List of threat classes

WASC Threat Classification is a cooperative effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data, or its users. More details about the WASC Treat Classification can be found at:

In AppScan Standard not all WASC threat classifications are used, and there are additional classifications (for example Server-Side Request Forgery), that do not have a WASC classification.
Threat class Description
catAbuseOfFunctionality An attack technique that uses a website's own features and functionality to consume, defraud, or circumvents access controls mechanisms.
catApplicationMisconfiguration These attacks exploit configuration weaknesses found in web applications.
catPrivacy Sensitive information stored to disk in cleartext.
catQuality Misconfiguration or flaws in a security mechanism are likely to result in dire consequences.
catBruteForce An automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key.
catBufferOverflow Attacks that alter the flow of an application by overwriting parts of memory with data that exceeds the allocated size of the buffer.
catContentSpoofing An attack technique used to trick a user into believing that certain content appearing on a website is legitimate and not from an external source.
catCredentialSessionPrediction A method of hijacking or impersonating a website user, by deducing or guessing the unique value that identifies a particular session or user.
catCrossSiteRequestForgery An attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim.
catCrossSiteScripting An attack technique that forces a website to echo attacker-supplied executable code, which loads in a user's browser.
catDenialOfService An attack technique with the intent of preventing a website from serving normal user activity.
catDirectoryIndexing Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (index.html/home.html/default.htm) is not present. Unintended directory listings may be possible due to software vulnerabilities combined with a specific web request.
catFingerprinting The most common methodology for attackers is to first footprint the target's web presence and enumerate as much information as possible. With this information, the attacker may develop an accurate attack scenario, which will effectively exploit a vulnerability in the software type/version being utilized by the target host.
catFormatStringAttack Attacks that alter the flow of an application by using string formatting library features to access other memory space.
catHTTPRequestSmuggling An attack technique that abuses the discrepancy in parsing of non RFC compliant HTTP requests between two HTTP devices to smuggle a request to the second device "through" the first device.
catHTTPRequestSplitting HTTP Request Splitting is an attack that enables forcing the browser to send arbitrary HTTP requests, inflicting XSS and poisoning the browser's cache.
catHTTPResponseSmuggling A technique to "smuggle" 2 HTTP responses from a server to a client, through an intermediary HTTP device that expects (or allows) a single response from the server.
catHTTPResponseSplitting The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one.
catImproperFilesystemPermissions A threat to the confidentiality, integrity and availability of a web application. The problem arises when incorrect filesystem permissions are set on files, folders, and symbolic links.
catImproperInputHandling One of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications.
catImproperOutputHandling If an application has improper output handling, the output data may be consumed leading to vulnerabilities and actions never intended by the application developer.
catInformationLeakage An application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.
catInsecureIndexing A threat to the data confidentiality of the web site. Indexing web site contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved by a determined attacker, typically through a series of queries to the search engine.
catInsufficientAntiAutomation When a website permits an attacker to automate a process that should only be performed manually.
catInsufficientAuthentication Website permits an attacker to access sensitive content or functionality without having to properly authenticate.
catInsufficientAuthorization When a website permits access to sensitive content or functionality that should require increased access control restrictions.
catWeakPasswordRecoveryValidation When a web site permits an attacker to illegally obtain, change or recover another user's password.
catInsufficientProcessValidation When a website permits an attacker to bypass or circumvent the intended flow control of an application.
catInsufficientSessionExpiration When a website permits an attacker to reuse old session credentials or session IDs for authorization.
catInsufficientTransLayerProtection Allows communication to be exposed to untrusted third-parties.
catIntegerOverflow The condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it.
catLDAPInjection An attack technique used to exploit websites that construct LDAP statements from user-supplied input.
catMailCommandInjection An attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized.
catMaliciousContent Application contains code that appears to be malicious.
catNullByteInjection An active exploitation technique used to bypass sanity checking filters in web infrastructure by adding URL-encoded null byte characters to the user-supplied data.
catOSCommanding An attack technique used to exploit websites by executing Operating System commands through manipulation of application input.
catPathTraversal This is a technique that forces access to files, directories, and commands that potentially reside outside the web document root directory.
catPredictableResourceLocation An attack technique used to uncover hidden website content and functionality, by making educated guesses.
catRemoteFileInclusion An attack technique used to exploit "dynamic file include" mechanisms in web applications to trick the application into including remote files with malicious code.
catRoutingDetour A type of "Man in the Middle" attack where Intermediaries can be injected or "hijacked" to route sensitive messages to an outside location.
catServerMisconfiguration Exploits configuration weaknesses found in web servers and application servers.
catServerSideRequestForgery Incorrect processing, sanitation, or validation of user input that contain elements later joined with URI.
catSessionFixation An attack technique that forces a user's session ID to an explicit value. After a user's session ID has been fixed, the attacker will wait for them to login. Once the user does so, the attacker uses the predefined session ID value to assume their online identity.
catSOAPArrayAbuse A web-service that expects an array can be the target of a XML DoS attack by forcing the SOAP server to build a huge array in the machine's memory, thus inflicting a DoS condition on the machine due to the memory pre-allocation.
catSQLInjection An attack technique used to exploit websites that construct SQL statements from user-supplied input.
catSSIInjection A server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.
catURLRedirectoryAbuse URL redirectors represent common functionality employed by web sites to forward an incoming request to an alternate resource, and can be used in phishing attacks.
catUserDefined A test created by the user.
catXMLAttributeBlowup A denial of service attack against XML parsers.
catXMLEntityExpansion This exploits a capability in XML DTDs that allows the creation of custom macros, called entities, that can be used throughout a document. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve the entities by forcing them to iterate almost indefinitely on these recursive definitions.
catXMLExternalEntities This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to an URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals or may compromise the security of the data the server/XML application has access to.
catXMLInjection An attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intend logic of the application. Further, XML injection can cause the insertion of malicious content into the resulting message/document.
catXPathInjection An attack technique used to exploit websites that construct XPath queries from user-supplied input.
catXQueryInjection XQuery Injection is a variant of the classic SQL injection attack against the XML XQuery Language. XQuery Injection uses improperly validated data that is passed to XQuery commands.