WASC WSTCv2 Mapping Proposal

While completing vulnerability statistics about Russian web applications in 2009 (it\’s issued date is too late this year) [1,2,3 in Russian], I suddenly realize that there\’s no comparison between WASC WSTCv2 and SANS/CWE Top 25 2010 vulnerability titles. As there\’s No such comparison on the official resource [4], I suggest my own version.

[1] 346 CWE-79 Failure to Preserve Web Page Structure (\’Cross-site Scripting\’) Cross-Site Scripting WASC-08
[2] 330 CWE-89 Improper Sanitization of Special Elements used in an SQL Command (\’SQL Injection\’) SQL Injection WASC-19
[3] 273 CWE-120 Buffer Copy without Checking Size of Input (\’Classic Buffer Overflow\’) Buffer Overflow WASC-07
[4] 261 CWE-352 Cross-Site Request Forgery (CSRF) Cross-site Request Forgery WASC-09
[5] 219 CWE-285 Improper Access Control (Authorization) Insufficient Authorization WASC-02
[6] 202 CWE-807 Reliance on Untrusted Inputs in a Security Decision Insufficient Authorization WASC-02
[7] 197 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\’Path Traversal\’) Path Traversal WASC-33
[8] 194 CWE-434 Unrestricted Upload of File with Dangerous Type
[9] 188 CWE-78 Improper Sanitization of Special Elements used in an OS Command (\’OS Command Injection\’) OS Commanding WASC-31
[10] 188 CWE-311 Missing Encryption of Sensitive Data Insufficient Transport Layer Protection WASC-04
[11] 176 CWE-798 Use of Hard-coded Credentials
[12] 158 CWE-805 Buffer Access with Incorrect Length Value Buffer Overflow WASC-07
[13] 157 CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\’PHP File Inclusion\’) Path Traversal WASC-33
[14] 156 CWE-129 Improper Validation of Array Index
[15] 155 CWE-754 Improper Check for Unusual or Exceptional Conditions
[16] 154 CWE-209 Information Exposure Through an Error Message Information Leakage WASC-13
[17] 154 CWE-190 Integer Overflow or Wraparound Integer Overflows WASC-03
[18] 153 CWE-131 Incorrect Calculation of Buffer Size Buffer Overflow WASC-07
[19] 147 CWE-306 Missing Authentication for Critical Function Insufficient Authentication WASC-01
[20] 146 CWE-494 Download of Code Without Integrity Check Remote File Inclusion WASC-05
[21] 145 CWE-732 Incorrect Permission Assignment for Critical Resource Improper Filesystem Permissions WASC-17
[22] 145 CWE-770 Allocation of Resources Without Limits or Throttling Denial of Service WASC-10
[23] 142 CWE-601 URL Redirection to Untrusted Site (\’Open Redirect\’) URl Redirector Abuse WASC-38
[24] 141 CWE-327 Use of a Broken or Risky Cryptographic Algorithm Credential/Session Prediction WASC-18
[25] 138 CWE-362 Race Condition Insufficient Process Validation WASC-40

One thought on “WASC WSTCv2 Mapping Proposal

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.