« Fuzzware 1.5 released | Main | Hacker Extradited For Stock Market Manipulation Via Stolen Accounts »

WASC Threat Classification 2.0 Sneak Peek

Here is a sneak peek at the WASC Threat Classification v2.0. We've been working on this for more than a year and it's been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed.

Mission statement

"The Threat Classification v2.0 outlines the attacks and weaknesses that can lead to the compromise of a website, its data, or its users. This document primarily serves as a reference guide for each given attack or weakness and provides examples of each issue as well as helpful reference material."

Authors and Contributors
Using the Threat Classification
Glossary of terms

Attacks Weaknesses
Abuse of Functionality Application Misconfiguration
Brute Force Directory Indexing
Buffer Overflow Improper Parsing 
Content Spoofing Improper Filesystem Permissions
Credential/Session Prediction Improper Input Handling
Cross-Site Scripting Improper Output Handling
Cross-Site Request Forgery Information Leakage
Denial of Service Insecure Indexing 
Fingerprinting Insufficient Anti-automation
Format String Insufficient Authentication
HTTP Request Splitting Insufficient Authorization
HTTP Response Splitting Insufficient Process Validation
HTTP Request Smuggling Insufficient Session Expiration
HTTP Response Smuggling Insufficient Transport Layer Protection
Integer Overflow Server Misconfiguration
LDAP Injection  
Mail Command Injection  
Null Byte Injection  
OS Commanding
Path Traversal  
Predictable Resource Location  
Remote File Inclusion (RFI)  
Routing Detour
SOAP Array Abuse
SSI Injection
Session Fixation
SQL Injection
URL Redirector Abuse   
XPath Injection  
XML Attribute Blowup  
XML External Entities  
XML Entity Expansion   
XML Injection  
XQuery Injection  


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!