Threat Classification Taxonomy Cross Reference View

Page history last edited by Robert Auger 11 years, 7 months ago


 

This view maps the WASC Threat Classification's Attacks and Weaknesses to MITRE's Common Weakness Enumeration (CWE), MITRE's Common Attack Pattern Enumeration and Classification (CAPEC), the OWASP Top Ten 2010 RC1 (original mapping to the OWASP Top Ten by Jeremiah Grossman and Bill Corry), and the SANS/CWE Top 25 and the OWASP Top Ten 2007 and 2004 (original mapping by Dan Cornell, Denim Group). Empty cells mean the WASC entry has no counterpart in that taxonomy; a cell with several IDs lists each mapped entry.

 
| WASC ID | Name | CWE ID | CAPEC ID | SANS/CWE Top 25 2009 | OWASP Top Ten 2010 | OWASP Top Ten 2007 | OWASP Top Ten 2004 |
| WASC-01 | Insufficient Authentication | 287 | | 642 | A3 - Broken Authentication and Session Management, A4 - Insecure Direct Object References | A7 - Broken Authentication and Session Management, A4 - Insecure Direct Object Reference | A3 - Broken Authentication and Session Management, A2 - Broken Access Control |
| WASC-02 | Insufficient Authorization | 284 | | 285 | A4 - Insecure Direct Object References, A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access, A4 - Insecure Direct Object Reference | A2 - Broken Access Control |
| WASC-03 | Integer Overflows | 190 | 128 | 682 | | | |
| WASC-04 | Insufficient Transport Layer Protection | 311, 523 | | 319 | A9 - Insufficient Transport Layer Protection | A9 - Insecure Communications | |
| WASC-05 | Remote File Inclusion | 98 | 193, 253 | 426 | | A3 - Malicious File Execution | |
| WASC-06 | Format String | 134 | 67 | | | | |
| WASC-07 | Buffer Overflow | 119, 120 | 10, 100 | 119 | | | A5 - Buffer Overflows |
| WASC-08 | Cross-site Scripting | 79 | 18, 19, 63 | 79 | A2 - Cross-Site Scripting | A1 - Cross Site Scripting (XSS) | A4 - Cross Site Scripting (XSS) |
| WASC-09 | Cross-site Request Forgery | 352 | 62 | 352 | A5 - Cross-Site Request Forgery | A5 - Cross Site Request Forgery (CSRF) | |
| WASC-10 | Denial of Service | 400 | 119 | 404 | A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access | A9 - Denial of Service |
| WASC-11 | Brute Force | 330, 331, 340 | 112 | | A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access | A2 - Broken Access Control |
| WASC-12 | Content Spoofing | 345 | 148 | | | | |
| WASC-13 | Information Leakage | 200 | 118 | 209 | | A6 - Information Leakage and Improper Error Handling | A7 - Improper Error Handling |
| WASC-14 | Server Misconfiguration | 16 | | | A6 - Security Misconfiguration | | A10 - Insecure Configuration Management |
| WASC-15 | Application Misconfiguration | 16 | | | A6 - Security Misconfiguration | | A10 - Insecure Configuration Management |
| WASC-16 | Directory Indexing | 548 | 127 | | | | |
| WASC-17 | Improper Filesystem Permissions | 280 | 17 | 732, 250 | | | |
| WASC-18 | Credential/Session Prediction | 330 | 59 | 330 | A3 - Broken Authentication and Session Management | A7 - Broken Authentication and Session Management | A3 - Broken Authentication and Session Management |
| WASC-19 | SQL Injection | 89 | 66 | 89 | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-20 | Improper Input Handling | 20 | | 20, 73 | | | A1 - Unvalidated Input |
| WASC-21 | Insufficient Anti-Automation | 799, 804 | | | A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access | A2 - Broken Access Control |
| WASC-22 | Improper Output Handling | 116 | | 116 | | | |
| WASC-23 | XML Injection | 91 | 250 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-24 | HTTP Request Splitting | 93 | 105 | | | | |
| WASC-25 | HTTP Response Splitting | 113 | 34 | | | | |
| WASC-26 | HTTP Request Smuggling | 444 | 33 | | | | |
| WASC-27 | HTTP Response Smuggling | 436 | 273 | | | | |
| WASC-28 | Null Byte Injection | 158 | 52 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-29 | LDAP Injection | 90 | 136 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-30 | Mail Command Injection | 88 | 134 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-31 | OS Commanding | 78 | 88 | 78 | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-32 | Routing Detour | 300, 441 | 219 | | | | |
| WASC-33 | Path Traversal | 22 | 126 | 73, 426 | A4 - Insecure Direct Object References | A4 - Insecure Direct Object Reference | A2 - Broken Access Control |
| WASC-34 | Predictable Resource Location | 425 | 87 | | A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access | A2 - Broken Access Control |
| WASC-35 | SOAP Array Abuse | 789 | 256 | | | | A9 - Denial of Service |
| WASC-36 | SSI Injection | 97 | 101 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-37 | Session Fixation | 384 | 61 | 732 | A3 - Broken Authentication and Session Management | A7 - Broken Authentication and Session Management | A3 - Broken Authentication and Session Management |
| WASC-38 | URL Redirector Abuse | 601 | | | A10 - Unvalidated Redirects and Forwards | | |
| WASC-39 | XPath Injection | 643 | 83 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-40 | Insufficient Process Validation | 691 | | | | | |
| WASC-41 | XML Attribute Blowup | 400, 405 | 229 | | | | A9 - Denial of Service |
| WASC-42 | Abuse of Functionality | 227 | 210 | | | | |
| WASC-43 | XML External Entities | 611 | 221 | | | | |
| WASC-44 | XML Entity Expansion | 776 | 197 | | | | A9 - Denial of Service |
| WASC-45 | Fingerprinting | 205 | 224 | | | | |
| WASC-46 | XQuery Injection | 652 | 84 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-47 | Insufficient Session Expiration | 613 | 60 | 732 | A3 - Broken Authentication and Session Management | A7 - Broken Authentication and Session Management | A3 - Broken Authentication and Session Management |
| WASC-48 | Insecure Indexing | 612 | | | | | |
| WASC-49 | Insufficient Password Recovery | 640 | 50 | | | | |
 

Note: Not every related CWE and CAPEC ID is included in this table; where possible, only the parent entries were kept.
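Mapping tables like this one are most useful when a tool can answer questions in both directions: "what CWE and OWASP category does this WASC finding carry?" and "which WASC classes does a program that tracks only the OWASP Top Ten 2010 never see?" The following Python is an added example, not part of the original page or of any WASC tooling. It parses a subset of the rows above, transcribed here into a pipe-delimited form (constructed input, the delimiter is this example's own choice), builds reverse indexes per taxonomy, enriches a finding tagged with a WASC ID, and lists the WASC entries with no counterpart in a chosen column. The column keys and function names are this example's assumptions.

```python
"""Cross-walk helper for the WASC Threat Classification mapping table (added example)."""
from collections import defaultdict

# Column keys in the order the page's table uses them (names chosen for this example).
COLUMNS = ("wasc", "name", "cwe", "capec", "sans25_2009", "owasp2010", "owasp2007", "owasp2004")
# Columns holding bare numeric IDs, and the prefix that turns them into canonical identifiers.
ID_COLUMNS = {"cwe": "CWE-", "capec": "CAPEC-", "sans25_2009": "CWE-"}
# Columns holding comma-separated "A<n> - Category" entries.
OWASP_COLUMNS = ("owasp2010", "owasp2007", "owasp2004")

# Constructed input: eight rows transcribed from the mapping table on this page.
MAPPING_ROWS = """\
WASC-02 | Insufficient Authorization | 284 | | 285 | A4 - Insecure Direct Object References, A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access, A4 - Insecure Direct Object Reference | A2 - Broken Access Control
WASC-08 | Cross-site Scripting | 79 | 18 19 63 | 79 | A2 - Cross-Site Scripting | A1 - Cross Site Scripting (XSS) | A4 - Cross Site Scripting (XSS)
WASC-17 | Improper Filesystem Permissions | 280 | 17 | 732 250 | | |
WASC-19 | SQL Injection | 89 | 66 | 89 | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws
WASC-31 | OS Commanding | 78 | 88 | 78 | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws
WASC-33 | Path Traversal | 22 | 126 | 73 426 | A4 - Insecure Direct Object References | A4 - Insecure Direct Object Reference | A2 - Broken Access Control
WASC-37 | Session Fixation | 384 | 61 | 732 | A3 - Broken Authentication and Session Management | A7 - Broken Authentication and Session Management | A3 - Broken Authentication and Session Management
WASC-43 | XML External Entities | 611 | 221 | | | |
"""


def _cell(column, raw):
    """Normalise one cell: ID columns become lists of prefixed IDs, OWASP columns lists of categories."""
    raw = raw.strip()
    if not raw:
        return []
    if column in ID_COLUMNS:
        return [ID_COLUMNS[column] + number for number in raw.split()]
    if column in OWASP_COLUMNS:
        return [category.strip() for category in raw.split(",")]
    return raw  # "wasc" and "name" stay plain strings


def parse_rows(text):
    """Parse pipe-delimited rows into {wasc_id: record}; a row with the wrong column count is rejected."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = line.split("|")
        if len(cells) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(cells)}: {line!r}")
        record = {column: _cell(column, cell) for column, cell in zip(COLUMNS, cells)}
        records[record["wasc"]] = record
    return records


def owasp_code(category):
    """'A4 - Insecure Direct Object References' -> 'A4'."""
    return category.split(" - ", 1)[0]


def build_indexes(records):
    """Reverse indexes: for each taxonomy column, identifier -> set of WASC IDs mapped to it."""
    indexes = {column: defaultdict(set) for column in list(ID_COLUMNS) + list(OWASP_COLUMNS)}
    for wasc_id, record in records.items():
        for column in ID_COLUMNS:
            for identifier in record[column]:
                indexes[column][identifier].add(wasc_id)
        for column in OWASP_COLUMNS:
            for category in record[column]:
                indexes[column][owasp_code(category)].add(wasc_id)
    return indexes


def unmapped(records, column):
    """WASC IDs that have no entry in the given column, i.e. what a program tracking only that list misses."""
    return sorted(wasc_id for wasc_id, record in records.items() if not record[column])


def enrich_finding(records, wasc_id):
    """Attach the cross-referenced identifiers to a finding that only carries a WASC ID."""
    record = records[wasc_id]
    return {
        "wasc": wasc_id,
        "name": record["name"],
        "cwe": record["cwe"],
        "capec": record["capec"],
        "owasp2010": [owasp_code(category) for category in record["owasp2010"]],
        "in_sans25_2009": bool(record["sans25_2009"]),
    }


if __name__ == "__main__":
    table = parse_rows(MAPPING_ROWS)
    indexes = build_indexes(table)
    print(enrich_finding(table, "WASC-33"))
    print("WASC entries mapped to SANS/CWE-732:", sorted(indexes["sans25_2009"]["CWE-732"]))
    print("No OWASP Top Ten 2010 counterpart:", unmapped(table, "owasp2010"))
```

The parser rejects rows with the wrong column count rather than guessing, which matters when the table is copied from a rendered page and an empty cell is dropped; the OWASP columns are split on commas because the category names in this table contain none.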
