Background
Over the last several years, the web security industry has adopted
dozens of confusing and esoteric terms describing vulnerability
research. Terms such as Cross site Scripting, Parameter Tampering,
and Cookie Poisoning have all been given inconsistent names and
double meanings attempting to describe their impact.
For example, when a web site is vulnerable to Cross site Scripting,
the security issue can result in the theft of a user's cookie. Once the
cookie has been compromised, this enables someone to perform
session hijacking and take over the user's online account. To take
advantage of the vulnerability, an attacker uses data input
manipulation by way of URL parameter tampering.
The preceding attack description is confusing and can be described
using all manner of technical jargon. This complex and
interchangeable vocabulary causes frustration and disagreement in
open forums, even when the participants agree on the core concepts.
Through the years, there has been no well documented,
standardized, complete, or accurate resource describing these
issues. In doing our work, we've relied upon tidbits of information
from a handful of books, dozens of white papers and hundreds of
presentations.
When web security newcomers arrive to study the field, they quickly become
overwhelmed and confused by the lack of a standard language.
This confusion traps the web security field in a blur and slows
ongoing progress. We need a formal, standardized approach to
discuss web security issues as we continue to improve the security of
the Web.
Copyright 2004, Web Application Security Consortium. All rights reserved.