Skip to main content




The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities. It covers areas such as crawling, parsing, session handling, testing and reporting. The version used in this section is WASSEC version 1.0.


1_1. Transport support029. Cookies with security attributes
181. Transmit data using secure protocols
336. Disable insecure TLS versions
349. Include HTTP security headers
2_1. Authentication schemes088. Request client certificates
114. Deny access with inactive credentials
228. Authenticate using standard protocols
264. Request authentication
328. Request MFA for critical systems
3_1. Session management capabilities025. Manage concurrent sessions
028. Allow users to log out
031. Discard user session data
305. Prioritize token usage
3_2_1. HTTP cookies029. Cookies with security attributes
030. Avoid object reutilization
3_3. Session token detection configuration357. Use stateless session tokens
3_4. Session token refresh policy335. Define out of band token lifespan
4_1. Web crawler configuration237. Ascertain human interaction
4_1_5. Supporting concurrent sessions025. Manage concurrent sessions
5_3. Parser tolerance157. Use the strict mode
348. Use consistent encoding
5_5. Extraction of dynamic content043. Define an explicit content type
169. Use parameterized queries
6_1_2. URL patterns174. Transactions without a distinguishable pattern
6_1_6. HTTP headers349. Include HTTP security headers
6_2_1_1. Authentication - Brute force139. Set minimum OTP length
225. Proper authentication responses
327. Set a rate limit
6_2_1_2. Authentication - Insufficient authentication096. Set user's required privileges
264. Request authentication
6_2_1_3. Authentication - Weak password recovery validation238. Establish safe recovery
6_2_1_4. Authentication - Lack of SSL on login pages336. Disable insecure TLS versions
6_2_2_1. Authorization - Credential/Session prediction357. Use stateless session tokens
6_2_2_2. Authorization - Insufficient authorization032. Avoid session ID leakages
176. Restrict system objects
6_2_2_3. Authorization - Insufficient session expiration023. Terminate inactive user sessions
6_2_2_4. Authorization - Session fixation030. Avoid object reutilization
6_2_2_5. Authorization - Session weaknesses024. Transfer information using session objects
029. Cookies with security attributes
030. Avoid object reutilization
176. Restrict system objects
223. Uniform distribution in random numbers
6_2_3_1. Client-side attacks - Content spoofing062. Define standard configurations
273. Define a fixed security suite
6_2_3_2. Client-side attacks - Cross-site scripting029. Cookies with security attributes
173. Discard unsafe inputs
6_2_3_4. Client-side attacks - HTML injection173. Discard unsafe inputs
6_2_3_5. Client-side attacks - Cross-site request forgery029. Cookies with security attributes
174. Transactions without a distinguishable pattern
6_2_3_6. Client-side attacks - Flash-related attack062. Define standard configurations
266. Disable insecure functionalities
349. Include HTTP security headers
6_2_4_1. Command execution - Format string attack172. Encrypt connection strings
6_2_4_2. Command execution - LDAP injection173. Discard unsafe inputs
6_2_4_3. Command execution - OS command injection173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
6_2_4_4. Command execution - SQL injection169. Use parameterized queries
173. Discard unsafe inputs
6_2_4_6. Command execution - Xpath injection173. Discard unsafe inputs
6_2_4_8. Command execution - Remote file includes173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
6_2_4_9. Command execution - Local file includes173. Discard unsafe inputs
176. Restrict system objects
6_2_4_10. Command execution - Potential malicious file uploads040. Compare file format and extension
041. Scan files for malicious code
6_2_5_2. Information disclosure - Information leakage077. Avoid disclosing technical information
083. Avoid logging sensitive data
171. Remove commented-out code
261. Avoid exposing sensitive information
300. Mask sensitive data
6_2_5_3. Information disclosure - Path traversal173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
6_2_5_5. Information disclosure - Insecure HTTP methods enabled266. Disable insecure functionalities
6_2_5_7. Information disclosure - Default web server files043. Define an explicit content type
8_4_1. Compliance report331. Guarantee legal compliance