WASC applies a selective process to assigning project leaders, with
the key goal of qualified expertise throughout the project with timely
Web Application Security Scanner Evaluation Criteria
The Web Application Security Scanner Evaluation Criteria is a set of guidelines for evaluating web application security scanners on how accurately and how completely they identify web application vulnerabilities.
Web Security Articles
The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.
The Web Hacking Incidents Database
The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of security incidents involving web applications. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide data for statistical analysis of web application security incidents.
The Script Mapping Project
The purpose of the WASC Script Mapping Project is to compile an exhaustive list of vectors that execute script within a web page without using <script> tags. This data is useful for testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an HTML whitelist system, and for other purposes.
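To make the point concrete, here is an added example (not WASC's code or the project's data): a handful of constructed vectors of the kind the Script Mapping Project catalogues, a blacklist filter that only strips <script> elements, and a minimal allow-list sanitizer. The vector strings, the allowed tag and attribute sets, and the URL scheme list are illustrative assumptions; the regex tokenizer is adequate for these inputs but is not a substitute for a real HTML parser.

```javascript
// Added example, not WASC's code: a <script>-only blacklist filter next to a
// small allow-list sanitizer, exercised with constructed vectors of the kind
// the Script Mapping Project catalogues (script execution without <script>).

// Constructed vectors; every one executes script with no <script> tag at all.
const VECTORS = [
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
  '<svg onload=alert(1)>',
  '<body onload=alert(1)>',
  '<iframe src="javascript:alert(1)"></iframe>',
  '<b onmouseover=alert(1)>bold</b>',
];

// Naive blacklist: strips <script>...</script> and any stray <script> tag,
// and nothing else. Every vector above survives it untouched.
function blacklistFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?script\b[^>]*>/gi, '');
}

// Allow-list sanitizer (assumed policy): keep only these tags, only these
// attributes, and only href values with an allowed scheme. Everything not
// listed is dropped; text content is kept and entity-escaped.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;

// Regex tokenizer: good enough for the constructed inputs here, but a real
// deployment should drive this policy from an HTML parser, not a regex.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function whitelistSanitize(html) {
  let out = '';
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG_RE.lastIndex;
    const closing = m[0][1] === '/';
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;           // unknown tag: drop it, keep surrounding text
    if (closing) { out += `</${tag}>`; continue; }
    let attrs = '';
    const allowed = ALLOWED_ATTRS[tag];
    if (allowed) {
      ATTR_RE.lastIndex = 0;
      let a;
      while ((a = ATTR_RE.exec(m[2])) !== null) {
        const name = a[1].toLowerCase();
        const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
        if (!allowed.has(name)) continue;            // on* handlers never get this far
        if (name === 'href' && !SAFE_URL.test(value)) continue; // javascript:, data:, vbscript: all fail
        attrs += ` ${name}="${escapeText(value)}"`;
      }
    }
    out += `<${tag}${attrs}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Vectors that still carry an event handler or javascript: URL after filtering.
function bypasses(filter, vectors = VECTORS) {
  return vectors.filter(v => /\bon[a-z]+\s*=|javascript:/i.test(filter(v)));
}
```

Run `bypasses(blacklistFilter)` and every vector comes back, because none of them contains the one string the blacklist knows about; `bypasses(whitelistSanitize)` returns nothing, because the allow-list never has to know what an attack looks like, only what legitimate markup looks like. That asymmetry is why the project's vector list is most useful as a regression suite against blacklist-style filters.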
Distributed Open Proxy Honeypots
This project turns one of the web attacker's most trusted tools, the open proxy server, against them. Instead of being the target of attacks, we opt to act as a conduit for the attack traffic in order to gather intelligence. By deploying multiple, specially configured open proxy servers (or "proxypots"), we aim to take a bird's-eye look at the types of malicious traffic that traverse these systems. The honeypot systems conduct real-time analysis of the HTTP traffic to categorize requests into the threat classes outlined by the Web Security Threat Classification and report all logging data to a centralized location.
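As an added illustration of the real-time classification step (this is not the proxypot code and not WASC's data), the following tags constructed proxy access-log lines with Web Security Threat Classification attack class names using simple signatures. The log lines, hostnames and addresses are constructed; the signature regexes are a deliberately small assumed set, enough to show the shape of the pipeline rather than a complete detector.

```javascript
// Added example, not the WASC proxypot implementation. Classifies constructed
// proxy access-log lines into Web Security Threat Classification attack classes
// with simple signatures, the way a proxypot's real-time analysis might tag
// requests before shipping them to a central collector.

// Constructed sample log lines in combined-log form, request target is an
// absolute URL because the client spoke to a proxy.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2007:13:55:36 +0000] "GET http://shop.example/item.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Oct/2007:13:55:37 +0000] "GET http://shop.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1033',
  '198.51.100.9 - - [10/Oct/2007:13:56:01 +0000] "GET http://www.example/cgi-bin/view?file=../../../../etc/passwd HTTP/1.0" 404 300',
  '198.51.100.9 - - [10/Oct/2007:13:56:02 +0000] "GET http://www.example/ping.cgi?host=127.0.0.1;id HTTP/1.0" 500 120',
  '192.0.2.77 - - [10/Oct/2007:13:57:10 +0000] "GET http://news.example/index.html HTTP/1.1" 200 8192',
];

// Assumed signature set, keyed by WSTC class name; applied to the URL-decoded
// request target so %27 and %3C do not hide the payload.
const SIGNATURES = [
  ['SQL Injection',        /('|%27)\s*(or|and)\s*('|%27)?\d|union\s+select|--\s*$/i],
  ['Cross-site Scripting', /<\s*script|javascript:|\bon[a-z]+\s*=/i],
  ['Path Traversal',       /(\.\.[\/\\]){2,}|\/etc\/passwd/],
  ['OS Commanding',        /[;|`]\s*(cat|ls|id|wget|curl|sh)\b/],
];

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$/;

function decodeTarget(url) {
  try { return decodeURIComponent(url); } catch (e) { return url; } // tolerate malformed %-escapes
}

// Returns {client, method, target, status, classes} or null for an unparseable line.
function classifyRequest(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const target = decodeTarget(m[4]);
  const classes = SIGNATURES.filter(([, re]) => re.test(target)).map(([name]) => name);
  return { client: m[1], method: m[3], target, status: Number(m[6]), classes };
}

// Per-class hit counts over a batch of lines, the kind of summary a central
// collector would aggregate across proxypots.
function summarize(lines) {
  const counts = {};
  for (const line of lines) {
    const r = classifyRequest(line);
    if (!r) continue;
    for (const c of r.classes) counts[c] = (counts[c] || 0) + 1;
  }
  return counts;
}
```

Two design points carry over to a real deployment: decode before matching (and decode only once, so double-encoded payloads are still visible as anomalies rather than silently normalised), and let a request carry several classes rather than forcing one label, since real attack traffic often mixes them.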
Web Security Glossary
The Web Security Glossary is an alphabetical index of terms and terminology relating to web applications security. The purpose of the Glossary is to further clarify the language used within the community.
Web Security Threat Classification
The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry-standard terminology for describing these issues, so that application developers, security professionals, software vendors, and compliance auditors share a consistent language for web security related issues.
Web Application Firewall Evaluation Criteria
The goal of this project is to develop detailed web application firewall (WAF) evaluation criteria: a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.
Web Application Security Statistics
The WASC Statistics Project is the first attempt at an industry-wide collection of application vulnerability statistics in order to identify the existence and proliferation of application security issues on enterprise websites. Anonymous data correlating vulnerability numbers and trends across organization size, industry vertical and geographic area is being collected and analyzed to identify the prevalence of threats facing today's online businesses. Such empirical data aims to provide the first true statistics on application-layer vulnerabilities. Using the Web Security Threat Classification as a baseline, data is currently being collected and contributed by more than half a dozen major security vendors, with the list of contributors growing regularly. We are actively seeking others to contribute data.