

Using the Threat Classification

Page history last edited by Robert Auger 11 years, 4 months ago


The Threat Classification v2.0 outlines the attacks and weaknesses that can lead to the compromise of a website, its data, or its users. This document primarily serves as a reference guide for each given attack or weakness and provides examples of each issue as well as helpful reference material. This document is utilized by many organizations and is typically used in the following ways.


Reference material

The TC is created and reviewed by industry experts with years of experience. Its primary use is as a reference guide that can be cited in security reports, security defect tickets, presentations, and more. TC content appears in numerous books, security products, and third-party security classification systems. The following is a partial list of companies and products utilizing the Threat Classification:


  • IBM (AppScan)
  • HP (Webinspect)
  • WhiteHat Security (Sentinel)
  • Positive Technologies (MaxPatrol) and Services
  • Qualys (QualysGuard Web Application Scanning)
  • F5 (Application Security Manager)
  • HoneyApps (Conduit)
  • OWASP Code Crawler 2.5
  • OWASP ModSecurity Core Rule Set Project
  • OWASP Appsensor Project
  • Verizon (Verizon Incidents Metrics Framework)
  • Mitre (CAPEC and CWE Projects)
  • Andiparos
  • Zaproxy



Security Assessment Checklist:

If you are performing a security review against an application, the TC serves as an enumeration of the threats from which you can build a security focus/test plan.


Bug tracking:

One way people use this document is to gather metrics on the security defects affecting their organization. When filing security defects into your bug tracking system, tag each bug with the TC weakness or attack it corresponds to; you can then measure how often specific threats recur in your organization.


If you have another use for the TC not outlined here please contact us (contact @ webappsec.org) with the subject ‘WASC Threat Classification Inquiry’, we'd love to hear from you.

