Overview
For many organizations, web sites serve as mission-critical systems
that must operate smoothly to process millions of dollars in daily
online transactions. However, the actual value of a web site needs to
be appraised on a case-by-case basis for each organization. The tangible
and intangible value of anything is difficult to measure in monetary
figures alone.

Web security vulnerabilities continually impact the risk of a web site.
When any web security vulnerability is identified, performing the
attack requires using at least one of several application attack
techniques. These techniques are commonly referred to as the class
of attack (the way a security vulnerability is taken advantage of).
Many of these types of attack have recognizable names such as
Buffer Overflows, SQL Injection, and Cross-site Scripting. As a
baseline, the class of attack is the method the Web Security Threat
Classification will use to explain and organize the threats to a web
site.

The Web Security Threat Classification will compile and distill the
known unique classes of attack that have presented a threat to
web sites in the past. Each class of attack will be given a standard
name and explained with thorough documentation discussing the key
points. Each class will also be organized in a flexible structure.

The formation of a Web Security Threat Classification will be of
exceptional value to application developers, security professionals,
software vendors, or anyone else with an interest in web security.
Independent security review methodologies, secure development
guidelines, and product/service capability requirements will all benefit
from the effort.
Copyright 2004, Web Application Security Consortium. All rights reserved.