WASSEC | Compliance | Fluid Attacks Help

WASSEC


Summary

The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities. It covers areas such as crawling, parsing, session handling, testing and reporting. The version used in this section is WASSEC version 1.0.

Definitions

| Definition | Requirements |
| --- | --- |
| 1_1. Transport support | 029. Cookies with security attributes; 181. Transmit data using secure protocols; 336. Disable insecure TLS versions; 349. Include HTTP security headers |
| 2_1. Authentication schemes | 088. Request client certificates; 114. Deny access with inactive credentials; 228. Authenticate using standard protocols; 264. Request authentication; 328. Request MFA for critical systems |
| 3_1. Session management capabilities | 025. Manage concurrent sessions; 028. Allow users to log out; 031. Discard user session data; 305. Prioritize token usage |
| 3_2_1. HTTP cookies | 029. Cookies with security attributes; 030. Avoid object reutilization |
| 3_3. Session token detection configuration | 357. Use stateless session tokens |
| 3_4. Session token refresh policy | 335. Define out of band token lifespan |
| 4_1. Web crawler configuration | 237. Ascertain human interaction |
| 4_1_5. Supporting concurrent sessions | 025. Manage concurrent sessions |
| 5_3. Parser tolerance | 157. Use the strict mode; 348. Use consistent encoding |
| 5_5. Extraction of dynamic content | 043. Define an explicit content type; 169. Use parameterized queries |
| 6_1_2. URL patterns | 174. Transactions without a distinguishable pattern |
| 6_1_6. HTTP headers | 349. Include HTTP security headers |
| 6_2_1_1. Authentication - Brute force | 139. Set minimum OTP length; 225. Proper authentication responses; 327. Set a rate limit |
| 6_2_1_2. Authentication - Insufficient authentication | 096. Set user's required privileges; 264. Request authentication |
| 6_2_1_3. Authentication - Weak password recovery validation | 238. Establish safe recovery |
| 6_2_1_4. Authentication - Lack of SSL on login pages | 336. Disable insecure TLS versions |
| 6_2_2_1. Authorization - Credential/Session prediction | 357. Use stateless session tokens |
| 6_2_2_2. Authorization - Insufficient authorization | 032. Avoid session ID leakages; 176. Restrict system objects |
| 6_2_2_3. Authorization - Insufficient session expiration | 023. Terminate inactive user sessions |
| 6_2_2_4. Authorization - Session fixation | 030. Avoid object reutilization |
| 6_2_2_5. Authorization - Session weaknesses | 024. Transfer information using session objects; 029. Cookies with security attributes; 030. Avoid object reutilization; 176. Restrict system objects; 223. Uniform distribution in random numbers |
| 6_2_3_1. Client-side attacks - Content spoofing | 062. Define standard configurations; 273. Define a fixed security suite |
| 6_2_3_2. Client-side attacks - Cross-site scripting | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| 6_2_3_4. Client-side attacks - HTML injection | 173. Discard unsafe inputs |
| 6_2_3_5. Client-side attacks - Cross-site request forgery | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern |
| 6_2_3_6. Client-side attacks - Flash-related attack | 062. Define standard configurations; 266. Disable insecure functionalities; 349. Include HTTP security headers |
| 6_2_4_1. Command execution - Format string attack | 172. Encrypt connection strings |
| 6_2_4_2. Command execution - LDAP injection | 173. Discard unsafe inputs |
| 6_2_4_3. Command execution - OS command injection | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 6_2_4_4. Command execution - SQL injection | 169. Use parameterized queries; 173. Discard unsafe inputs |
| 6_2_4_6. Command execution - XPath injection | 173. Discard unsafe inputs |
| 6_2_4_8. Command execution - Remote file includes | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 6_2_4_9. Command execution - Local file includes | 173. Discard unsafe inputs; 176. Restrict system objects |
| 6_2_4_10. Command execution - Potential malicious file uploads | 040. Compare file format and extension; 041. Scan files for malicious code |
| 6_2_5_2. Information disclosure - Information leakage | 077. Avoid disclosing technical information; 083. Avoid logging sensitive data; 171. Remove commented-out code; 261. Avoid exposing sensitive information; 300. Mask sensitive data |
| 6_2_5_3. Information disclosure - Path traversal | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 6_2_5_5. Information disclosure - Insecure HTTP methods enabled | 266. Disable insecure functionalities |
| 6_2_5_7. Information disclosure - Default web server files | 043. Define an explicit content type |
| 8_4_1. Compliance report | 331. Guarantee legal compliance |