Difference between revisions of "SpoC 007 - Attacks Reference Guide - Progress Page"

Revision as of 19:12, 23 July 2007

The Attack reference guide is being developed by NSRAV Security Research group and Przemyslaw 'Rezos' Skowron. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:

1. Attack list revision and description
2. Attacks categorization
3. Research and describe new attacks

CheckPoints and Decision

Phase 1

• Attack List Revision: Done!
• Attacks Description: 0 of 84 items done!

Phase 2

The attacks categorization was based on Common Attack Pattern Enumeration and Classification - CAPEC, since it is maintained by a respected entity and wide enough to fit all web application attacks.

The categories defined are:

• Abuse of Functionality
• Spoofing
• Probabilistic Techniques
• Exploitation of Authentication
• Resource Depletion
• Exploitation of Privilege/Trust
• Injection (Injecting Control Plane content through the Data Plane)
• Data Structure Attacks
• Data Leakage Attacks
• Resource Manipulation
• Protocol Manipulation
• Time and State Attacks

It was also defined the threats categorization based on WASC Threat Classification v2, under development.

Phase 3

• Research new attacks
• New attacks description