

Using the Threat Classification

Page history last edited by Robert Auger 13 years, 3 months ago


The Threat Classification v2.0 outlines the attacks and weaknesses that can lead to the compromise of a website, its data, or its users. This document primarily serves as a reference guide for each given attack or weakness and provides examples of each issue as well as helpful reference material. This document is utilized by many organizations and is typically used in the following ways.


Reference material

The TC is created and reviewed by industry experts with years of experience. Its primary use is as a reference guide that can be cited in security reports, security defect tickets, presentations, and more. The TC content appears in numerous books, security products, and third-party security classification systems. The following is a partial list of companies and products utilizing the Threat Classification.


  • IBM (AppScan)
  • HP (Webinspect)
  • WhiteHat Security (Sentinel)
  • Positive Technologies (MaxPatrol) and Services
  • Qualys (QualysGuard Web Application Scanning)
  • F5 (Application Security Manager)
  • HoneyApps (Conduit)
  • OWASP Code Crawler 2.5
  • OWASP ModSecurity Core Rule Set Project
  • OWASP Appsensor Project
  • Verizon (Verizon Incidents Metrics Framework)
  • Mitre (CAPEC and CWE Projects)
  • Andiparos
  • Zaproxy



Security Assessment Checklist:

If you are performing a security review against an application, the TC serves as an enumeration of the threats to consider, which can be used to build a security focus/test plan.


Bug tracking:

One way people use this document is to gather metrics on the security defects affecting their organization. When filing security defects into your bug tracking system, you can tag each bug with the relevant weakness or attack from the TC, which lets you measure the frequency of specific threats to your organization.


If you have another use for the TC not outlined here, please contact us (contact @ webappsec.org) with the subject ‘WASC Threat Classification Inquiry’. We'd love to hear from you.

