[Owasp-leaders] Common web application vulnerability naming standard

Dave Wichers dave.wichers at aspectsecurity.com
Wed Nov 17 08:48:25 EST 2010

Check out MITRE's CWE (Common Weakness Enumeration)
(http://cwe.mitre.org/). That's much more detailed but not web focused.
It 'may' have stuff you can use/extract, or maybe you could work with
them to get CWE to provide what you want without creating yet another


I have cc'd Steve Christey who is heavily involved in that project at


I also wonder how this list of 'vulnerabilities' would correlate to the
'requirements' listed in the OWASP ASVS? I wonder if OWASP could use
that as a guide for such a taxonomy.




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel
Sent: Wednesday, November 17, 2010 5:45 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Common web application vulnerability


Yes and no. Whilst the WASC Threat Classification is indeed a step in
the right direction, it's still incredibly high-level.


Take WASC-01: Insufficient Authentication.


Now this is great, it gives the viewer a better understanding of the
initial high-level issue with authentication but falls short of
explaining the vulns normally found such as:


- user enumeration via the authentication mechanism
- information leakage via the forgotten password function
- DoS attacks aimed at account lockout procedure

and so on.


I guess what I want doesn't currently exist in the public domain. I know
many have a private one, so this seems like a great time to start said



On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org>

WASC Threat Classification?


On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:

> hey Leaders,
> I'm busy with potentially a new project for OWASP that tries to create
> a standard set of web app vulnerability names to be used during the
> reporting phase. In most cases, we all find the same issues but differ
> when it comes to the approach taken when reporting them. I feel that
> this sometimes has the ability to confuse clients, especially those
> using multiple vendors to perform assessments.
> With this in mind, can anyone share links of common web application
> vulnerability lists they know of? I'm trying to build up as many sources
> before I try and build up an OWASP document.
> Merce,
> Daniel

> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

