Threat Classification 'Development Phase View'

This WASC Threat Classification view was created to loosely outline where in the development lifecycle a particular type of vulnerability is likely to be introduced. This view was created in an attempt identify common root occurrences/development phases for vulnerability introduction, and does not attempt to address improperly patched servers, or enumeration of edge cases. This view makes use of many to many relationships.

Definitions

Design: Covers vulnerabilities that are likely to be introduced due to a lack of mitigations specified in the software design/requirements, or due to a poorly/improperly defined design/requirement.

Implementation: Covers vulnerabilities that are likely to be introduced due to a poor choice of implementation.

Deployment: Covers vulnerabilities that are likely to be introduced due to poor deployment procedures, or bad application/server configurations.

Grid Representation:

Tree Representation:

Design

• Abuse of Functionality
• Brute Force
• Cross-Site Request Forgery
• Denial of Service
• Information Leakage
• Insufficient Anti-automation
• Insufficient Authentication
• Insufficient Authorization
• Insufficient Password Recovery
• Insufficient Process Validation
• Insufficient Session Expiration
• Insufficient Transport Layer Protection
• URL Redirector Abuse

Implementation

• Application Misconfiguration
• Buffer Overflow
• Content Spoofing
• Credential/Session Prediction
• Cross-Site Scripting
• Cross-Site Request Forgery
• Denial of Service
• Format String
• HTTP Request Splitting
• HTTP Request Smuggling
• HTTP Response Smuggling
• HTTP Response Splitting
• Improper Filesystem Permissions
• Improper Input Handling
• Improper Output Handling
• Information Leakage
• Insecure Indexing
• Insufficient Anti-automation
• Insufficient Authentication
• Insufficient Authorization
• Insufficient Password Recovery
• Insufficient Process Validation
• Insufficient Session Expiration
• Insufficient Transport Layer Protection
• Integer Overflows
• LDAP Injection
• Mail Command Injection
• Null Byte Injection
• OS Commanding
• Path Traversal
• Predictable Resource Location
• Remote File Inclusion (RFI)
• SOAP Array Abuse
• SSI Injection
• Session Fixation
• SQL Injection
• XPath Injection
• XML Attribute Blowup
• XML External Entities
• XML Entity Expansion
• XML Injection
• XQuery Injection
• URL Redirector Abuse

Deployment

• Application Misconfiguration
• Directory Indexing
• Improper Filesystem Permissions
• Information Leakage
• Insecure Indexing
• Insufficient Session Expiration
• Insufficient Transport Layer Protection
• Predictable Resource Location
• Remote File Inclusion (RFI)
• Routing Detour
• Server Misconfiguration
• Session Fixation