Skip to main content

WASSEC

logo

Summary

The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities. It covers areas such as crawling, parsing, session handling, testing and reporting. The version used in this section is WASSEC version 1.0.

Definitions

DefinitionRequirements
1_1. Transport support
029. Cookies with security attributes
181. Transmit data using secure protocols
336. Disable insecure TLS versions
349. Include HTTP security headers
2_1. Authentication schemes
088. Request client certificates
114. Deny access with inactive credentials
228. Authenticate using standard protocols
264. Request authentication
328. Request MFA for critical systems
3_1. Session management capabilities
025. Manage concurrent sessions
028. Allow users to log out
031. Discard user session data
305. Prioritize token usage
3_2_1. HTTP cookies
029. Cookies with security attributes
030. Avoid object reutilization
3_3. Session token detection configuration
357. Use stateless session tokens
3_4. Session token refresh policy
335. Define out of band token lifespan
4_1. Web crawler configuration
237. Ascertain human interaction
4_1_5. Supporting concurrent sessions
025. Manage concurrent sessions
5_3. Parser tolerance
157. Use the strict mode
348. Use consistent encoding
5_5. Extraction of dynamic content
043. Define an explicit content type
169. Use parameterized queries
6_1_2. URL patterns
174. Transactions without a distinguishable pattern
6_1_6. HTTP headers
349. Include HTTP security headers
6_2_1_1. Authentication - Brute force
139. Set minimum OTP length
225. Proper authentication responses
327. Set a rate limit
6_2_1_2. Authentication - Insufficient authentication
096. Set user's required privileges
264. Request authentication
6_2_1_3. Authentication - Weak password recovery validation
238. Establish safe recovery
6_2_1_4. Authentication - Lack of SSL on login pages
336. Disable insecure TLS versions
6_2_2_1. Authorization - Credential/Session prediction
357. Use stateless session tokens
6_2_2_2. Authorization - Insufficient authorization
032. Avoid session ID leakages
176. Restrict system objects
6_2_2_3. Authorization - Insufficient session expiration
023. Terminate inactive user sessions
6_2_2_4. Authorization - Session fixation
030. Avoid object reutilization
6_2_2_5. Authorization - Session weaknesses
024. Transfer information using session objects
029. Cookies with security attributes
030. Avoid object reutilization
176. Restrict system objects
223. Uniform distribution in random numbers
6_2_3_1. Client-side attacks - Content spoofing
062. Define standard configurations
273. Define a fixed security suite
6_2_3_2. Client-side attacks - Cross-site scripting
029. Cookies with security attributes
173. Discard unsafe inputs
6_2_3_4. Client-side attacks - HTML injection
173. Discard unsafe inputs
6_2_3_5. Client-side attacks - Cross-site request forgery
029. Cookies with security attributes
174. Transactions without a distinguishable pattern
6_2_3_6. Client-side attacks - Flash-related attack
062. Define standard configurations
266. Disable insecure functionalities
349. Include HTTP security headers
6_2_4_1. Command execution - Format string attack
172. Encrypt connection strings
6_2_4_2. Command execution - LDAP injection
173. Discard unsafe inputs
6_2_4_3. Command execution - OS command injection
173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
6_2_4_4. Command execution - SQL injection
169. Use parameterized queries
173. Discard unsafe inputs
6_2_4_6. Command execution - Xpath injection
173. Discard unsafe inputs
6_2_4_8. Command execution - Remote file includes
173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
6_2_4_9. Command execution - Local file includes
173. Discard unsafe inputs
176. Restrict system objects
6_2_4_10. Command execution - Potential malicious file uploads
040. Compare file format and extension
041. Scan files for malicious code
6_2_5_2. Information disclosure - Information leakage
077. Avoid disclosing technical information
083. Avoid logging sensitive data
171. Remove commented-out code
261. Avoid exposing sensitive information
300. Mask sensitive data
6_2_5_3. Information disclosure - Path traversal
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
6_2_5_5. Information disclosure - Insecure HTTP methods enabled
266. Disable insecure functionalities
6_2_5_7. Information disclosure - Default web server files
043. Define an explicit content type
8_4_1. Compliance report
331. Guarantee legal compliance
free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.

Last updated on