V13.4.1
V13.4.1: Verify that the application is deployed either without any source control metadata, including the .git or .svn folders, or in a way that these folders are inaccessible both externally and to the application itself.

V13.4.2
V13.4.2: Verify that debug modes are disabled for all components in production environments to prevent exposure of debugging features and information leakage.

V13.4.3
V13.4.3: Verify that web servers do not expose directory listings to clients unless explicitly intended.

V13.4.4
V13.4.4: Verify that using the HTTP TRACE method is not supported in production environments, to avoid potential information leakage.

V13.4.5
V13.4.5: Verify that documentation (such as for internal APIs) and monitoring endpoints are not exposed unless explicitly intended.

V13.4.6
V13.4.6: Verify that the application does not expose detailed version information of backend components.

V13.4.7
V13.4.7: Verify that the web tier is configured to only serve files with specific file extensions to prevent unintentional information, configuration, and source code leakage.
