• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


Threat Classification

This version was saved 14 years, 7 months ago View current version     Page history
Saved by Robert Auger
on December 18, 2009 at 5:05:43 pm

WASC Threat Classification v2.0


"The Threat Classification is an effort to classify the weaknesses, and attacks that can lead to the compromise of a website, its data, or its users."



The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues.


Threat Classification Frequently Asked Questions

We have published an FAQ addressing commonly asked questions about the Threat Classification. We have also created an entry discussing the need for a new direction for the Threat Classification.


Threat Classification Terminology

Terminology is particularly important so we've created a page outlining the definitions used throughout this document.


Using the Threat Classification

Information on how the threat classification can be used may be found here


Threat Classification 'Views'

The TCv2 has introduced the concept of 'Views' allowing for various ways to represent the attacks and weaknesses listed within the TC. A list of Threat Classification Views can be found here.


Threat Classification Reference Grid

The Threat Classification Reference Grid was created to allow individuals and products to reference particular Threat Classification sections with a static identifier.


Threat Classification Team

The list of authors and contributors can be found at our Authors and Contributors page.


Contacting WASC

Questions may be directed to Robert Auger (contact @ webappsec.org).




WASC Threat Classification 'Enumeration View'

The below grid outlines the 'Threat Classification Enumeration View', WASC's core TC view. Additional views can be found at the Threat Classification Views section.


Attacks Weaknesses
Abuse of Functionality Application Misconfiguration
Brute Force Directory Indexing
Buffer Overflow Improper Filesystem Permissions
Content Spoofing Improper Input Handling
Credential/Session Prediction

Improper Output Handling

Cross-Site Scripting Information Leakage
Cross-Site Request Forgery

Insecure Indexing

Denial of Service Insufficient Anti-automation
Fingerprinting Insufficient Authentication
Format String Insufficient Authorization
HTTP Response Smuggling Insufficient Process Validation
HTTP Response Splitting Insufficient Session Expiration
HTTP Request Smuggling Insufficient Transport Layer Protection
HTTP Request Splitting Server Misconfiguration
Integer Overflows
LDAP Injection  
Mail Command Injection  
Null Byte Injection  
OS Commanding


Path Traversal  
Predictable Resource Location  
Remote File Inclusion (RFI)  
Routing Detour
Session Fixation  
SOAP Array Abuse  
SSI Injection  
SQL Injection  
URL Redirector Abuse   
XPath Injection  
XML Attribute Blowup  
XML External Entities  
XML Entity Expansion   
XML Injection  
XQuery Injection  


                            Working sections (Incomplete sections)


Improper Output Handling



WASC Threat Classification V1.0

Version 1 of the WASC Threat Classification can be found on our previous versions page.


Comments (0)

You don't have permission to comment on this page.