
Re: [WEB SECURITY] WASC Announcement: WASC Threat Classification



> I think it is also important to add attacks like: Buffer Overflow,
> HPP ( HTTP Parameter Pollution ), RFI ( Remote File Inclusion ),
> SSI ( Server Side Inclusion ), and also maybe ClickJacking.

Buffer overflow is included
http://projects.webappsec.org/Buffer-Overflow

as well as integer overflows
http://projects.webappsec.org/Integer-Overflows

As well as RFI
http://projects.webappsec.org/Remote-File-Inclusion

as well as SSI
http://projects.webappsec.org/SSI-Injection

The TCv2 was already scoped, hence things like clickjacking and HPP were not included. These
will be debated for inclusion in future releases. Truthfully, there are more important sections
needing to be authored (like insufficient data protection, and data-transformation-based attacks/weaknesses),
and likely will not be included in the next micro update (hopefully out in the next 4 months).

> I also recommend splitting Cross Site Scripting (WASC-08 XSS) into:
> Reflected Cross Site Scripting, Stored Cross Site Scripting, Cross Site Tracing ( XST ).
> And SQL Injection into: Numeric SQL Injection, String SQL Injection, Blind SQL Injection.

Rather than splitting each attack and weakness into reflected/persistent we opted for grouping
the issues under the core concept instead. You can have persistent or reflective injections for most
injection types. 

If you're seeking this type of breakdown I suggest looking at CAPEC/CWE by MITRE.

Regards,
- Robert

> 
> Kind Regards,
> Narkolayev Shlomi
> 
> 
> 
> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah@xxxxxxxxxxxxxxx]
> Sent: Tuesday, January 05, 2010 11:44 PM
> To: websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] WASC Announcement: WASC Threat Classification v2.0 Published
> 
> For those interested, a WASC Threat Classification v2 to OWASP Top Ten 2009 RC1 Mapping
> http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html
> 
> Regards,
> 
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
> http://www.whitehatsec.com/
> 
> 
> On Jan 1, 2010, at 4:56 PM, robert@xxxxxxxxxxxxx wrote:
> 
> > The Web Application Security Consortium (WASC) is pleased to announce the long-awaited release of the WASC
> > Threat Classification v2.0. The Threat Classification is an effort to classify the weaknesses and attacks
> > that can lead to the compromise of a website, its data, or its users. This document's primary purpose is
> > to serve as a reference guide for common attacks and weaknesses.
> >
> > Main goals
> > - Refine document scope, terminology, and purpose
> > - Update existing sections when applicable
> > - Add missing attacks and weaknesses
> > - Creation of a firm, scalable base foundation allowing for the introduction of data views allowing for various
> >   forms of data representation
> > - Addition of attack and weakness reference identifiers (WASC-<xx>)
> > - Publication of two data views
> >
> >
> > WASC Threat Classification v2.0 Online
> > http://projects.webappsec.org/Threat-Classification
> >
> > Using the Threat Classification
> > http://projects.webappsec.org/Using-the-Threat-Classification
> >
> > Threat Classification Authors and Contributors
> > http://projects.webappsec.org/Threat-Classification-Authors
> >
> > WASC Threat Classification FAQ
> > http://projects.webappsec.org/Threat-Classification-FAQ
> >
> > WASC Reference Identifier Grid
> > http://projects.webappsec.org/Threat-Classification-Reference-Grid
> >
> > Threat Classification Data Views
> > http://projects.webappsec.org/Threat-Classification-Views
> >
> >
> > We have already started scoping the next minor release of the Threat Classification, and are seeking contributors.
> > If you are interested in participating in the next release of the WASC Threat Classification please contact us at
> > contact_at_@xxxxxxxxxxxxx with the subject 'WASC Threat Classification Contribution Inquiry'.
> >
> > Questions can be directed to Robert Auger (contact_at_webappsec.org) with the subject 'WASC TC Inquiry'.
> >
> >
> > Regards,
> > - Robert Auger
> > WASC Threat Classification Project leader/WASC Co Founder
> > http://projects.webappsec.org/Threat-Classification
> > http://www.webappsec.org/ The Web Application Security Consortium
> >
> 
> 
> 
> 


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
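The reflected/persistent distinction Robert draws above (that it is a delivery axis cutting across injection types, not a separate class of attack) is easy to see in code. The following is an added example, not part of this thread and not code from the WASC Threat Classification project. It is a constructed Python/SQLite application in which the same SQL injection payload reaches the query sink either straight from the request (reflected) or from a value accepted and stored earlier (persistent, often called second-order), and in which the same fix, binding parameters at the sink, closes both paths. The table layout, the seed rows, the payload and all function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data (an assumption for this example, not from the page):
# one ordinary user and one privileged user whose order should stay private.
SEED_SQL = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, item TEXT NOT NULL);
INSERT INTO users  (name) VALUES ('alice'), ('root');
INSERT INTO orders (owner, item) VALUES ('alice', 'book'), ('root', 'server-key');
"""

# One payload, used unchanged on both delivery paths below.
PAYLOAD = "x' OR owner='root"


def make_db():
    """Fresh in-memory database so the example runs offline and repeatably."""
    db = sqlite3.connect(":memory:")
    db.executescript(SEED_SQL)
    return db


# ---- Reflected path: request data reaches the query sink immediately -------

def orders_for_vulnerable(db, owner):
    """Injectable: `owner` (think ?owner=... on a URL) is concatenated into SQL."""
    sql = "SELECT item FROM orders WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]


# ---- Persistent (second-order) path: stored safely, used unsafely later ----

def register_user(db, name):
    """Parameterised INSERT: the name is stored verbatim, quotes and all.
    This step is safe on its own, which is why scanners testing only this
    endpoint report nothing."""
    cur = db.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return cur.lastrowid


def orders_for_user_id_vulnerable(db, user_id):
    """The id lookup is bound, but the stored name is then trusted and handed
    to the same concatenating sink: the injection fires on a later request,
    from a different code path than the one that accepted the input."""
    name = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return orders_for_vulnerable(db, name)


# ---- Hardened: parameterise at the sink, whatever the data's origin --------

def orders_for_safe(db, owner):
    """Bound parameter: the payload is compared as a literal owner name."""
    return [row[0] for row in db.execute(
        "SELECT item FROM orders WHERE owner = ?", (owner,))]


def orders_for_user_id_safe(db, user_id):
    name = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return orders_for_safe(db, name)


def demo():
    """Run the payload through all four paths and return what each one returns."""
    db = make_db()
    uid = register_user(db, PAYLOAD)   # attacker-chosen display name, stored once
    return {
        "reflected_vulnerable":  orders_for_vulnerable(db, PAYLOAD),
        "persistent_vulnerable": orders_for_user_id_vulnerable(db, uid),
        "reflected_safe":        orders_for_safe(db, PAYLOAD),
        "persistent_safe":       orders_for_user_id_safe(db, uid),
    }


if __name__ == "__main__":
    for path, items in demo().items():
        print(f"{path:24s} -> {items}")
```

Both vulnerable paths return the root user's `server-key` row because the concatenated query becomes `... WHERE owner = 'x' OR owner='root'`; both hardened paths return nothing because the bound parameter is matched as a literal. The point for classification is that the weakness is identical (untrusted data concatenated into a query) and only the time and route of delivery differ, which is the same reflected-versus-stored split seen with cross-site scripting.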


