[Owasp-leaders] Common web application vulnerability naming standard

daniel cuthbert daniel.cuthbert at owasp.org
Wed Nov 17 05:44:38 EST 2010


Yes and no. Whilst the WASC Threat Classification is indeed a step in the
right direction, it's still incredibly high-level.

Take WASC-01: Insufficient Authentication.

Now this is great, it gives the viewer a better understanding of the initial
high-level issue with authentication but falls short of explaining the vulns
normally found such as:

- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at account lockout procedure
 and so on.

I guess what I want doesn't currently exist in the public domain. I know
many have a private one, so this seems like a great time to start said
project.



On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org> wrote:

>
> WASC Threat Classification?
>
> http://projects.webappsec.org/w/page/13246978/Threat-Classification
>
> On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:
>
> > hey Leaders,
> >
> > I'm busy with potentially a new project for OWASP that tries to create a
> > standard set of web app vulnerability names to be used during the reporting
> > phase. In most cases, we all find the same issues but differ when it comes
> > to the approach taken when reporting them. I feel that this sometimes has
> > the ability to confuse clients, especially those using multiple vendors to
> > perform assessments.
> >
> > With this in mind, can anyone share links of common web application
> > vulnerability lists they know of? I'm trying to build up as many sources
> > before I try and build up an OWASP document.
> >
> > Merce,
> >
> > Daniel
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>