| WASC ID | Name | CWE ID | CAPEC ID | SANS/CWE Top 25 2009 | OWASP Top Ten 2010 | OWASP Top Ten 2007 | OWASP Top Ten 2004 |
|---|---|---|---|---|---|---|---|
| WASC-01 | Insufficient Authentication | 287 | | 642 | A3 - Broken Authentication and Session Management, A4 - Insecure Direct Object References | A7 - Broken Authentication and Session Management, A4 - Insecure Direct Object Reference | A3 - Broken Authentication and Session Management, A2 - Broken Access Control |
| WASC-02 | Insufficient Authorization | 284 | | 285 | A4 - Insecure Direct Object References, A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access, A4 - Insecure Direct Object Reference | A2 - Broken Access Control |
| WASC-03 | Integer Overflows | 190 | 128 | 682 | | | |
| WASC-04 | Insufficient Transport Layer Protection | 311, 523 | | 319 | A9 - Insufficient Transport Layer Protection | A9 - Insecure Communications | |
| WASC-05 | Remote File Inclusion | 98 | 193, 253 | 426 | | A3 - Malicious File Execution | |
| WASC-06 | Format String | 134 | 67 | | | | |
| WASC-07 | Buffer Overflow | 119, 120 | 10, 100 | 119 | | | A5 - Buffer Overflows |
| WASC-08 | Cross-site Scripting | 79 | 18, 19, 63 | 79 | A2 - Cross-Site Scripting | A1 - Cross Site Scripting (XSS) | A4 - Cross Site Scripting (XSS) |
| WASC-09 | Cross-site Request Forgery | 352 | 62 | 352 | A5 - Cross-Site Request Forgery | A5 - Cross Site Request Forgery (CSRF) | |
| WASC-10 | Denial of Service | 400 | 119 | 404 | A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access | A9 - Denial of Service |
| WASC-11 | Brute Force | 330, 331, 340 | 112 | | A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access | A2 - Broken Access Control |
| WASC-12 | Content Spoofing | 345 | 148 | | | | |
| WASC-13 | Information Leakage | 200 | 118 | 209 | | A6 - Information Leakage and Improper Error Handling | A7 - Improper Error Handling |
| WASC-14 | Server Misconfiguration | 16 | | | A6 - Security Misconfiguration | | A10 - Insecure Configuration Management |
| WASC-15 | Application Misconfiguration | 16 | | | A6 - Security Misconfiguration | | A10 - Insecure Configuration Management |
| WASC-16 | Directory Indexing | 548 | 127 | | | | |
| WASC-17 | Improper Filesystem Permissions | 280 | 17 | 732, 250 | | | |
| WASC-18 | Credential/Session Prediction | 330 | 59 | 330 | A3 - Broken Authentication and Session Management | A7 - Broken Authentication and Session Management | A3 - Broken Authentication and Session Management |
| WASC-19 | SQL Injection | 89 | 66 | 89 | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-20 | Improper Input Handling | 20 | | 20, 73 | | | A1 - Unvalidated Input |
| WASC-21 | Insufficient Anti-Automation | 799, 804 | | | A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access | A2 - Broken Access Control |
| WASC-22 | Improper Output Handling | 116 | | 116 | | | |
| WASC-23 | XML Injection | 91 | 250 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-24 | HTTP Request Splitting | 93 | 105 | | | | |
| WASC-25 | HTTP Response Splitting | 113 | 34 | | | | |
| WASC-26 | HTTP Request Smuggling | 444 | 33 | | | | |
| WASC-27 | HTTP Response Smuggling | 436 | 273 | | | | |
| WASC-28 | Null Byte Injection | 158 | 52 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-29 | LDAP Injection | 90 | 136 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-30 | Mail Command Injection | 88 | 134 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-31 | OS Commanding | 78 | 88 | 78 | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-32 | Routing Detour | 300, 441 | 219 | | | | |
| WASC-33 | Path Traversal | 22 | 126 | 73, 426 | A4 - Insecure Direct Object References | A4 - Insecure Direct Object Reference | A2 - Broken Access Control |
| WASC-34 | Predictable Resource Location | 425 | 87 | | A8 - Failure to Restrict URL Access | A10 - Failure to Restrict URL Access | A2 - Broken Access Control |
| WASC-35 | SOAP Array Abuse | 789 | 256 | | | | A9 - Denial of Service |
| WASC-36 | SSI Injection | 97 | 101 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-37 | Session Fixation | 384 | 61 | 732 | A3 - Broken Authentication and Session Management | A7 - Broken Authentication and Session Management | A3 - Broken Authentication and Session Management |
| WASC-38 | URL Redirector Abuse | 601 | | | A10 - Unvalidated Redirects and Forwards | | |
| WASC-39 | XPath Injection | 643 | 83 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-40 | Insufficient Process Validation | 691 | | | | | |
| WASC-41 | XML Attribute Blowup | 400, 405 | 229 | | | | A9 - Denial of Service |
| WASC-42 | Abuse of Functionality | 227 | 210 | | | | |
| WASC-43 | XML External Entities | 611 | 221 | | | | |
| WASC-44 | XML Entity Expansion | 776 | 197 | | | | A9 - Denial of Service |
| WASC-45 | Fingerprinting | 205 | 224 | | | | |
| WASC-46 | XQuery Injection | 652 | 84 | | A1 - Injection | A2 - Injection Flaws | A6 - Injection Flaws |
| WASC-47 | Insufficient Session Expiration | 613 | 60 | 732 | A3 - Broken Authentication and Session Management | A7 - Broken Authentication and Session Management | A3 - Broken Authentication and Session Management |
| WASC-48 | Insecure Indexing | 612 | | | | | |
| WASC-49 | Insufficient Password Recovery | 640 | 50 | | | | |