This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "SpoC 007 - Attacks Reference Guide - Progress Page"
Revision as of 19:10, 23 July 2007
The Attack Reference Guide is being developed by the NSRAV Security Research group (SpoC 007 - Attacks Reference Guide) and Przemyslaw 'Rezos' Skowron (SpoC 007 - Refresh Attacks list). To avoid overlapping work, the project was divided into three phases comprising the following activities:
- Attack list revision and description
- Attacks categorization
- Research and describe new attacks
Checkpoints and Decisions
Phase 1
- Attack List Revision: Done!
- Attacks Description: 0 of 84 items done!
Phase 2
The attack categorization was based on the Common Attack Pattern Enumeration and Classification (CAPEC, http://capec.mitre.org), since it is maintained by a respected entity and is broad enough to cover all web application attacks.
The categories defined are:
- Abuse of Functionality
- Spoofing
- Probabilistic Techniques
- Exploitation of Authentication
- Resource Depletion
- Exploitation of Privilege/Trust
- Injection (Injecting Control Plane content through the Data Plane)
- Data Structure Attacks
- Data Leakage Attacks
- Resource Manipulation
- Protocol Manipulation
- Time and State Attacks
A threat categorization was also defined, based on the WASC Threat Classification v2 (http://wasc.ptsecurity.ru/wasc/index.php?title=TCv2), which is still under development.
Phase 3
- Research new attacks
- New attacks description