
TCv1 Contributors

Robert Auger
Ryan Barnett
Yuval Ben-Itzhak
Erik Caso
Cesar Cerrudo
Sacha Faust
JD Glaser
Jeremiah Grossman*
Sverre H. Huseby
Amit Klein
Mitja Kolsek
Aaron C. Newman
Steve Orrin
Bill Pennington
Ray Pompon
Mike Shema
Ory Segal
Caleb Sima
Satoru Takahashi
Bedirhan Urgun
Emilio Casbas
Vicente Aguilera Díaz
Sergey V. Gordeychik
Achim Hoffmann
Albert Caruana
Stefan Strobel
Daniela Strobel


*Project Leader



Last update: November 29, 2005

Threat Classification V2 (Currently In Progress)
Our peer review teams are currently working hard on the next version of the TC. You can get a sneak peek at the new TC on our working WIKI page.


Threat Classification V1

Description
The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium created this project to develop and promote industry-standard terminology for describing these issues, so that application developers, security professionals, software vendors, and compliance auditors share a consistent language for web security issues.

Complete Document

English
[TEXT] size: 128k (MD5 SUM: 71a846da8ad5c8d4f051c2340114b530)
[PDF] size: 456k (MD5 SUM: 73dd79528022bfdaba92727f94f700ab)

Japanese
[PDF] size: 1MB (MD5 SUM: 9d7d4dd092f2c01d255ca21362c6feba)
[DOC] size: 548k (MD5 SUM: 2f6cde45b12183fd3598d4435d3bed5d)

Russian
[DOC] size: 452k (MD5 SUM: 48c2ee2bd727aa3ba4fce4ad778bb0b3)
[TEXT] size: 100k (MD5 SUM: 2bcbfba117ad7c5df253a13739c80132)

Spanish
[PDF] size: 307k (MD5 SUM: fc0e9ca1576792351fca280150d1f8b3)
[DOC] size: 465k (MD5 SUM: 741a69b5cc0400a1bfe208a646614cab)

German
[DOC] size: 432k (MD5 SUM: 66fd0bb191b43b7fae1edb65afa45589)
[PDF] size: 544k (MD5 SUM: f03dc47724f37c1d83e88bbd697e84a4)

Turkish
[PDF] size: 637k (MD5 SUM: ef1e8f1e581dcc4a191effa091804894)
[DOC] size: 482k (MD5 SUM: 8f915e770997185131d972391bb080c3)


Classes of Attack

Abuse of Functionality
Brute Force
Buffer Overflow
Content Spoofing
Credential/Session Prediction
Cross-site Scripting
Denial of Service
Directory Indexing
Format String Attack
Information Leakage
Insufficient Anti-automation
Insufficient Authentication
Insufficient Authorization
Insufficient Process Validation
Insufficient Session Expiration
LDAP Injection
OS Commanding
Path Traversal
Predictable Resource Location
Session Fixation
SQL Injection
SSI Injection
Weak Password Recovery Validation
XPath Injection
* Fingerprinting
* HTTP Response Splitting

© Copyright 2005, Web Application Security Consortium. All rights reserved.