List: owasp-dotnet
Subject: [Owasp-dotnet] Web Security Threat Classification
From: "Dinis Cruz" <dinis () ddplus ! net>
Date: 2005-10-15 20:25:56
Message-ID: 384be4a22a844528884dad407359e63e () ddplus ! net
FYI, http://www.webappsec.org/projects/threat/
"...The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues..."
"...
Classes of Attack
Abuse of Functionality
Brute Force
Buffer Overflow
Content Spoofing
Credential/Session Prediction
Cross-site Scripting
Denial of Service
Directory Indexing
Format String Attack
Information Leakage
Insufficient Anti-automation
Insufficient Authentication
Insufficient Authorization
Insufficient Process Validation
Insufficient Session Expiration
LDAP Injection
OS Commanding
Path Traversal
Predictable Resource Location
Session Fixation
SQL Injection
SSI Injection
Weak Password Recovery Validation
XPath Injection
* Fingerprinting
* HTTP Response Splitting
..."
[Dinis again]
Where is 'Insecure RunTime environment' or 'poor sandbox'?
80% to 90% of these 'classes of attack' would be 'simple' bugs if the malicious request was executed in a 'secure run-time environment'
Dinis Cruz
Owasp-dotNet
_______________________________________________
Owasp-dotnet mailing list
Owasp-dotnet@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-dotnet