WASC

Summary

The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a website. It outlines the attacks and weaknesses that can lead to the compromise of a website, its data or its users. The version used in this section is WASC Threat Classification v2.0.

Definitions

Definition / Requirements

A_42. Abuse of functionality
  258. Filter website content
  266. Disable insecure functionalities
A_11. Brute force
  237. Ascertain human interaction
  327. Set a rate limit
A_07. Buffer overflow
  072. Set maximum response time
  158. Use a secure programming language
  164. Use optimized structures
  173. Discard unsafe inputs
A_12. Content spoofing
  035. Manage privilege modifications
  096. Set user's required privileges
  173. Discard unsafe inputs
  176. Restrict system objects
  265. Restrict access to critical processes
  320. Avoid client-side control enforcement
  342. Validate request parameters
A_18. Credential and session prediction
  030. Avoid object reutilization
  173. Discard unsafe inputs
  175. Protect pages from clickjacking
A_08. Cross-site scripting
  029. Cookies with security attributes
  173. Discard unsafe inputs
A_09. Cross-site request forgery
  029. Cookies with security attributes
  174. Transactions without a distinguishable pattern
  349. Include HTTP security headers
A_10. Denial of service
  072. Set maximum response time
  327. Set a rate limit
  345. Establish protections against overflows
A_26. HTTP request smuggling
  062. Define standard configurations
  173. Discard unsafe inputs
  266. Disable insecure functionalities
  345. Establish protections against overflows
A_03. Integer overflows
  345. Establish protections against overflows
A_29. LDAP injection
  173. Discard unsafe inputs
A_30. Mail command injection
  181. Transmit data using secure protocols
  266. Disable insecure functionalities
A_31. OS commanding
  173. Discard unsafe inputs
  265. Restrict access to critical processes
  266. Disable insecure functionalities
A_33. Path traversal
  173. Discard unsafe inputs
  320. Avoid client-side control enforcement
  342. Validate request parameters
A_34. Predictable resource location
  037. Parameters without sensitive data
  237. Ascertain human interaction
  261. Avoid exposing sensitive information
  327. Set a rate limit
A_05. Remote file inclusion (RFI)
  173. Discard unsafe inputs
  265. Restrict access to critical processes
  266. Disable insecure functionalities
A_37. Session fixation
  030. Avoid object reutilization
A_19. SQL injection
  169. Use parameterized queries
  173. Discard unsafe inputs
A_38. URL redirector abuse
  324. Control redirects
A_39. XPath injection
  173. Discard unsafe inputs
A_46. XML injection
  173. Discard unsafe inputs
W_15. Application misconfiguration
  062. Define standard configurations
  142. Change system default credentials
  161. Define secure default options
W_16. Directory indexing
  176. Restrict system objects
  266. Disable insecure functionalities
W_17. Improper filesystem permissions
  096. Set user's required privileges
  176. Restrict system objects
  186. Use the principle of least privilege
  264. Request authentication
  320. Avoid client-side control enforcement
W_20. Improper input handling
  169. Use parameterized queries
  173. Discard unsafe inputs
W_22. Improper output handling
  160. Encode system outputs
W_13. Information leakage
  176. Restrict system objects
  177. Avoid caching and temporary files
  261. Avoid exposing sensitive information
  300. Mask sensitive data
W_21. Insufficient anti-automation
  237. Ascertain human interaction
W_01. Insufficient authentication
  227. Display access notification
  228. Authenticate using standard protocols
  229. Request access credentials
  231. Implement a biometric verification component
  235. Define credential interface
  264. Request authentication
  323. Exclude unverifiable files
W_02. Insufficient authorization
  035. Manage privilege modifications
  096. Set user's required privileges
  114. Deny access with inactive credentials
  176. Restrict system objects
  320. Avoid client-side control enforcement
  341. Use the principle of deny by default
W_49. Insufficient password recovery
  126. Set a password regeneration mechanism
  141. Force re-authentication
  238. Establish safe recovery
W_40. Insufficient process validation
  337. Make critical logic flows thread safe
W_47. Insufficient session expiration
  023. Terminate inactive user sessions
  030. Avoid object reutilization
  335. Define out of band token lifespan
  369. Set a maximum lifetime in sessions
W_04. Insufficient transport layer protection
  181. Transmit data using secure protocols
  336. Disable insecure TLS versions
W_14. Server misconfiguration
  062. Define standard configurations