[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

Steven M. Christey coley at linus.mitre.org
Wed Jul 15 13:05:04 EDT 2009


On Wed, 15 Jul 2009, Arian J. Evans wrote:

> Session Fixation and HTTP Response Splitting are two more slippery
> ones. Both terms contain *multiple* attack types under their
> definitions, but at least in the case of HTTP/RS describing the
> weakness usually does nothing to explain the attack and implications.

These slippery notions have given us some difficulty in CWE, but we're
starting to make some sense of them.  First is the need to recognize that
many types of weaknesses are actually combinations of multiple issues all
at once ("composites") or sequences of multiple issues ("chains").
Second is our attempt to make many CWE entries more weakness-focused
instead of using the common terminology for the attack - much more
difficult than you'd expect unless you're of the camp that everything is
just an input validation problem.  These are some reasons why XSS/CWE-79
is called "failure to preserve web page structure."

Also, there's a difficult context switch when you start to think about
what an underlying weakness is for a complex type of attack.  Composites
and chains help, but aren't the whole picture.  For example, CSRF
(CWE-352) still has an attack-style name.  There's no real weakness term
available, which isn't a surprise because our current (very faulty) view
is that "the weakness that is exploited by the CSRF attack" is actually a
composite of an "origin validation error," "unintended proxy," and
"external control of critical state data" - yet we're still not fully
capturing how HTTP's stateless design is a major factor.

For the two or three people who are *really* interested, see:

http://cwe.mitre.org/data/reports/chains_and_composites.html

and maybe this:

http://cwe.mitre.org/documents/views/view-comparison.html


- Steve
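The message above describes CWE-352 as a composite of an "origin validation error," an "unintended proxy," and "external control of critical state data." The following is an added example, not code from the email, from MITRE, or from CWE: a minimal server-side CSRF check written so that each guard corresponds to one of those constituent weaknesses. The request and session dictionaries, the `ALLOWED_ORIGINS` set and the `app.example` / `evil.example` hostnames are constructed for illustration and are not from the page.

```python
# Added example: a CSRF check decomposed along the composite weaknesses named
# for CWE-352 (origin validation, unintended proxy, external control of state).
# Request/session shapes, hostnames and ALLOWED_ORIGINS are constructed.
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical application configuration (assumption, not from the page).
ALLOWED_ORIGINS = {"https://app.example"}
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh, unguessable token to the server-side session.

    The token is what the attacker's site cannot obtain: the browser will
    attach the session cookie to any cross-site request on its own (the
    "unintended proxy" in the composite), so a cookie alone proves nothing.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(request: dict) -> Optional[str]:
    """Derive the requesting origin from Origin, falling back to Referer."""
    headers = request["headers"]
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(request: dict, session: dict) -> Tuple[bool, str]:
    """Return (allowed, reason); a state-changing request must pass every guard."""
    if request["method"] in SAFE_METHODS:
        return True, "safe method"

    # Guard 1: origin validation error. Reject state changes whose origin is
    # absent or not one of ours; an absent origin is treated as untrusted.
    origin = _origin_of(request)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return False, "origin not trusted"

    # Guard 2: external control of critical state data. The server keeps its
    # own copy of the token; the value the client supplies must match it.
    # Compare as bytes in constant time so a malformed value cannot raise.
    expected = session.get("csrf_token") or ""
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(
        expected.encode("utf-8"), str(supplied).encode("utf-8")
    ):
        return False, "csrf token missing or mismatched"

    return True, "ok"


def demo() -> list:
    """Run three constructed requests through the check and return the verdicts."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    # Same-site form post carrying the page-embedded token: allowed.
    legit = {"method": "POST",
             "headers": {"Origin": "https://app.example"},
             "form": {"csrf_token": token}}
    # Cross-site post: the browser would still send the cookie, but the
    # origin is foreign and no token is present: rejected.
    forged = {"method": "POST",
              "headers": {"Origin": "https://evil.example"},
              "form": {}}
    # Older client sending only Referer; origin is derived from it: allowed.
    referer_only = {"method": "POST",
                    "headers": {"Referer": "https://app.example/settings"},
                    "form": {"csrf_token": token}}
    return [check_csrf(r, session) for r in (legit, forged, referer_only)]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The point of splitting the check this way is the one the message makes: neither guard on its own is "the" CSRF weakness. Dropping the origin check leaves a handler that trusts any browser the cookie rides along in; dropping the token leaves state fully controlled by whoever can make the browser send a request.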
