List of threat classes

A summary of the WASC Threat Classification, a cooperative effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

The tables below provide short descriptions of attacks and weaknesses. More details about the WASC Threat Classification can be found at:

http://projects.webappsec.org/w/page/13246978/Threat%20Classification

Attacks

Name: Short description

Abuse of Functionality: An attack technique that uses a website's own features and functionality to consume, defraud, or circumvent access control mechanisms.
Brute Force: An automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key.
Buffer Overflow: Attacks that alter the flow of an application by overwriting parts of memory with data that exceeds the allocated size of the buffer.
Content Spoofing: An attack technique used to trick a user into believing that certain content appearing on a website is legitimate and not from an external source.
Credential/Session Prediction: A method of hijacking or impersonating a website user by deducing or guessing the unique value that identifies a particular session or user.
Cross-site Scripting: An attack technique that forces a website to echo attacker-supplied executable code, which loads in a user's browser.
Cross-site Request Forgery: An attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent, in order to perform an action as the victim.
Denial of Service: An attack technique with the intent of preventing a website from serving normal user activity.
Fingerprinting: The most common methodology for attackers is to first footprint the target's web presence and enumerate as much information as possible. With this information, the attacker may develop an accurate attack scenario that effectively exploits a vulnerability in the software type/version used by the target host.
Format String: Attacks that alter the flow of an application by using string-formatting library features to access other memory space.
HTTP Response Smuggling: A technique to "smuggle" two HTTP responses from a server to a client through an intermediary HTTP device that expects (or allows) a single response from the server.
HTTP Response Splitting: The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one.
HTTP Request Smuggling: An attack technique that abuses the discrepancy in parsing of non-RFC-compliant HTTP requests between two HTTP devices to smuggle a request to the second device "through" the first device.
HTTP Request Splitting: An attack that enables forcing the browser to send arbitrary HTTP requests, inflicting XSS and poisoning the browser's cache.
Integer Overflows: The condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it.
LDAP Injection: An attack technique used to exploit websites that construct LDAP statements from user-supplied input.
Mail Command Injection: An attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized.
Null Byte Injection: An active exploitation technique used to bypass sanity-checking filters in web infrastructure by adding URL-encoded null byte characters to the user-supplied data.
OS Commanding: An attack technique used to exploit websites by executing operating system commands through manipulation of application input.
Path Traversal: A technique that forces access to files, directories, and commands that potentially reside outside the web document root directory.
Predictable Resource Location: An attack technique used to uncover hidden website content and functionality by making educated guesses.
Remote File Inclusion: An attack technique used to exploit "dynamic file include" mechanisms in web applications to trick the application into including remote files with malicious code.
Routing Detour: A type of "Man in the Middle" attack where intermediaries can be injected or "hijacked" to route sensitive messages to an outside location.
Session Fixation: An attack technique that forces a user's session ID to an explicit value. After a user's session ID has been fixed, the attacker waits for them to log in. Once the user does so, the attacker uses the predefined session ID value to assume their online identity.
Weak Password Recovery Validation: When a website permits an attacker to illegally obtain, change or recover another user's password.
SOAP Array Abuse: A web service that expects an array can be the target of an XML DoS attack by forcing the SOAP server to build a huge array in the machine's memory, thus inflicting a DoS condition on the machine due to the memory pre-allocation.
SSI Injection: A server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.
SQL Injection: An attack technique used to exploit websites that construct SQL statements from user-supplied input.
URL Redirector Abuse: URL redirectors represent common functionality employed by websites to forward an incoming request to an alternate resource, and can be used in phishing attacks.
XPath Injection: An attack technique used to exploit websites that construct XPath queries from user-supplied input.
XML Attribute Blowup: A denial of service attack against XML parsers.
XML External Entities: This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to a URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data or alternate referrals, or may compromise the security of the data the server/XML application has access to.
XML Entity Expansion: This exploits a capability in XML DTDs that allows the creation of custom macros, called entities, that can be used throughout a document. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve the entities by forcing them to iterate almost indefinitely on these recursive definitions.
XML Injection: An attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application. Further, XML injection can cause the insertion of malicious content into the resulting message/document.
XQuery Injection: A variant of the classic SQL injection attack against the XML XQuery Language. XQuery Injection uses improperly validated data that is passed to XQuery commands.

Weaknesses

Name: Short description

Application Misconfiguration: Configuration weaknesses found in web applications that attackers can exploit.
Directory Indexing: Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (index.html/home.html/default.htm) is not present. Unintended directory listings may be possible due to software vulnerabilities combined with a specific web request.
Improper Filesystem Permissions: A threat to the confidentiality, integrity and availability of a web application. The problem arises when incorrect filesystem permissions are set on files, folders, and symbolic links.
Improper Input Handling: One of the most common weaknesses identified across applications today. Poorly handled input is a leading cause of critical vulnerabilities in systems and applications.
Improper Output Handling: If an application has improper output handling, the output data may be consumed in ways that lead to vulnerabilities and actions never intended by the application developer.
Information Leakage: An application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.
Insecure Indexing: A threat to the data confidentiality of the website. Indexing website contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, from which it can later be retrieved by a determined attacker, typically through a series of queries to the search engine.
Insufficient Anti-automation: When a website permits an attacker to automate a process that should only be performed manually.
Insufficient Authentication: When a website permits an attacker to access sensitive content or functionality without having to properly authenticate.
Insufficient Authorization: When a website permits access to sensitive content or functionality that should require increased access control restrictions.
Insufficient Password Recovery: When a website permits an attacker to illegally obtain, change or recover another user's password.
Insufficient Process Validation: When a website permits an attacker to bypass or circumvent the intended flow control of an application.
Insufficient Session Expiration: When a website permits an attacker to reuse old session credentials or session IDs for authorization.
Insufficient Transport Layer Protection: Allows communication to be exposed to untrusted third parties.
Server Misconfiguration: Configuration weaknesses found in web servers and application servers that attackers can exploit.