April 29, 2010

WASC WSTCv2 Mapping Proposal

While completing vulnerability statistics about Russian web applications in 2009 (its issue date is too late this year) [1,2,3 in Russian], I suddenly realized that there's no comparison between WASC WSTCv2 and SANS/CWE Top 25 2010 vulnerability titles. As there's no such comparison on the official resource [4], I suggest my own version.


| Rank | Score | CWE ID | CWE/SANS NAME | WASC NAME | WASC ID |
|------|-------|--------|---------------|-----------|---------|
| [1] | 346 | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Cross-Site Scripting | WASC-08 |
| [2] | 330 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | SQL Injection | WASC-19 |
| [3] | 273 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Buffer Overflow | WASC-07 |
| [4] | 261 | CWE-352 | Cross-Site Request Forgery (CSRF) | Cross-site Request Forgery | WASC-09 |
| [5] | 219 | CWE-285 | Improper Access Control (Authorization) | Insufficient Authorization | WASC-02 |
| [6] | 202 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Insufficient Authorization | WASC-02 |
| [7] | 197 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Path Traversal | WASC-33 |
| [8] | 194 | CWE-434 | Unrestricted Upload of File with Dangerous Type | | |
| [9] | 188 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | OS Commanding | WASC-31 |
| [10] | 188 | CWE-311 | Missing Encryption of Sensitive Data | Insufficient Transport Layer Protection | WASC-04 |
| [11] | 176 | CWE-798 | Use of Hard-coded Credentials | | |
| [12] | 158 | CWE-805 | Buffer Access with Incorrect Length Value | Buffer Overflow | WASC-07 |
| [13] | 157 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | Path Traversal | WASC-33 |
| [14] | 156 | CWE-129 | Improper Validation of Array Index | | |
| [15] | 155 | CWE-754 | Improper Check for Unusual or Exceptional Conditions | | |
| [16] | 154 | CWE-209 | Information Exposure Through an Error Message | Information Leakage | WASC-13 |
| [17] | 154 | CWE-190 | Integer Overflow or Wraparound | Integer Overflows | WASC-03 |
| [18] | 153 | CWE-131 | Incorrect Calculation of Buffer Size | Buffer Overflow | WASC-07 |
| [19] | 147 | CWE-306 | Missing Authentication for Critical Function | Insufficient Authentication | WASC-01 |
| [20] | 146 | CWE-494 | Download of Code Without Integrity Check | Remote File Inclusion | WASC-05 |
| [21] | 145 | CWE-732 | Incorrect Permission Assignment for Critical Resource | Improper Filesystem Permissions | WASC-17 |
| [22] | 145 | CWE-770 | Allocation of Resources Without Limits or Throttling | Denial of Service | WASC-10 |
| [23] | 142 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | URL Redirector Abuse | WASC-38 |
| [24] | 141 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Credential/Session Prediction | WASC-18 |
| [25] | 138 | CWE-362 | Race Condition | Insufficient Process Validation | WASC-40 |
