Checklist
Authentication
1. Brute Force
A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit card number or cryptographic key.
2. Insufficient Authentication
Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate.
3. Weak Password Recovery Validation
Weak Password Recovery Validation is when a web site permits an attacker to illegally obtain, change or recover another user's password.
Authorization
4. Credential/Session Prediction
Credential/Session Prediction is a method of hijacking or impersonating a web site user.
5. Insufficient Authorization
Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions.
6. Insufficient Session Expiration
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
7. Session Fixation
Session Fixation is an attack technique that forces a user's session ID to an explicit value.
Client-side Attacks
8. Content Spoofing
Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.
9. Cross-site Scripting
Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.
Command Execution
Copyright 2004, Web Application Security Consortium. All rights reserved.