WASC in the News
The Web is more dangerous, and U.S. is biggest culprit
Government Computer News
December 10th, 2008
Statistical Validation of the IE8 XSS Filter
Microsoft Internet Explorer Blog
September 29th, 2008
The web application vulnerability landscape
Help Net Security
September 10th, 2008
Report: In-Depth Analysis Finds More Severe Web Flaws
Darkreading
September 10th, 2008
Facebook security snafu could compromise accounts
ComputerWorld
May 23rd, 2008
Mass SQL Attack a Wake-Up Call for Developers
TechNewsWorld
April 28th, 2008
Users Urge Vendors to Build in Security
Washington Post
April 23rd, 2008
Pressure on vendors can prevent security woes
InfoWorld
April 23rd, 2008
A Positive Impact on Web Application Security
SAP INFO
February 10, 2007
Web application firewalls critical piece of the app security puzzle
SearchAppSecurity.com
February 1, 2006
Web application firewalls prime for integrators
COMPUTERWORLD
January 23, 2006
Consortium helps define Web application firewalls
Network World
January 23, 2006
WASC launches its Websecurity mailing list
Vulnerabilite.com
May 10, 2005
McAfee's e-commerce play
Red Herring
March 7, 2005
Insecure indexing risk dissected
The Register
March 1, 2005
Next Wave: Security hole offers a way in
Red Herring
September 30, 2004
WASC Tackles Web Application Security
BetaNews
February 27, 2004
Five Web Security Firms Form Consortium
TechWeb
February 24, 2004
Can Security Birds Catch Computer Worm?
IPS
February 20, 2004
Consortium to Target Web App Security
eWeek
February 18, 2004
Web Application Security Consortium
The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.
Volunteering to participate in WASC related activities is free and open to all.
more...
WASC Projects
Interested in application security and want to help? For starters, consider subscribing to The Web Security Mailing List, the most popular application security mailing list on the web. You can also help us by contributing to one of the projects below: simply go to the project you wish to help on and contact the project leader. Joining WASC costs you nothing.
Do you want to work on a new project not listed here? Please contact us using our contact form and let us know what is on your mind.
Web Security Articles
The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.
more...
The Web Hacking Incidents Database
The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web-application-related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide the information needed for statistical analysis of web application security incidents.
more...
Web Application Security Scanner Evaluation Criteria
The Web Application Security Scanner Evaluation Criteria is a set of guidelines for evaluating web application security scanners on their identification of web application vulnerabilities and on the completeness of that identification.
more...
Distributed Open Proxy Honeypots
This project will use one of the web attacker's most trusted tools against them: the open proxy server. Instead of being the target of the attacks, we opt to be used as a conduit for the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy servers (or "proxypots"), we aim to take a bird's-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis of the HTTP traffic to categorize the requests into the threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.
more...
The Script Mapping Project
The purpose of the WASC Script Mapping Project is to come up with an exhaustive list of vectors for executing script within a web page without the use of <script> tags. This data is useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an HTML whitelist system, and for other uses.
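The following is an added example, not code from the Script Mapping Project: a blacklist filter that only strips script tags is run against a handful of constructed non-script vectors of the kind the project catalogues, beside a small allowlist check of the sort the paragraph recommends building instead. The allowed tag and attribute sets and the test vectors are assumptions chosen for the illustration.

```javascript
// Constructed test inputs: vectors that execute script with no <script> tag.
const SCRIPTLESS_VECTORS = [
  '<img src=x onerror=alert(1)>',
  '<svg onload=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
  '<body onload=alert(1)>',
  '<iframe src="javascript:alert(1)"></iframe>',
  '<div style="width:expression(alert(1))">x</div>',
];

// Naive blacklist: removes opening and closing <script> tags (any case)
// and nothing else. This is the filter class the project's list defeats.
function blacklistFilter(html) {
  return html.replace(/<\s*\/?\s*script\b[^>]*>/gi, '');
}

// Allowlist (assumed sets for the example): only these tags and attributes
// may appear; every other tag, every on* handler and every href whose
// scheme is not http(s) causes rejection.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'p', 'br', 'em', 'strong']);
const ALLOWED_ATTRS = new Set(['href', 'title']);

function allowlistAccepts(html) {
  const tagRe = /<\s*(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, name, rawAttrs] = m;
    if (!ALLOWED_TAGS.has(name.toLowerCase())) return false;
    if (closing) continue;
    // name, optionally followed by = and a quoted or bare value
    const attrRe = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(attr)) return false; // catches onclick, style, ...
      if (attr === 'href') {
        const value = (a[2] || '').replace(/^["']|["']$/g, '');
        // Drop whitespace/control bytes browsers ignore before checking scheme.
        const url = value.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
        if (!/^(https?:|\/|#|[^:]*$)/.test(url)) return false;
      }
    }
  }
  return true;
}

// How many of the constructed vectors each approach lets through.
function survivors() {
  return {
    blacklist: SCRIPTLESS_VECTORS.filter((v) => blacklistFilter(v) === v).length,
    allowlist: SCRIPTLESS_VECTORS.filter((v) => allowlistAccepts(v)).length,
  };
}
```

Run `survivors()`: every vector passes the blacklist unchanged, because none of them contains the string it looks for, while the allowlist rejects all of them and still accepts plain markup such as `<p>Hello <a href="https://example.com" title="x">link</a></p>`.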
Web Security Glossary
The Web Security Glossary is an alphabetical index of terms and terminology relating to web applications security. The purpose of the Glossary is to further clarify the language used within the community.
more...
Web Security Threat Classification
The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues.
more...
Web Application Firewall Evaluation Criteria
The goal of this project is to develop detailed web application firewall (WAF) evaluation criteria: a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.
more...
Web Application Security Statistics
The WASC Statistics Project is the first attempt at an industry wide collection of application vulnerability statistics in order to identify the existence and proliferation of application security issues on enterprise websites. Anonymous data correlating vulnerability numbers and trends across organization size, industry vertical and geographic area are being collected and analyzed to identify the prevalence of threats facing today's online businesses. Such empirical data aims to provide the first true statistics on application layer vulnerabilities. Using the Web Security Threat Classification as a baseline, data is currently being collected and contributed by more than a half dozen major security vendors with the list of contributors growing regularly. We are actively seeking others to contribute data.
more...
WASC Announcements and News
WASC Web Application Security Statistics Project 2007 Publishes Report
September 8th, 2008
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative, industry-wide effort to pool sanitized website vulnerability data and gain a better understanding of the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent, regardless of the methodology used to identify them. Industry statistics such as those compiled by the MITRE CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications; this project aims to be the equivalent for custom web applications.
more...
Web Application Security Summit
April 15th, 2008
SANS and WASC have organized a Web Application Security Summit in Las Vegas.
Web Application Security Summit. Jeremiah Grossman, Summit Chair, with Robert "RSnake" Hansen, Gary McGraw, and Caleb Sima. June 2-3, 2008, Paris Hotel & Casino, Las Vegas, NV.
On June 2-3, application security practitioners working in enterprises will share the lessons learned in their application security initiatives. Case studies in application security initiatives will be presented and dozens of questions will be answered. In the last few years there has been a huge surge in web application attacks, with around 70% of all web applications found to have security flaws, and now 80% of new malware is focused on the application layer.
Applications have become the easier attack target. With that change, the criminals added a new security challenge: not only must corporations, schools and governments ensure secure configuration and effective patch management, now they must also ensure the applications they deploy have no security flaws. The WhatWorks in Application Security Summit 2008 brings together the pioneers who have already faced the application security problem. If you are spending or about to spend a lot of money and want to make sure the investment actually improves security, these are real users who can tell you what works and what doesn't.
Agenda
- Is this a developer problem or a security problem? What is the role of each and how do they work together?
- What are the primary attack vectors criminals are using to compromise applications and which programming errors account for the vast majority of those attacks?
- How can we ensure our programmers know the common security flaws and can consistently eliminate them from the code we are deploying? Training? Testing? Hiring? And how can we make sure our outsourced programmers and suppliers also have those skills?
- How do you architect security into the development lifecycle? How do you implement a layered approach to application security? What is SDLC and is it enough?
- In addition to the Credit Card Industry (PCI) Standard, what other standards demand improved application security and what do they specifically require?
- Which application security software tools work best? Do we need a combination of these tools or will one suffice?
- Black-box: web application scanners
- White box: code reviewers
- Application security firewalls
- How often do the tools create false positives and what are the best practices for dealing with false positives? And much more…
This could be a great place to learn from the experiences of others who have been in the hot seat and have real-life insight into what worked for them, what didn't, and why.
You can get a 10% discount if you register early. To register, go to https://www.sans.org/registration/register.php?conferenceid=11223 and use the discount code WASC10.
more...
Announcement:
"The Unexpected SQL Injection" by
Alexander "Mordred" Andonov
September, 2007
This article surveys several scenarios under which SQL injection may occur even though mysql_real_escape_string() has been used. There are two major steps in writing SQL injection resistant code: correct validation and escaping of input, and proper use of the SQL syntax. Failure to comply with either may lead to compromise. Many of the specific issues are already known, but no single document mentions them all.
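An added example, not taken from the article, of the second step failing while the first succeeds: the escaping below re-implements in JavaScript the backslash escaping mysql_real_escape_string() performs (NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z), and the query builders and table names are constructed for the illustration. The value is escaped correctly, but it is placed in an unquoted numeric position where no quote character is needed to break out.

```javascript
// Backslash escaping as mysql_real_escape_string() does it (charset issues
// aside): \0, \n, \r, \, ', " and Ctrl-Z (0x1a, written \Z).
function mysqlEscape(s) {
  return String(s).replace(/[\0\n\r\\'"\x1a]/g, (c) => {
    switch (c) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + c; // backslash, single and double quote
    }
  });
}

// Vulnerable: escaped, but dropped into an unquoted numeric context.
// An input such as "1 OR 1=1" contains nothing the escaper touches.
function buildUserQueryVulnerable(id) {
  return 'SELECT * FROM users WHERE id = ' + mysqlEscape(id);
}

// Hardened: validate that the value really is an integer before it is used.
// (Quoting the value would also work; validation matches the column type.)
function buildUserQuerySafe(id) {
  if (!/^\d{1,10}$/.test(String(id))) {
    throw new Error('id must be a non-negative integer');
  }
  return 'SELECT * FROM users WHERE id = ' + Number(id);
}

// Quoted string context: here the same escaping does its job, because the
// only way out of the literal is a quote character, which gets a backslash.
function buildNameQuery(name) {
  return "SELECT * FROM users WHERE name = '" + mysqlEscape(name) + "'";
}
```

The point the test inputs make is that the escaping function is not wrong; it is applied in a syntactic position where its protection is irrelevant. The same pattern applies to values used in LIMIT, ORDER BY or identifier positions, none of which are string literals.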
Announcement:
OWASP & WASC AppSec 2007
September, 2007
OWASP and WASC have joined forces for this year's AppSec 2007 conference, being held at eBay in San Jose, CA on Nov 12-15. A huge concentration of industry-leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers to get up to speed on the latest attack techniques, defense strategies, and industry trends in an atmosphere of peers. The conference format and venue are also perfect for networking and sharing experiences with others who are down in the trenches.
AppSec 2007 expects to exceed all attendance records from previous years, making space extremely limited. There is only room for approximately 300 attendees, so if you're planning to come, please register soon.
For more details and registration:
http://www.owasp.org/index.php/OWASP_&_WASC_AppSec_2007_Conference
The conference also features:
1) Two full days of tutorials on a wide variety of web application security topics.
http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training
2) A web services security track
3) Vendor technology expo
Conference Location:
The AppSec 2007 Conference will be held at eBay at their facility at:
2211 North First Street in San Jose, CA Nov 12th-15th.
Training Days: November 12th-13th
Main Conference: November 14th-15th
Announcement:
The business case for security frameworks
April 23rd, 2007
In this article Robert describes the advantages of using input validation
frameworks during development to reduce risks such as Cross-site Scripting.
more...
Announcement:
The Importance of Application Classification in Secure Application Development
April 16th, 2007
In this article Rohit Sethi describes the importance of Application Classification during the
secure development process.
more...
Announcement: MX Injection : Capturing and Exploiting Hidden Mail Servers
December 11th, 2006
In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server.
more...
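An added illustration of the MX injection pattern described above, not code from the article: a webmail back end assembles an IMAP SELECT from a user-supplied mailbox name. IMAP commands are line-oriented and terminated by CRLF, so a name containing CRLF ends the SELECT and begins a second command chosen by the attacker. The vulnerable and hardened builders, the command tag and the mailbox values are all constructed for the example; it assumes ASCII mailbox names, which RFC 3501 lets a client send as a quoted string.

```javascript
// Vulnerable: the mailbox name is concatenated straight into the command.
function buildSelectVulnerable(tag, mailbox) {
  return tag + ' SELECT ' + mailbox + '\r\n';
}

// Hardened: reject control characters outright, then send the name as an
// RFC 3501 quoted string (double quote and backslash escaped with a
// backslash; CR and LF are not permitted inside a quoted string at all).
function buildSelectSafe(tag, mailbox) {
  if (/[\x00-\x1f\x7f]/.test(mailbox)) {
    throw new Error('control characters not allowed in mailbox name');
  }
  const quoted = '"' + mailbox.replace(/(["\\])/g, '\\$1') + '"';
  return tag + ' SELECT ' + quoted + '\r\n';
}

// Split the byte stream the way the server's command parser does: one
// command per CRLF. Counting the pieces shows how many commands the server
// would execute for a single "mailbox name" supplied through the web form.
function commandsSeenByServer(stream) {
  return stream.split('\r\n').filter((line) => line.length > 0);
}

// Constructed attacker input: a legitimate name followed by CRLF and a
// second, attacker-chosen tagged command.
const INJECTED_MAILBOX = 'INBOX\r\nA002 LIST "" *';
```

With the vulnerable builder, `commandsSeenByServer(buildSelectVulnerable('A001', INJECTED_MAILBOX))` yields two commands, the second being the attacker's LIST; the hardened builder refuses the same input and, for ordinary names containing quotes, produces a correctly escaped quoted string.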
Chat on IRC with us!
June, 23rd 2006
Come chat with us on irc.freenode.net in channel #webappsec.
'The Web Security Mailing List' RSS Feed Now Available
June, 19th 2006
You can now subscribe to 'The Web Security Mailing List' using RSS.
Download Feed Here
Announcement: Domain Contamination By Amit Klein
February, 6th 2006
In this article Amit discusses how an attacker who has hijacked a domain for a short period of time can still retain control of its audience long after the domain is returned to its rightful owner.
Announcement: The Web Application Firewall Evaluation Criteria v1 Released
January, 14th 2006
The Web Application Security Consortium (WASC), an international group of information security experts that produce open application security guidelines for the World Wide Web, today announced that it has released version 1.0 of The Web Application Firewall Evaluation Criteria (WAFEC). WAFEC is a collaborative effort by a team of security experts, industry practitioners, and vendors designed to provide an independent and vendor-neutral set of criteria for evaluating Web Application Firewall products.
Preventing Log Evasion in IIS
August 29th, 2005
In this paper Robert describes an issue which allows an attacker to evade multiple aspects of
logging within an IIS server environment, as well as how to remediate the problem.
more...
Articles: DOM Based Cross Site Scripting or XSS of the Third Kind
July 11, 2005
Amit Klein has released an article focusing on a little known variant of Cross Site Scripting which
attacks a user's client without sending malicious content to the web server.
more...