-
WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
The Web Application Security Consortium (WASC) is pleased to announce the Static Analysis Technologies Evaluation Criteria. The goal of the SATEC project is to create a vendor-neutral set of criteria to help guide application security professionals during the process of acquiring a static code analysis technology that is intended to be used during source-code driven…
-
Updating the WASC Threat Classification
I've been pretty busy the past few months which has resulted in zero site updates. The good news is I've kicked off the next phase of the WASC Threat Classification and our first update is the completion of the TC's missing crypto section.
-
WASC Announcement: ‘Static Analysis Tool Evaluation Criteria’ Call For Participants
I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics, vendors, software developers…
-
Announcing WASC Web Hacking Incident Database (WHID) Mail-list
Ryan Barnett (Leader of the WASC Web Hacking Incidents Database Project) has announced a new mailing list where users can subscribe to hear about the latest hacking incidents. From his email to The Web Security Mailing List "Greetings everyone,I wanted to let everyone know that we have setup a mail-list for those of you who…
-
WASC Party at RSA
The Web Application Security Consortium (in which I am a co founder) is throwing a party at RSA this year in San Francisco. Here's the formal announcement. "Take a Break @ RSA and Meet-up with Your Peers at the WASC Meet UP Join your Web application security peers for lunch at Jillian's@Metreon. Take a…
-
WASC Web Hacking Incident Database Semi-Annual Report for 2010
Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning. "Greetings everyone, I wanted to let you all know that we have released the new WHID report for 2010 – http://projects.webappsec.org/Web-Hacking-Incident-Database-2010-Semi-Annual-Report A…
-
WASC RSA Meet-Up 2010!
The Web Application Security Consortium (WASC) is having an official meetup in San Francisco during the RSA conference.If you like to get free food/drinks, shoot pool, and chat appsec with many of the leading researchers in the appsec world this is your chance. WASC RSA 2010 Meet-up Wednesday, March 3, 2010 Lunch served: 12:00 PM…
-
WASC Threat Classification to OWASP Top Ten RC1 Mapping
Jeremiah Grossman and Bil Corry have created a nice visual mapping between the OWASP Top Ten and the WASC Threat Classification v2. More Information: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html
-
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is pleased to announce…
-
Experimenting With WASC Threat Classification Views: Vulnerability Root Cause Mapping
I currently lead the WASC Threat Classification Project and we're expecting to publish our latest version next month. One of the biggest changes between the TCv2 and TCv1 is that we're doing away with single ways to represent the data. In the TCv1 we had a single tree structure to convey appsec concepts. After months…
-
WASC Announcement: 2008 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool togethersanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. The statistics was compiled from web application security assessment projects which…
-
WASC TC v2 – Improper Input Handling Section Completed
I lead the WASC Threat Classification v2 project and we've just completed a section that I felt deserved its own post. Prasad Shenoy along with the WASC TC peer review team authored a really great section on Improper Input Handling meant to describe each aspect of input handling with a medium level of detail. We've…
-
Announcing the Web Application Security Scanner Evaluation Criteria v1
“The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list of features that…
-
WASC Honeypots – Apache Tomcat Admin Interface Probes
The WASC Distributed Open Proxy Honeypots project has published an entry on people performing brute force attacks against tomcat administrative interfaces through WASC's open relay proxies. Tomcat Brute Forcing: http://tacticalwebappsec.blogspot.com/2009/10/wasc-honeypots-apache-tomcat-admin.html
-
WASC Distributed Open Proxy Honeypot Shows Brute Force Attacks Against Yahoo
Fellow WASC officer Ryan Barnett has published findings pertaining to a distributed brute force attack against Yahoo's login pages as part of his findings for the WASC Distributed Open Proxy Honeypot Project . For those not aware of this project, Ryan leads an initiative where people run open relay proxies and centrally upload the logs…
-
WASC Distributed Open Proxy Honeypot Update – XSS in User-Agent Field
"In case you missed it, the WASC Distributed Open Proxy Honeypot Project launched Phase III at the end of July. We have a few sensors online and as we start gathering data, we are starting our analysis. Our goal is to be able to release "events of interest" to the community to try and raise…
-
WASC Threat Classification v2 updates
We're nearing the completion of the WASC Threat Classification v2 (2 sections left!) and have added the following new sections since my last couple of posts. Null Byte Injection Integer Overflows We've also heavily updated the following sections Buffer Overflows (in depth discussion of heap vs stack vs integer overflows) SQL Injection (added SQL Injection…
-
Next Phase of WASC’s Distributed Open Proxy Honeypot Project Begins
Fellow WASC Officer Ryan Barnett has started the next phase of the Distributed Open Proxy Honeypot Project where people deploy open relay proxies and send the results to a central host for analysis. I met up with Ryan at blackhat where he showed me the central console displaying metrics for each proxy node (shown below).…
-
Threat Classification v2 and the need for change
As I recently posted the WASC Threat Classification v2 is currently in a public working state and there's been a buzz on the mailing lists about it compared to other related projects. Vishal Garg posed a question I was expecting for awhile which is why does the TCv2 look so much different than TCv1? I've…
-
WASC Threat Classification 2.0 Sneak Peek
Here is a sneak peek at the WASC Threat Classification v2.0. We’ve been working on this for more than a year and it’s been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement “The Threat Classification v2.0 outlines the attacks…
-
Web Application Security Consortium (WASC) RSA Meetup 2009
If you like talking about website and application security and will be in San Francisco in April I highly recommend attending the Web Application Security Consortium's RSA Meet-up. We've been doing this for the past 3-4 years and always get a great crowd. He's the formal announcement. Take a Break @ RSA and Meet-up with…
-
A run down of the major security mailing lists
Here's a run down of the main mailing lists that I follow. While most of these are known in the security industry, many people who frequent this site are from various backgrounds and may find this list useful. Bugtraq: "BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer…
-
WASC Threat Classification v2 Project – Call for Participants
In addition to running CGISecurity I also participate heavily in The Web Application Security Consortium and its projects. I sent the following email to The Web Security Mailing List seeking participants for v2 of the WASC Threat Classification document. "I’m sending this email to the list seeking people to contribute towards The Threat ClassificationVersion 2.0.…
-
WASC Announcement: 2007 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent…
-
OWASP/WASC Party at Blackhat in Las Vegas
WASC and OWASP are throwing a party this year during blackhat at the shadow bar which is being sponsored by Breach. This will be the 3rd party at the shadow bar, and 2nd joint WASC/OWASP conference. If you want to chat appsec this is where everyone in appsec will be.
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack