WASSEC

Summary

The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities. It covers areas such as crawling, parsing, session handling, testing and reporting. The version used in this section is WASSEC version 1.0.

Definitions

| Definition | Requirements |
|---|---|
| 1_1. Transport support | 029. Cookies with security attributes; 181. Transmit data using secure protocols; 336. Disable insecure TLS versions; 349. Include HTTP security headers |
| 2_1. Authentication schemes | 088. Request client certificates; 114. Deny access with inactive credentials; 228. Authenticate using standard protocols; 264. Request authentication; 328. Request MFA for critical systems |
| 3_1. Session management capabilities | 025. Manage concurrent sessions; 028. Allow users to log out; 031. Discard user session data; 305. Prioritize token usage |
| 3_2_1. HTTP cookies | 029. Cookies with security attributes; 030. Avoid object reutilization |
| 3_3. Session token detection configuration | 357. Use stateless session tokens |
| 3_4. Session token refresh policy | 335. Define out of band token lifespan |
| 4_1. Web crawler configuration | 237. Ascertain human interaction |
| 4_1_5. Supporting concurrent sessions | 025. Manage concurrent sessions |
| 5_3. Parser tolerance | 157. Use the strict mode; 348. Use consistent encoding |
| 5_5. Extraction of dynamic content | 043. Define an explicit content type; 169. Use parameterized queries |
| 6_1_2. URL patterns | 174. Transactions without a distinguishable pattern |
| 6_1_6. HTTP headers | 349. Include HTTP security headers |
| 6_2_1_1. Authentication - Brute force | 139. Set minimum OTP length; 225. Proper authentication responses; 327. Set a rate limit |
| 6_2_1_2. Authentication - Insufficient authentication | 096. Set user's required privileges; 264. Request authentication |
| 6_2_1_3. Authentication - Weak password recovery validation | 238. Establish safe recovery |
| 6_2_1_4. Authentication - Lack of SSL on login pages | 336. Disable insecure TLS versions |
| 6_2_2_1. Authorization - Credential/Session prediction | 357. Use stateless session tokens |
| 6_2_2_2. Authorization - Insufficient authorization | 032. Avoid session ID leakages; 176. Restrict system objects |
| 6_2_2_3. Authorization - Insufficient session expiration | 023. Terminate inactive user sessions |
| 6_2_2_4. Authorization - Session fixation | 030. Avoid object reutilization |
| 6_2_2_5. Authorization - Session weaknesses | 024. Transfer information using session objects; 029. Cookies with security attributes; 030. Avoid object reutilization; 176. Restrict system objects; 223. Uniform distribution in random numbers |
| 6_2_3_1. Client-side attacks - Content spoofing | 062. Define standard configurations; 273. Define a fixed security suite |
| 6_2_3_2. Client-side attacks - Cross-site scripting | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| 6_2_3_4. Client-side attacks - HTML injection | 173. Discard unsafe inputs |
| 6_2_3_5. Client-side attacks - Cross-site request forgery | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern |
| 6_2_3_6. Client-side attacks - Flash-related attack | 062. Define standard configurations; 266. Disable insecure functionalities; 349. Include HTTP security headers |
| 6_2_4_1. Command execution - Format string attack | 172. Encrypt connection strings |
| 6_2_4_2. Command execution - LDAP injection | 173. Discard unsafe inputs |
| 6_2_4_3. Command execution - OS command injection | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 6_2_4_4. Command execution - SQL injection | 169. Use parameterized queries; 173. Discard unsafe inputs |
| 6_2_4_6. Command execution - XPath injection | 173. Discard unsafe inputs |
| 6_2_4_8. Command execution - Remote file includes | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 6_2_4_9. Command execution - Local file includes | 173. Discard unsafe inputs; 176. Restrict system objects |
| 6_2_4_10. Command execution - Potential malicious file uploads | 040. Compare file format and extension; 041. Scan files for malicious code |
| 6_2_5_2. Information disclosure - Information leakage | 077. Avoid disclosing technical information; 083. Avoid logging sensitive data; 171. Remove commented-out code; 261. Avoid exposing sensitive information; 300. Mask sensitive data |
| 6_2_5_3. Information disclosure - Path traversal | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 6_2_5_5. Information disclosure - Insecure HTTP methods enabled | 266. Disable insecure functionalities |
| 6_2_5_7. Information disclosure - Default web server files | 043. Define an explicit content type |
| 8_4_1. Compliance report | 331. Guarantee legal compliance |