List of threat classes
WASC Threat Classification is a cooperative effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data, or its users. More details about the WASC Threat Classification can be found at: http://projects.webappsec.org/w/page/13246978/Threat%20Classification

In AppScan Standard not all WASC threat classifications are used, and there are additional classifications (for example Server-Side Request Forgery) that do not have a WASC classification.
Threat class | Description |
---|---|
catAbuseOfFunctionality | An attack technique that uses a website's own features and functionality to consume, defraud, or circumvent access control mechanisms. |
catApplicationMisconfiguration | These attacks exploit configuration weaknesses found in web applications. |
catPrivacy | Sensitive information stored to disk in cleartext. |
catQuality | Misconfiguration or flaws in a security mechanism are likely to result in dire consequences. |
catBruteForce | An automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key. |
catBufferOverflow | Attacks that alter the flow of an application by overwriting parts of memory with data that exceeds the allocated size of the buffer. |
catContentSpoofing | An attack technique used to trick a user into believing that certain content appearing on a website is legitimate and not from an external source. |
catCredentialSessionPrediction | A method of hijacking or impersonating a website user, by deducing or guessing the unique value that identifies a particular session or user. |
catCrossSiteRequestForgery | An attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. |
catCrossSiteScripting | An attack technique that forces a website to echo attacker-supplied executable code, which loads in a user's browser. |
catDenialOfService | An attack technique with the intent of preventing a website from serving normal user activity. |
catDirectoryIndexing | Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (index.html/home.html/default.htm) is not present. Unintended directory listings may be possible due to software vulnerabilities combined with a specific web request. |
catFingerprinting | The most common methodology for attackers is to first footprint the target's web presence and enumerate as much information as possible. With this information, the attacker may develop an accurate attack scenario, which will effectively exploit a vulnerability in the software type/version being utilized by the target host. |
catFormatStringAttack | Attacks that alter the flow of an application by using string formatting library features to access other memory space. |
catHTTPRequestSmuggling | An attack technique that abuses the discrepancy in parsing of non-RFC-compliant HTTP requests between two HTTP devices to smuggle a request to the second device "through" the first device. |
catHTTPRequestSplitting | HTTP Request Splitting is an attack that enables forcing the browser to send arbitrary HTTP requests, inflicting XSS and poisoning the browser's cache. |
catHTTPResponseSmuggling | A technique to "smuggle" two HTTP responses from a server to a client, through an intermediary HTTP device that expects (or allows) a single response from the server. |
catHTTPResponseSplitting | The essence of HTTP Response Splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one. |
catImproperFilesystemPermissions | A threat to the confidentiality, integrity and availability of a web application. The problem arises when incorrect filesystem permissions are set on files, folders, and symbolic links. |
catImproperInputHandling | One of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications. |
catImproperOutputHandling | If an application has improper output handling, the output data may be consumed leading to vulnerabilities and actions never intended by the application developer. |
catInformationLeakage | An application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data. |
catInsecureIndexing | A threat to the data confidentiality of the website. Indexing website contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, and can later be retrieved by a determined attacker, typically through a series of queries to the search engine. |
catInsufficientAntiAutomation | When a website permits an attacker to automate a process that should only be performed manually. |
catInsufficientAuthentication | Website permits an attacker to access sensitive content or functionality without having to properly authenticate. |
catInsufficientAuthorization | When a website permits access to sensitive content or functionality that should require increased access control restrictions. |
catWeakPasswordRecoveryValidation | When a web site permits an attacker to illegally obtain, change or recover another user's password. |
catInsufficientProcessValidation | When a website permits an attacker to bypass or circumvent the intended flow control of an application. |
catInsufficientSessionExpiration | When a website permits an attacker to reuse old session credentials or session IDs for authorization. |
catInsufficientTransLayerProtection | Allows communication to be exposed to untrusted third parties. |
catIntegerOverflow | The condition that occurs when the result of an arithmetic operation, such as multiplication or addition, exceeds the maximum size of the integer type used to store it. |
catLDAPInjection | An attack technique used to exploit websites that construct LDAP statements from user-supplied input. |
catMailCommandInjection | An attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized. |
catMaliciousContent | Application contains code that appears to be malicious. |
catNullByteInjection | An active exploitation technique used to bypass sanity checking filters in web infrastructure by adding URL-encoded null byte characters to the user-supplied data. |
catOSCommanding | An attack technique used to exploit websites by executing Operating System commands through manipulation of application input. |
catPathTraversal | This is a technique that forces access to files, directories, and commands that potentially reside outside the web document root directory. |
catPredictableResourceLocation | An attack technique used to uncover hidden website content and functionality, by making educated guesses. |
catRemoteFileInclusion | An attack technique used to exploit "dynamic file include" mechanisms in web applications to trick the application into including remote files with malicious code. |
catRoutingDetour | A type of "Man in the Middle" attack where intermediaries can be injected or "hijacked" to route sensitive messages to an outside location. |
catServerMisconfiguration | Exploits configuration weaknesses found in web servers and application servers. |
catServerSideRequestForgery | Incorrect processing, sanitization, or validation of user input that contains elements later joined with a URI. |
catSessionFixation | An attack technique that forces a user's session ID to an explicit value. After a user's session ID has been fixed, the attacker will wait for them to login. Once the user does so, the attacker uses the predefined session ID value to assume their online identity. |
catSOAPArrayAbuse | A web service that expects an array can be the target of an XML DoS attack by forcing the SOAP server to build a huge array in the machine's memory, thus inflicting a DoS condition on the machine due to the memory pre-allocation. |
catSQLInjection | An attack technique used to exploit websites that construct SQL statements from user-supplied input. |
catSSIInjection | A server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. |
catURLRedirectoryAbuse | URL redirectors represent common functionality employed by websites to forward an incoming request to an alternate resource, and can be used in phishing attacks. |
catUserDefined | A test created by the user. |
catXMLAttributeBlowup | A denial of service attack against XML parsers. |
catXMLEntityExpansion | This exploits a capability in XML DTDs that allows the creation of custom macros, called entities, that can be used throughout a document. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve the entities by forcing them to iterate almost indefinitely on these recursive definitions. |
catXMLExternalEntities | This technique takes advantage of a feature of XML to build documents dynamically at the time of processing. An XML message can either provide data explicitly or by pointing to a URI where the data exists. In the attack technique, external entities may replace the entity value with malicious data, alternate referrals, or may compromise the security of the data the server/XML application has access to. |
catXMLInjection | An attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application. Further, XML injection can cause the insertion of malicious content into the resulting message/document. |
catXPathInjection | An attack technique used to exploit websites that construct XPath queries from user-supplied input. |
catXQueryInjection | XQuery Injection is a variant of the classic SQL injection attack against the XML XQuery Language. XQuery Injection uses improperly validated data that is passed to XQuery commands. |