
Difference between revisions of "SpoC 007 - Attacks Reference Guide - Progress Page"

From OWASP
Revision as of 19:10, 23 July 2007

The Attack Reference Guide is being developed by the NSRAV Security Research group (SpoC 007 - Attacks Reference Guide) and Przemyslaw 'Rezos' Skowron (SpoC 007 - Refresh Attacks list). To avoid overlapping work, the project was divided into three phases comprising the following activities:

  1. Attack list revision and description
  2. Attacks categorization
  3. Research and describe new attacks

Checkpoints and Decisions

Phase 1

  • Attack List Revision: Done!
  • Attacks Description: 0 of 84 items done!

Phase 2

The attack categorization is based on MITRE's Common Attack Pattern Enumeration and Classification (CAPEC), since it is maintained by a respected entity and is broad enough to cover all web application attacks.

The categories defined are:

  • Abuse of Functionality
  • Spoofing
  • Probabilistic Techniques
  • Exploitation of Authentication
  • Resource Depletion
  • Exploitation of Privilege/Trust
  • Injection (Injecting Control Plane content through the Data Plane)
  • Data Structure Attacks
  • Data Leakage Attacks
  • Resource Manipulation
  • Protocol Manipulation
  • Time and State Attacks

A threat categorization was also defined, based on the WASC Threat Classification v2, which was still under development at the time.

Phase 3

  • Research new attacks
  • New attacks description