The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a website. The members of the Web Application Security Consortium created this project to develop and promote industry-standard terminology for describing these issues, so that application developers, security professionals, software vendors, and compliance auditors have a consistent language for web security issues.
Attacks
Abuse of Functionality
Brute Force
Buffer Overflow
Content Spoofing
Credential/Session Prediction
Cross-Site Scripting
Cross-Site Request Forgery
Denial of Service
Fingerprinting
Format String
HTTP Response Smuggling
HTTP Response Splitting
HTTP Request Smuggling
HTTP Request Splitting
Integer Overflows
LDAP Injection
Mail Command Injection
Null Byte Injection
OS Commanding
Path Traversal
Predictable Resource Location
Remote File Inclusion (RFI)
Routing Detour
Session Fixation
SOAP Array Abuse
SSI Injection
SQL Injection
URL Redirector Abuse
XPath Injection
XML Attribute Blowup
XML External Entities
XML Entity Expansion
XML Injection
XQuery Injection
Weaknesses
Application Misconfiguration
Directory Indexing
Improper Filesystem Permissions
Improper Input Handling
Improper Output Handling
Information Leakage
Insecure Indexing
Insufficient Anti-automation
Insufficient Authentication
Insufficient Authorization
Insufficient Password Recovery
Insufficient Process Validation
Insufficient Session Expiration
Insufficient Transport Layer Protection
Server Misconfiguration
Threat Classification "Development Phase View"
This WASC Threat Classification view was created to loosely outline where in the development lifecycle a particular type of vulnerability is likely to be introduced. It is an attempt to identify the common root causes and development phases in which vulnerabilities are introduced; it does not attempt to address improperly patched servers or to enumerate edge cases.
This view uses many-to-many relationships: a single vulnerability class may be introduced in more than one phase, and each phase covers many classes.
Definitions
Design: Covers vulnerabilities that are likely to be introduced because mitigations were not specified in the software design or requirements, or because a design or requirement was poorly or improperly defined.
Implementation: Covers vulnerabilities that are likely to be introduced due to a poor choice of implementation.
Deployment: Covers vulnerabilities that are likely to be introduced due to poor deployment procedures or bad application/server configurations.
Official WASC classification document.
Thanks for the description; I was looking for information about the WASC classification.
Nice post. I was constantly checking this blog and I am impressed!
Extremely helpful information, specifically the last part 🙂 I care for such info a lot. I was looking for this particular info for a long time.
Thank you and best of luck.