WASC Web Vulnerabilities classification schema

I came across another effort to systematically organize web application vulnerabilities, comprising six categories published by the Web Application Security Consortium (www.webappsec.org). They are very clearly and neatly organized. The following descriptions of web vulnerabilities are modeled on the WASC schema.

Authentication – stealing user account identities
-> Brute Force attack
-> Insufficient Authentication
-> Weak Password Recovery Validation

Authorization – illegal access to applications
-> Credential / Session Prediction
-> Insufficient Authorization
-> Insufficient Session Expiration
-> Session Fixation attacks

Client-side Attacks – illegal execution of foreign code
-> Content Spoofing
-> Cross-site Scripting

Command Execution – hijacks control of web application
-> Buffer Overflow attacks
-> Format String Attack
-> LDAP Injection attacks
-> OS Commanding
-> SQL Injection
-> SSI Injection
-> XPath Injection

Information Disclosure – shows sensitive data to attackers
-> Directory Indexing
-> Information Leakage
-> Path Traversal
-> Predictable Resource Location

Logical Attacks – interfere with application usage
-> Abuse of Functionality
-> Denial of Service
-> Insufficient Anti-automation
-> Insufficient Process Validation permits an attacker to

