WASC

Summary

The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a website. It outlines the attacks and weaknesses that can lead to the compromise of a website, its data or its users. The version used in this section is WASC Threat Classification v2.0.

Definitions

Definition (WASC item) and the requirements that address it:

A_42. Abuse of functionality
    258. Filter website content
    266. Disable insecure functionalities

A_11. Brute force
    237. Ascertain human interaction
    327. Set a rate limit

A_07. Buffer overflow
    072. Set maximum response time
    158. Use a secure programming language
    164. Use optimized structures
    173. Discard unsafe inputs

A_12. Content spoofing
    035. Manage privilege modifications
    096. Set user's required privileges
    173. Discard unsafe inputs
    176. Restrict system objects
    265. Restrict access to critical processes
    320. Avoid client-side control enforcement
    342. Validate request parameters

A_18. Credential and session prediction
    030. Avoid object reutilization
    173. Discard unsafe inputs
    175. Protect pages from clickjacking

A_08. Cross-site scripting
    029. Cookies with security attributes
    173. Discard unsafe inputs

A_09. Cross-site request forgery
    029. Cookies with security attributes
    174. Transactions without a distinguishable pattern
    349. Include HTTP security headers

A_10. Denial of service
    072. Set maximum response time
    327. Set a rate limit
    345. Establish protections against overflows

A_26. HTTP request smuggling
    062. Define standard configurations
    173. Discard unsafe inputs
    266. Disable insecure functionalities
    345. Establish protections against overflows

A_03. Integer overflows
    345. Establish protections against overflows

A_29. LDAP injection
    173. Discard unsafe inputs

A_30. Mail command injection
    181. Transmit data using secure protocols
    266. Disable insecure functionalities

A_31. OS commanding
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    266. Disable insecure functionalities

A_33. Path traversal
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
    342. Validate request parameters

A_34. Predictable resource location
    037. Parameters without sensitive data
    237. Ascertain human interaction
    261. Avoid exposing sensitive information
    327. Set a rate limit

A_05. Remote file inclusion (RFI)
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    266. Disable insecure functionalities

A_37. Session fixation
    030. Avoid object reutilization

A_19. SQL injection
    169. Use parameterized queries
    173. Discard unsafe inputs

A_38. URL redirector abuse
    324. Control redirects

A_39. XPath injection
    173. Discard unsafe inputs

A_46. XML injection
    173. Discard unsafe inputs

W_15. Application misconfiguration
    062. Define standard configurations
    142. Change system default credentials
    161. Define secure default options

W_16. Directory indexing
    176. Restrict system objects
    266. Disable insecure functionalities

W_17. Improper filesystem permissions
    096. Set user's required privileges
    176. Restrict system objects
    186. Use the principle of least privilege
    264. Request authentication
    320. Avoid client-side control enforcement

W_20. Improper input handling
    169. Use parameterized queries
    173. Discard unsafe inputs

W_22. Improper output handling
    160. Encode system outputs

W_13. Information leakage
    176. Restrict system objects
    177. Avoid caching and temporary files
    261. Avoid exposing sensitive information
    300. Mask sensitive data

W_21. Insufficient anti-automation
    237. Ascertain human interaction

W_01. Insufficient authentication
    227. Display access notification
    228. Authenticate using standard protocols
    229. Request access credentials
    231. Implement a biometric verification component
    235. Define credential interface
    264. Request authentication
    323. Exclude unverifiable files

W_02. Insufficient authorization
    035. Manage privilege modifications
    096. Set user's required privileges
    114. Deny access with inactive credentials
    176. Restrict system objects
    320. Avoid client-side control enforcement
    341. Use the principle of deny by default

W_49. Insufficient password recovery
    126. Set a password regeneration mechanism
    141. Force re-authentication
    238. Establish safe recovery

W_40. Insufficient process validation
    337. Make critical logic flows thread safe

W_47. Insufficient session expiration
    023. Terminate inactive user sessions
    030. Avoid object reutilization
    335. Define out of band token lifespan
    369. Set a maximum lifetime in sessions

W_04. Insufficient transport layer protection
    181. Transmit data using secure protocols
    336. Disable insecure TLS versions

W_14. Server misconfiguration
    062. Define standard configurations