[Owasp-leaders] Common web application vulnerability naming standard
daniel.cuthbert at owasp.org
Wed Nov 17 05:44:38 EST 2010
Yes and no. Whilst the WASC Threat Classification is indeed a step in the
right direction, it's still incredibly high-level.
Take WASC-01: Insufficient Authentication.
Now this is great, it gives the viewer a better understanding of the initial
high-level issue with authentication but falls short of explaining the vulns
normally found such as:
- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at account lockout procedure
and so on.
I guess what I want doesn't currently exist in the public domain. I know
many have a private one, so this seems like a great time to start said
On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org> wrote:
> WASC Threat Classification?
> On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:
> > hey Leaders,
> > I'm busy with potentially a new project for OWASP that tries to create a
> > standard set of web app vulnerability names to be used during the reporting
> > phase. In most cases, we all find the same issues but differ when it comes
> > to the approach taken when reporting them. I feel that this sometimes has
> > the ability to confuse clients, especially those using multiple vendors to
> > perform assessments.
> > With this in mind, can anyone share links of common web application
> > vulnerability lists they know of? I'm trying to build up as many sources
> > before I try and build up an OWASP document.
> > Merci,
> > Daniel
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders