
WASC


Summary

The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a website. It outlines the attacks and weaknesses that can lead to the compromise of a website, its data or its users. The version used in this section is WASC Threat Classification v2.0.

Definitions

Definition / Requirements

A_03. Integer overflows
  345. Establish protections against overflows

A_05. Remote file inclusion (RFI)
  173. Discard unsafe inputs
  265. Restrict access to critical processes
  266. Disable insecure functionalities

A_07. Buffer overflow
  072. Set maximum response time
  158. Use a secure programming language
  164. Use optimized structures
  173. Discard unsafe inputs

A_08. Cross-site scripting
  029. Cookies with security attributes
  173. Discard unsafe inputs

A_09. Cross-site request forgery
  029. Cookies with security attributes
  174. Transactions without a distinguishable pattern
  349. Include HTTP security headers

A_10. Denial of service
  072. Set maximum response time
  327. Set a rate limit
  345. Establish protections against overflows

A_11. Brute force
  237. Ascertain human interaction
  327. Set a rate limit

A_12. Content spoofing
  035. Manage privilege modifications
  096. Set user's required privileges
  173. Discard unsafe inputs
  176. Restrict system objects
  265. Restrict access to critical processes
  320. Avoid client-side control enforcement
  342. Validate request parameters

A_18. Credential and session prediction
  030. Avoid object reutilization
  173. Discard unsafe inputs
  175. Protect pages from clickjacking

A_19. SQL injection
  169. Use parameterized queries
  173. Discard unsafe inputs

A_26. HTTP request smuggling
  062. Define standard configurations
  173. Discard unsafe inputs
  266. Disable insecure functionalities
  345. Establish protections against overflows

A_29. LDAP injection
  173. Discard unsafe inputs

A_30. Mail command injection
  181. Transmit data using secure protocols
  266. Disable insecure functionalities

A_31. OS commanding
  173. Discard unsafe inputs
  265. Restrict access to critical processes
  266. Disable insecure functionalities

A_33. Path traversal
  173. Discard unsafe inputs
  320. Avoid client-side control enforcement
  342. Validate request parameters

A_34. Predictable resource location
  037. Parameters without sensitive data
  237. Ascertain human interaction
  261. Avoid exposing sensitive information
  327. Set a rate limit

A_37. Session fixation
  030. Avoid object reutilization

A_38. URL redirector abuse
  324. Control redirects

A_39. XPath injection
  173. Discard unsafe inputs

A_42. Abuse of functionality
  258. Filter website content
  266. Disable insecure functionalities

A_46. XML injection
  173. Discard unsafe inputs

W_01. Insufficient authentication
  227. Display access notification
  228. Authenticate using standard protocols
  229. Request access credentials
  231. Implement a biometric verification component
  235. Define credential interface
  264. Request authentication
  323. Exclude unverifiable files

W_02. Insufficient authorization
  035. Manage privilege modifications
  096. Set user's required privileges
  114. Deny access with inactive credentials
  176. Restrict system objects
  320. Avoid client-side control enforcement
  341. Use the principle of deny by default

W_04. Insufficient transport layer protection
  181. Transmit data using secure protocols
  336. Disable insecure TLS versions

W_13. Information leakage
  176. Restrict system objects
  177. Avoid caching and temporary files
  261. Avoid exposing sensitive information
  300. Mask sensitive data

W_14. Server misconfiguration
  062. Define standard configurations

W_15. Application misconfiguration
  062. Define standard configurations
  142. Change system default credentials
  161. Define secure default options

W_16. Directory indexing
  176. Restrict system objects
  266. Disable insecure functionalities

W_17. Improper filesystem permissions
  096. Set user's required privileges
  176. Restrict system objects
  186. Use the principle of least privilege
  264. Request authentication
  320. Avoid client-side control enforcement

W_20. Improper input handling
  169. Use parameterized queries
  173. Discard unsafe inputs

W_21. Insufficient anti-automation
  237. Ascertain human interaction

W_22. Improper output handling
  160. Encode system outputs

W_40. Insufficient process validation
  337. Make critical logic flows thread safe

W_47. Insufficient session expiration
  023. Terminate inactive user sessions
  030. Avoid object reutilization
  335. Define out of band token lifespan
  369. Set a maximum lifetime in sessions

W_49. Insufficient password recovery
  126. Set a password regeneration mechanism
  141. Force re-authentication
  238. Establish safe recovery