Is the legitimacy of each form data (format, length, positive/negative sign for numeric values) checked?
  Explanation: Specifically, is the character allowed, is the string length allowed, or isn’t the value negative?
1-3
  Check item: Are the format and value checked properly depending on the meaning of the input data?
  Explanation: The format for e-mail addresses, the number of products ordered (whether it is within the limit allowed for one order), or parameters (values embedded in the e-mail address or cookies) that may cause problems if a line feed is included.
1-6
  Check item: Are calls to external commands avoided whenever possible? If it is necessary to call external commands due to a limitation in the implementation, is it ensured that the data given by the user do not contain characters (e.g. special symbols) that would be processed on the server?
  Explanation: Avoid calling external commands whenever possible and use the library or implement equivalent functions. If external commands need to be called by embedding data into arguments for reasons such as restrictions in implementation, check the legitimacy of the data on the server. Specifically, limit the characters (e.g. to alphanumeric characters only) that can be designated as arguments by referring to the manual of the commands to be called and, if any other character is entered, reject everything.
1-10
  Check item: Are “%” and “_” escaped to “\%” and “\_” in the LIKE clause?
  Explanation: Because the special characters “%” and “_”, which are treated as wildcards, are not processed as normal characters in the LIKE clause even if the bind mechanism is used.
1-11
  Large category: Input values are used as (parts of) filenames to manipulate files
  Check item: Isn’t a value entered by the user used as a (part of a) file name?
  Explanation: If it is necessary to use the input value from the user as a (part of a) filename for some reason, prohibit path designations like “/etc/passwd” and ensure that character strings like “../” indicating a higher path are not included. In addition, check to see whether the user has access to the designated file on the server.
1-13
  Large category: E-mails are sent by generating the message dynamically based on information entered by the user or passed on from external sources
  Check item: Are illegal values including the linefeed code (%0D%0A or %0A) converted (processed as escape sequences)?
  Explanation: If there is an e-mail transmission process and e-mails are sent using data passed on from external sources or an e-mail address entered by the user, convert illegal values including the linefeed code (treat them as escape sequences).
2-6
  Check item: Aren’t encrypted communication (https) and non-encrypted communication (http) mixed?
  Explanation: If TLS is used, always use TLS communication regardless of the presence of critical information.
2-8
  Large category: The source of connection is restricted by the IP address or client certificate of the source (authentication is made by the login function and session management is not done by cookie)
  Check item: Is the connection denied for FQDNs (domain names) other than those of the company’s website by checking the HOST field in the HTTP header?
  Explanation: If the source of access is restricted based on the connection source IP address or client certificate, an attacker may obtain confidential information by using the user as a stepping stone through an attack referred to as “DNS rebinding”. If DNS rebinding is misused, the FQDN (domain name) of a malicious website can be set in the HOST field of the HTTP header.
3-10
  Check item: Isn’t the session region updated if an input error is detected?
  Explanation: By contaminating the session region and bypassing the input data check during the sequence of operations “input → check → complete” in a system controlling the session, a “session poisoning” attack becomes possible, in which unlawful gain could be made by settling a payment with a fraudulent amount or confidential information could be obtained by executing arbitrary commands.
3-12
  Check item: If serialization is adopted, is an action taken to prevent restoration and falsification of serialized data?
  Explanation: It is necessary to take actions so that the application rejects serialized data it receives whenever they have been falsified.
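Items 2-8 and 3-12 both come down to refusing a request before its content is acted on: one by comparing the HOST field against the site’s own FQDNs, the other by checking a message authentication code before serialized data is deserialized. The following is an added example in Python, not part of the checklist; the hostnames, the key and the payload values are constructed, and the HMAC-over-JSON construction is one common way to make serialized data tamper-evident, not a method the checklist prescribes.

```python
"""Added example (not part of the checklist): a Host-header allow-list for
item 2-8 and tamper-evident serialized data for item 3-12. The hostnames,
key and payload values are constructed for illustration."""
import base64
import binascii
import hashlib
import hmac
import json

# 2-8: requests whose Host header is not one of the site's own FQDNs are
# refused before any application logic runs.
ALLOWED_HOSTS = {"www.example.com", "example.com"}   # constructed names

def host_is_allowed(host_header) -> bool:
    """Accept only an exact allow-listed name (case-insensitive, optional :port)."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):          # IPv6 literal: never one of our FQDNs
        return False
    host = host.split(":", 1)[0]
    return host in ALLOWED_HOSTS

# 3-12: data serialized for the client carries an HMAC made with a key only
# the server holds; anything that fails verification is rejected unread.
def sign_payload(data: dict, key: bytes) -> str:
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(tag).decode())

def verify_payload(token: str, key: bytes):
    """Return the deserialized dict, or None when the token is malformed or altered."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)          # only reached for authentic data

def demo() -> dict:
    key = b"constructed-demo-key-not-for-production"
    original = {"cart_total": 4980, "user": "u1"}
    token = sign_payload(original, key)
    # Constructed case: the body was altered in transit but the old tag kept.
    _, tag_b64 = token.split(".", 1)
    altered_body = json.dumps({"cart_total": 1, "user": "u1"}, sort_keys=True,
                              separators=(",", ":")).encode()
    altered = base64.urlsafe_b64encode(altered_body).decode() + "." + tag_b64
    return {
        "host_ok": host_is_allowed("WWW.Example.com:443"),
        "host_rejects_other": host_is_allowed("attacker.example.net"),
        "host_rejects_empty": host_is_allowed(""),
        "roundtrip": verify_payload(token, key),
        "altered_rejected": verify_payload(altered, key),
        "garbage_rejected": verify_payload("not-a-token", key),
    }
```

Note that `verify_payload` checks the tag before `json.loads` runs, so untrusted bytes are never handed to the deserializer; with a native object serializer in place of JSON that ordering is what keeps deserialization of falsified data from happening at all.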
4-1
  Check item: Is a user ID that is difficult to guess issued by the server (service provider) without letting the user specify it?
  Explanation: By trying out common combinations of user IDs and passwords, accounts available for login could be found, and an attacker may assume the username with the inferred password to use the service unlawfully.
4-7
  Check item: Is the number of failures in authenticating the current password limited?
  Explanation: Establish a limit on the number of failures in validating the current password in anticipation of a brute-force attack.
4-9
  Large category: Data inherent to the cellphone is used as an authentication element
  Check item: Is the user required to enter his/her password?
  Explanation: If authentication is based only on cellphone data (so-called “easy login”), the security level of the system drops significantly in the following respects.
  • It is possible to modify the “terminal specific ID” or add a “user specific ID” to the ID inherent to the cellphone.
  • A system in which a password is used for authentication would complete the authentication without the password.
4-10
  Large category: URL and token for authentication are used
  Check item: Are reuse and validity restricted?
  Explanation: An attacker who has sniffed an e-mail could access the URL containing the token and complete operations such as creation of a new account or the setup of ID/password reminders under an assumed username.
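Item 4-7 asks for a limit on failed current-password checks and item 4-10 for restrictions on the reuse and validity of e-mailed authentication tokens (the completed sample below also lists 4-6, requiring the current password on a password change). The following added example in Python, not part of the checklist, shows one way to implement both: the limit of five failures, the 15-minute validity window, the PBKDF2 parameters, the injectable clock and all sample credentials are constructed for illustration.

```python
"""Added example (not part of the checklist): re-authentication with a
failure limit for the password-change flow (items 4-6 and 4-7) and single-use,
time-limited tokens for e-mailed URLs (item 4-10). The limit, the TTL, the
clock handling and all sample values are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import time

MAX_FAILURES = 5           # constructed limit; the checklist only requires one to exist
TOKEN_TTL_SECONDS = 900    # constructed validity window for an e-mailed URL
PBKDF2_ROUNDS = 100_000    # constructed; tune to the server's capacity

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failures = 0
        self.locked = False

def change_password(acct: Account, current: str, new: str) -> str:
    """The current password must be re-entered; repeated wrong entries lock
    the account. Returns 'changed', 'rejected' or 'locked'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(hash_password(current, acct.salt), acct.pw_hash):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "rejected"
    acct.failures = 0
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new, acct.salt)
    return "changed"

class TokenStore:
    """Tokens embedded in e-mailed URLs: unguessable, bound to one purpose,
    expiring, and consumed on first use so a sniffed link cannot be replayed."""
    def __init__(self, now=time.time):
        self._now = now            # injectable clock (constructed for the demo)
        self._tokens = {}

    def issue(self, user: str, purpose: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, purpose, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, purpose: str):
        """Return the user on the first valid use, None otherwise. The token is
        removed whatever the outcome, so an expired or mis-purposed one cannot
        be retried either."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        user, stored_purpose, expires = entry
        if stored_purpose != purpose or self._now() > expires:
            return None
        return user

def demo() -> dict:
    acct = Account("correct-horse")              # constructed credentials
    first_try = change_password(acct, "wrong", "new-pass")
    second_try = change_password(acct, "correct-horse", "new-pass")
    locked_acct = Account("pw")
    attempts = [change_password(locked_acct, "bad", "x") for _ in range(MAX_FAILURES)]
    after_lock = change_password(locked_acct, "pw", "x")

    clock = [1_000.0]                            # fake clock for deterministic expiry
    store = TokenStore(now=lambda: clock[0])
    t1 = store.issue("alice", "password-reset")
    t2 = store.issue("bob", "password-reset")
    t3 = store.issue("carol", "password-reset")
    first_use = store.redeem(t1, "password-reset")
    replay = store.redeem(t1, "password-reset")
    wrong_purpose = store.redeem(t3, "new-account")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(t2, "password-reset")
    return {
        "wrong_current_rejected": first_try, "correct_current_changed": second_try,
        "lockout_sequence": attempts, "locked_even_with_correct": after_lock,
        "first_use": first_use, "replay": replay,
        "wrong_purpose": wrong_purpose, "expired": expired,
    }
```

Once locked, the account stays locked even when the correct current password is presented; unlocking is left to a separate administrative or recovery step, which is what keeps the limit meaningful.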
6-1
  Large category: Client programs (ActiveX, Java, Flash, etc.) linked to the web application are used
  Check item: Aren’t pieces of critical information (credit card numbers, personal information, authentication data, etc.) or system data embedded in the client program?
  Explanation: Although ActiveX, Java applets and Flash are provided as binary files, it is possible to obtain critical information contained in the binary file by browsing it directly. It is also possible to decompile a Java applet to browse the source code.
6-2
  Check item: Aren’t important objects like the session data stored in a local file?
  Explanation: When using a client program, do not embed critical information (credit card numbers, personal information, authentication data, etc.) or system data in the program or its property file. Also, do not save important objects like the session data as a local file.
7-1
  Large category: Credit card payment function is provided
  Check item: Aren’t sensitive authentication data like credit cards’ magnetic stripe data, card validation codes (CAV2/CID/CVC2/CVV2) and PINs stored?
  Explanation: An attacker who has obtained the card verification code and PIN, together with a credit card number and its expiry date, through an SQL injection attack could assume the identity of the cardholder to make illegal credit card payments.
9-3
  Check item: Isn’t HTTP (80/tcp) communication used on screens where authentication data are processed?
  Explanation: Transmitting data in plain text creates the possibility that critical information on the communication path (user IDs, passwords, personal data, etc.) is leaked by packet sniffing.
9-5
  Large category: A certificate service is used
  Check item: Aren’t self-signed certificates and/or expired certificates used in web services?
  Explanation: Because the authenticity of the site cannot be verified, there is a risk of exposing the site’s users to danger.
9-7
  Large category: A database (DB) is used
  Check item: Is the necessity of publishing the DB port on the Internet verified and, if it is not necessary, is access controlled by the network or the server?
  Explanation: Because most databases handle critical information, if authentication to the database is breached, the system configuration could be modified or confidential information stolen.
9-9
  Large category: The SMB service (port) is used
  Check item: Isn’t the SMB service (port) used for sharing files published on the Internet?
  Explanation: Damage could be caused by a cyber attack targeting port 445, which is used for file sharing in SMB.
Completed sample (answers in Column F: 〇 = satisfied, N.A. = Not Applicable)
1-1
  Large category: Process texts (parameters, headers, etc.) entered by the user
  Check item: Is the legitimacy of each form data (format, length, positive/negative sign for numeric values) checked?
  Explanation: Specifically, is the character allowed, is the string length allowed, or isn’t the value negative?
  Answer: 〇
1-3
  Check item: Are the format and value checked properly depending on the meaning of the input data?
  Explanation: The format for e-mail addresses, the number of products ordered (whether it is within the limit allowed for one order), or parameters (values embedded in the e-mail address or cookies) that may cause problems if a line feed is included.
  Answer: 〇
1-10
  Check item: Are “%” and “_” escaped to “\%” and “\_” in the LIKE clause?
  Explanation: Because the special characters “%” and “_”, which are treated as wildcards, are not processed as normal characters in the LIKE clause even if the bind mechanism is used.
  Answer: N.A.
1-11
  Large category: Input values are used as (parts of) filenames to manipulate files
  Check item: Isn’t a value entered by the user used as a (part of a) file name?
  Explanation: If it is necessary to use the input value from the user as a (part of a) filename for some reason, prohibit path designations like “/etc/passwd” and ensure that character strings like “../” indicating a higher path are not included. In addition, check to see whether the user has access to the designated file on the server.
  Answer: N.A.
1-13
  Large category: E-mails are sent by generating the message dynamically based on information entered by the user or passed on from external sources
  Check item: Are illegal values including the linefeed code (%0D%0A or %0A) converted (processed as escape sequences)?
  Explanation: If there is an e-mail transmission process and e-mails are sent using data passed on from external sources or an e-mail address entered by the user, convert illegal values including the linefeed code (treat them as escape sequences).
  Answer: N.A.
2-6
  Check item: Aren’t encrypted communication (https) and non-encrypted communication (http) mixed?
  Explanation: If TLS is used, always use TLS communication regardless of the presence of critical information.
  Answer: 〇
2-8
  Large category: The source of connection is restricted by the IP address or client certificate of the source (authentication is made by the login function and session management is not done by cookie)
  Check item: Is the connection denied for FQDNs (domain names) other than those of the company’s website by checking the HOST field in the HTTP header?
  Explanation: If the source of access is restricted based on the connection source IP address or client certificate, an attacker may obtain confidential information by using the user as a stepping stone through an attack referred to as “DNS rebinding”. If DNS rebinding is misused, the FQDN (domain name) of a malicious website can be set in the HOST field of the HTTP header.
  Answer: 〇
3-10
  Check item: Isn’t the session region updated if an input error is detected?
  Explanation: By contaminating the session region and bypassing the input data check during the sequence of operations “input → check → complete” in a system controlling the session, a “session poisoning” attack becomes possible, in which unlawful gain could be made by settling a payment with a fraudulent amount or confidential information could be obtained by executing arbitrary commands.
  Answer: 〇
3-12
  Check item: If serialization is adopted, is an action taken to prevent restoration and falsification of serialized data?
  Explanation: It is necessary to take actions so that the application rejects serialized data it receives whenever they have been falsified.
  Answer: 〇
4-1
  Check item: Is a user ID that is difficult to guess issued by the server (service provider) without letting the user specify it?
  Explanation: By trying out common combinations of user IDs and passwords, accounts available for login could be found, and an attacker may assume the username with the inferred password to use the service unlawfully.
  Answer: N.A.
4-6
  Check item: When changing the password, is the user required to enter the current password?
  Explanation: Provide a feature for the user to change his/her password. In doing so, require the user to enter the current password to prevent the password from being changed by a third party when the session is hijacked or the user’s terminal is operated fraudulently.
  Answer: N.A.
4-7
  Check item: Is the number of failures in authenticating the current password limited?
  Explanation: Establish a limit on the number of failures in validating the current password in anticipation of a brute-force attack.
  Answer: N.A.
4-9
  Large category: Data inherent to the cellphone is used as an authentication element
  Check item: Is the user required to enter his/her password?
  Explanation: If authentication is based only on cellphone data (so-called “easy login”), the security level of the system drops significantly in the following respects.
  • It is possible to modify the “terminal specific ID” or add a “user specific ID” to the ID inherent to the cellphone.
  • A system in which a password is used for authentication would complete the authentication without the password.
  Answer: N.A.
4-10
  Large category: URL and token for authentication are used
  Check item: Are reuse and validity restricted?
  Explanation: An attacker who has sniffed an e-mail could access the URL containing the token and complete operations such as creation of a new account or the setup of ID/password reminders under an assumed username.
  Answer: N.A.
6-1
  Large category: Client programs (ActiveX, Java, Flash, etc.) linked to the web application are used
  Check item: Aren’t pieces of critical information (credit card numbers, personal information, authentication data, etc.) or system data embedded in the client program?
  Explanation: Although ActiveX, Java applets and Flash are provided as binary files, it is possible to obtain critical information contained in the binary file by browsing it directly. It is also possible to decompile a Java applet to browse the source code.
  Answer: N.A.
6-2
  Check item: Aren’t important objects like the session data stored in a local file?
  Explanation: When using a client program, do not embed critical information (credit card numbers, personal information, authentication data, etc.) or system data in the program or its property file. Also, do not save important objects like the session data as a local file.
  Answer: N.A.
9-3
  Check item: Isn’t HTTP (80/tcp) communication used on screens where authentication data are processed?
  Explanation: Transmitting data in plain text creates the possibility that critical information on the communication path (user IDs, passwords, personal data, etc.) is leaked by packet sniffing.
  Answer: 〇
9-5
  Large category: A certificate service is used
  Check item: Aren’t self-signed certificates and/or expired certificates used in web services?
  Explanation: Because the authenticity of the site cannot be verified, there is a risk of exposing the site’s users to danger.
  Answer: 〇
9-7
  Large category: A database (DB) is used
  Check item: Is the necessity of publishing the DB port on the Internet verified and, if it is not necessary, is access controlled by the network or the server?
  Explanation: Because most databases handle critical information, if authentication to the database is breached, the system configuration could be modified or confidential information stolen.
  Answer: 〇
9-9
  Large category: The SMB service (port) is used
  Check item: Isn’t the SMB service (port) used for sharing files published on the Internet?
  Explanation: Damage could be caused by a cyber attack targeting port 445, which is used for file sharing in SMB.
  Answer: 〇