The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry-standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors gain a consistent language for web security issues.

1 Authentication
1.1 Brute Force (threat ID 1): A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key.
1.2 Insufficient Authentication (threat ID 2): Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.
1.3 Weak Password Recovery Validation (threat ID 3): Weak Password Recovery Validation is when a web site permits an attacker to illegally obtain, change or recover another user's password.

2 Authorization
2.1 Credential/Session Prediction (threat ID 4): Credential/Session Prediction is a method of hijacking or impersonating a web site user.
2.3 Insufficient Authorization (threat ID 5): Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions.
2.4 Insufficient Session Expiration (threat ID 6): Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
2.5 Session Fixation (threat ID 7): Session Fixation is an attack technique that forces a user's session ID to an explicit value.

3 Client-side Attacks
3.1 Content Spoofing (threat ID 8): Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.
3.2 Cross-site Scripting (threat ID 9): Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.

4 Command Execution
4.1 Buffer Overflow (threat ID 10): Buffer Overflow exploits are attacks that alter the flow of an application by overwriting parts of memory.
4.2 Format String Attack (threat ID 11): Format String Attacks alter the flow of an application by using string formatting library features to access other memory space.
4.3 LDAP Injection (threat ID 12): LDAP Injection is an attack technique used to exploit web sites that construct LDAP statements from user-supplied input.
4.4 OS Commanding (threat ID 13): OS Commanding is an attack technique used to exploit web sites by executing Operating System commands through manipulation of application input.
4.5 SQL Injection (threat ID 14): SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input.
4.6 SSI Injection (threat ID 15): SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server.
4.7 XPath Injection (threat ID 16): XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

5 Information Disclosure
5.1 Directory Indexing (threat ID 17): Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file is not present.
5.2 Information Leakage (threat ID 18): Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
5.3 Path Traversal (threat ID 19): The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
5.4 Predictable Resource Location (threat ID 20): Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality.

6 Logical Attacks
6.1 Abuse of Functionality (threat ID 21): Abuse of Functionality is an attack technique that uses a web site's own features and functionality to consume resources, defraud users, or circumvent access control mechanisms.
6.2 Denial of Service (threat ID 22): Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity.
6.3 Insufficient Anti-automation (threat ID 23): Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
6.4 Insufficient Process Validation (threat ID 24): Insufficient Process Validation is when a web site permits an attacker to bypass or circumvent the intended flow control of an application.

Download the unmodified WASC TC v1.0 PDF