Thursday, July 22, 2010

Threat Classification

The WASC Threat Classification v2.0

"The Threat Classification is an effort to classify the weaknesses, and attacks that can lead to the compromise of a website, its data, or its users."

The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language and definitions for web security related issues.


The WASC Threat Classification Online
The below grid outlines the 'Threat Classification Enumeration View', the core WASC TC view. Additional views can be found at the Threat Classification Views section.

Abuse of FunctionalityApplication Misconfiguration
Brute ForceDirectory Indexing
Buffer OverflowImproper Filesystem Permissions
Content SpoofingImproper Input Handling
Credential/Session Prediction
Cross-Site ScriptingInformation Leakage
Cross-Site Request Forgery
Denial of ServiceInsufficient Anti-automation
FingerprintingInsufficient Authentication
Format StringInsufficient Authorization
HTTP Response SmugglingInsufficient Password Recovery
HTTP Response SplittingInsufficient Process Validation
HTTP Request SmugglingInsufficient Session Expiration
HTTP Request SplittingInsufficient Transport Layer Protection
Integer OverflowsServer Misconfiguration
LDAP Injection
Mail Command Injection
Null Byte Injection
OS Commanding

Path Traversal
Predictable Resource Location
Remote File Inclusion (RFI)
Routing Detour
Session Fixation
SOAP Array Abuse
SSI Injection
SQL Injection
URL Redirector Abuse 
XPath Injection
XML Attribute Blowup
XML External Entities
XML Entity Expansion 
XML Injection
XQuery Injection
Threat Classification Frequently Asked Questions
We have published an FAQ addressing commonly asked questions about the Threat Classification. We have also created an entry discussing the need for a new direction for the Threat Classification.
Threat Classification Terminology
Terminology is particularly important so we've created a page outlining the definitions used throughout this document.
Using the Threat Classification
Information on how the threat classification can be used may be found here.
Threat Classification 'Views'
The TCv2 has introduced the concept of 'Views' allowing for various ways to represent the attacks and weaknesses listed within the TC. A list of Threat Classification Views can be found here.
Threat Classification Reference Grid
The Threat Classification Reference Grid was created to allow individuals and products to reference particular Threat Classification sections with a static identifier.
Threat Classification Team
The list of authors and contributors can be found at our Authors and Contributors page.
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit or send a letter to: Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Contacting WASC
Questions may be directed to Robert Auger (contact @ with the subject 'WASC Threat Classification Inquiry'.