WASC

Summary

The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a website. It outlines the attacks and weaknesses that can lead to the compromise of a website, its data or its users. The version used in this section is WASC Threat Classification v2.0.

Definitions

Definition	Requirements
A_42. Abuse of functionality	258. Filter website content 266. Disable insecure functionalities
A_11. Brute force	237. Ascertain human interaction 327. Set a rate limit
A_07. Buffer overflow	072. Set maximum response time 158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs
A_12. Content spoofing	035. Manage privilege modifications 096. Set user's required privileges 173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 320. Avoid client-side control enforcement 342. Validate request parameters
A_18. Credential and session prediction	030. Avoid object reutilization 173. Discard unsafe inputs 175. Protect pages from clickjacking
A_08. Cross-site scripting	029. Cookies with security attributes 173. Discard unsafe inputs
A_09. Cross-site request forgery	029. Cookies with security attributes 174. Transactions without a distinguishable pattern 349. Include HTTP security headers
A_10. Denial of service	072. Set maximum response time 327. Set a rate limit 345. Establish protections against overflows
A_26. HTTP request smuggling	062. Define standard configurations 173. Discard unsafe inputs 266. Disable insecure functionalities 345. Establish protections against overflows
A_03. Integer overflows	345. Establish protections against overflows
A_29. LDAP injection	173. Discard unsafe inputs
A_30. Mail command injection	181. Transmit data using secure protocols 266. Disable insecure functionalities
A_31. OS commanding	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
A_33. Path traversal	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
A_34. Predictable resource location	037. Parameters without sensitive data 237. Ascertain human interaction 261. Avoid exposing sensitive information 327. Set a rate limit
A_05. Remote file inclusion (RFI)	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
A_37. Session fixation	030. Avoid object reutilization
A_19. SQL injection	169. Use parameterized queries 173. Discard unsafe inputs
A_38. URL redirector abuse	324. Control redirects
A_39. XPath injection	173. Discard unsafe inputs
A_46. XML injection	173. Discard unsafe inputs
W_15. Application misconfiguration	062. Define standard configurations 142. Change system default credentials 161. Define secure default options
W_16. Directory indexing	176. Restrict system objects 266. Disable insecure functionalities
W_17. Improper filesystem permissions	096. Set user's required privileges 176. Restrict system objects 186. Use the principle of least privilege 264. Request authentication 320. Avoid client-side control enforcement
W_20. Improper input handling	169. Use parameterized queries 173. Discard unsafe inputs
W_22. Improper output handling	160. Encode system outputs
W_13. Information leakage	176. Restrict system objects 177. Avoid caching and temporary files 261. Avoid exposing sensitive information 300. Mask sensitive data
W_21. Insufficient anti-automation	237. Ascertain human interaction
W_01. Insufficient authentication	227. Display access notification 228. Authenticate using standard protocols 229. Request access credentials 231. Implement a biometric verification component 235. Define credential interface 264. Request authentication 323. Exclude unverifiable files
W_02. Insufficient authorization	035. Manage privilege modifications 096. Set user's required privileges 114. Deny access with inactive credentials 176. Restrict system objects 320. Avoid client-side control enforcement 341. Use the principle of deny by default
W_49. Insufficient password recovery	126. Set a password regeneration mechanism 141. Force re-authentication 238. Establish safe recovery
W_40. Insufficient process validation	337. Make critical logic flows thread safe
W_47. Insufficient session expiration	023. Terminate inactive user sessions 030. Avoid object reutilization 335. Define out of band token lifespan 369. Set a maximum lifetime in sessions
W_04. Insufficient transport layer protection	181. Transmit data using secure protocols 336. Disable insecure TLS versions
W_14. Server misconfiguration	062. Define standard configurations

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.

WASC | Compliance | Fluid Attacks Help

WASC

Summary

Definitions