WASC | Compliance | Fluid Attacks Help

WASC


Summary

The WASC Threat Classification, published by the Web Application Security Consortium (WASC), is a cooperative effort to clarify and organize the threats to the security of a website. It outlines the attacks and weaknesses that can lead to the compromise of a website, its data or its users. The version used in this section is WASC Threat Classification v2.0, in which each item is either an attack (prefixed A_ in the table below) or a weakness (prefixed W_), numbered as in the classification itself.

Definitions

Each WASC definition is listed with the Fluid Attacks requirements that address it.

Definition -> Requirements

A_42. Abuse of functionality
    258. Filter website content
    266. Disable insecure functionalities

A_11. Brute force
    237. Ascertain human interaction
    327. Set a rate limit

A_07. Buffer overflow
    072. Set maximum response time
    158. Use a secure programming language
    164. Use optimized structures
    173. Discard unsafe inputs

A_12. Content spoofing
    035. Manage privilege modifications
    096. Set user's required privileges
    173. Discard unsafe inputs
    176. Restrict system objects
    265. Restrict access to critical processes
    320. Avoid client-side control enforcement
    342. Validate request parameters

A_18. Credential and session prediction
    030. Avoid object reutilization
    173. Discard unsafe inputs
    175. Protect pages from clickjacking

A_08. Cross-site scripting
    029. Cookies with security attributes
    173. Discard unsafe inputs

A_09. Cross-site request forgery
    029. Cookies with security attributes
    174. Transactions without a distinguishable pattern
    349. Include HTTP security headers

A_10. Denial of service
    072. Set maximum response time
    327. Set a rate limit
    345. Establish protections against overflows

A_26. HTTP request smuggling
    062. Define standard configurations
    173. Discard unsafe inputs
    266. Disable insecure functionalities
    345. Establish protections against overflows

A_03. Integer overflows
    345. Establish protections against overflows

A_29. LDAP injection
    173. Discard unsafe inputs

A_30. Mail command injection
    181. Transmit data using secure protocols
    266. Disable insecure functionalities

A_31. OS commanding
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    266. Disable insecure functionalities

A_33. Path traversal
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
    342. Validate request parameters

A_34. Predictable resource location
    037. Parameters without sensitive data
    237. Ascertain human interaction
    261. Avoid exposing sensitive information
    327. Set a rate limit

A_05. Remote file inclusion (RFI)
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    266. Disable insecure functionalities

A_37. Session fixation
    030. Avoid object reutilization

A_19. SQL injection
    169. Use parameterized queries
    173. Discard unsafe inputs

A_38. URL redirector abuse
    324. Control redirects

A_39. XPath injection
    173. Discard unsafe inputs

A_46. XML injection
    173. Discard unsafe inputs

W_15. Application misconfiguration
    062. Define standard configurations
    142. Change system default credentials
    161. Define secure default options

W_16. Directory indexing
    176. Restrict system objects
    266. Disable insecure functionalities

W_17. Improper filesystem permissions
    096. Set user's required privileges
    176. Restrict system objects
    186. Use the principle of least privilege
    264. Request authentication
    320. Avoid client-side control enforcement

W_20. Improper input handling
    169. Use parameterized queries
    173. Discard unsafe inputs

W_22. Improper output handling
    160. Encode system outputs

W_13. Information leakage
    176. Restrict system objects
    177. Avoid caching and temporary files
    261. Avoid exposing sensitive information
    300. Mask sensitive data

W_21. Insufficient anti-automation
    237. Ascertain human interaction

W_01. Insufficient authentication
    227. Display access notification
    228. Authenticate using standard protocols
    229. Request access credentials
    231. Implement a biometric verification component
    235. Define credential interface
    264. Request authentication
    323. Exclude unverifiable files

W_02. Insufficient authorization
    035. Manage privilege modifications
    096. Set user's required privileges
    114. Deny access with inactive credentials
    176. Restrict system objects
    320. Avoid client-side control enforcement
    341. Use the principle of deny by default

W_49. Insufficient password recovery
    126. Set a password regeneration mechanism
    141. Force re-authentication
    238. Establish safe recovery

W_40. Insufficient process validation
    337. Make critical logic flows thread safe

W_47. Insufficient session expiration
    023. Terminate inactive user sessions
    030. Avoid object reutilization
    335. Define out of band token lifespan
    369. Set a maximum lifetime in sessions

W_04. Insufficient transport layer protection
    181. Transmit data using secure protocols
    336. Disable insecure TLS versions

W_14. Server misconfiguration
    062. Define standard configurations