
RE: [WEB SECURITY] WASC Announcement: WASC Threat Classification v2.0 Published



I think it is important to also add attacks like: Buffer Overflow, 
HPP ( HTTP Parameter Pollution ), RFI ( Remote File Inclusion ), 
SSI ( Server Side Inclusion ), and also maybe ClickJacking.

I also recommend splitting Cross Site Scripting (WASC-08 XSS) to:
Reflected Cross Site Scripting, Stored Cross Site Scripting, Cross Site Tracing ( XST ).
And SQL Injection to: Numeric SQL Injection, String SQL Injection, Blind SQL Injection.

Kind Regards,
Narkolayev Shlomi



-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@xxxxxxxxxxxxxxx] 
Sent: Tuesday, January 05, 2010 11:44 PM
To: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] WASC Announcement: WASC Threat Classification v2.0 Published

For those interested, a WASC Threat Classification v2 to OWASP Top Ten  
2009 RC1 Mapping
http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html

Regards,

Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/


On Jan 1, 2010, at 4:56 PM, robert@xxxxxxxxxxxxx wrote:

> The Web Application Security Consortium (WASC) is pleased to  
> announce the long awaited release of the WASC
> Threat Classification v2.0. The Threat Classification is an effort  
> to classify the weaknesses, and attacks
> that can lead to the compromise of a website, its data, or its  
> users. This document's primary purpose is
> to serve as a reference guide for common attacks and weaknesses.
>
> Main goals
> - Refine document scope, terminology, and purpose
> - Update existing sections when applicable
> - Add missing attacks and weaknesses
> - Creation of a firm, scalable base foundation allowing for the  
> introduction of data views allowing for various
>  forms of data representation
> - Addition of attack and weakness reference identifiers (WASC-<xx>)
> - Publication of two data views
>
>
> WASC Threat Classification v2.0 Online
> http://projects.webappsec.org/Threat-Classification
>
> Using the Threat Classification
> http://projects.webappsec.org/Using-the-Threat-Classification
>
> Threat Classification Authors and Contributors
> http://projects.webappsec.org/Threat-Classification-Authors
>
> WASC Threat Classification FAQ
> http://projects.webappsec.org/Threat-Classification-FAQ
>
> WASC Reference Identifier Grid
> http://projects.webappsec.org/Threat-Classification-Reference-Grid
>
> Threat Classification Data Views
> http://projects.webappsec.org/Threat-Classification-Views
>
>
> We have already started scoping the next minor release of the Threat  
> Classification, and are seeking contributors.
> If you are interested in participating in the next release of the  
> WASC Threat Classification please contact us at
> contact_at_@xxxxxxxxxxxxx with the subject 'WASC Threat  
> Classification Contribution Inquiry'.
>
> Questions can be directed to Robert Auger (contact_at_webappsec.org)  
> with the subject 'WASC TC Inquiry'.
>
>
> Regards,
> - Robert Auger
> WASC Threat Classification Project leader/WASC Co Founder
> http://projects.webappsec.org/Threat-Classification
> http://www.webappsec.org/ The Web Application Security Consortium
>




----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org
Search this site