WASC

The excellent knowledge base at WASC (http://www.webappsec.org) has put together a comprehensive classification of threats to Web applications, in a project led by Jeremiah Grossman. There is some obvious overlap with OWASP’s Top Ten, but to be effective in your vulnerability analysis you need to combine these classifications with the OWASP information rather than rely on either alone. Remember that as an independent pen tester you need to use every resource at your disposal in order to provide the best benefit to your clients. The WASC classifications are as follows (from the WASC documentation):

  1. Authentication
     1.1 Brute Force
     1.2 Insufficient Authentication
     1.3 Weak Password Recovery Validation

  2. Authorization
     2.1 Credential/Session Prediction
     2.2 Insufficient Authorization
     2.3 Insufficient Session Expiration
     2.4 Session Fixation

  3. Client-Side Attacks
     3.1 Content Spoofing
     3.2 Cross-site Scripting

  4. Command Execution
     4.1 Buffer Overflow
     4.2 Format String Attack
     4.3 LDAP Injection
     4.4 OS Commanding
     4.5 SQL Injection
     4.6 SSI Injection
     4.7 XPath Injection

  5. Information Disclosure
     5.1 Directory Indexing
     5.2 Information Leakage
     5.3 Path Traversal
     5.4 Predictable Resource Location

  6. Logical Attacks
     6.1 Abuse of Functionality
     6.2 Denial of Service
     6.3 Insufficient Anti-automation
     6.4 Insufficient Process Validation

The WASC items are intertwined with the OWASP threats wherever possible; comments are included in the relevant sections bringing this to your attention. Those that don’t fit cleanly into any of the OWASP threats are discussed in the section entitled “Other Areas.”
