WASC Threat Classification
What it is — The Web Application Security Consortium (WASC) Threat Classification is a cooperative effort to classify web application security threats. It provides a standardized taxonomy for vulnerabilities, attacks, and weaknesses that affect web applications. While the WASC project is no longer actively maintained, the classification remains a useful reference for categorizing web security issues.
Appsec relevance — WASC is entirely focused on web application security. It categorizes threats into attacks, weaknesses, and information leakage — all within the scope of DAST testing.
How Detectify Supports WASC
| WASC Category | What it covers | How Detectify tests for it | Key CWEs | Coverage level |
|---|---|---|---|---|
| Client-Side Attacks (XSS, CSRF, content spoofing) | Attacks that target the end user’s browser via the vulnerable application | Cross-site scripting and CSRF detection with payload validation | CWE-79, CWE-352 | Full |
| Command Execution (SQL, OS, LDAP, XPath injection) | Server-side injection attacks that execute attacker-controlled commands or queries | Comprehensive injection testing across multiple injection types | CWE-89, CWE-78, CWE-90, CWE-91 | Full |
| Information Disclosure (directory listing, error messages, source disclosure) | Application inadvertently reveals sensitive data such as source code, credentials, or internal paths | Broad information exposure detection including verbose errors, directory listings, and sensitive file detection | CWE-200, CWE-548, CWE-209, CWE-538 | Full |
| Authentication (brute force, credential testing, session fixation) | Weaknesses in verifying user identity, including insufficient credential complexity and session handling | Authentication bypass, default credentials, session management testing | CWE-287, CWE-306, CWE-613 | Partial |
| Authorization (path traversal, privilege escalation) | Failures in enforcing access controls, allowing users to reach resources they should not access | Path traversal and access control testing | CWE-22, CWE-23, CWE-284 | Full |
| Logical Attacks (SSRF, open redirect, abuse of functionality) | Misuse of legitimate application features for unintended purposes | SSRF and open redirect detection with payload validation | CWE-918, CWE-601 | Full |
| Denial of Service / Buffer Overflow | Attacks that consume resources or corrupt memory to disrupt service availability | Not a primary focus of DAST — limited to detection of resource exhaustion indicators | CWE-400 | Limited |
What Detectify Covers
Detectify provides full coverage for the majority of WASC threat categories, with strong results for command execution, client-side attacks, information disclosure, authorization, and logical attacks. Coverage of authentication threats is partial: Detectify tests externally observable behaviors (authentication bypass, default credentials, session management) but cannot replace dedicated testing of the authentication infrastructure itself. DoS and buffer overflow testing is limited, as these are not the primary focus of web application DAST.
Complementary Tools You May Need
- Dedicated authentication testing — For comprehensive brute force and credential stuffing analysis
- Load testing tools — For denial of service resilience testing
- SAST — For buffer overflow and memory corruption analysis in compiled components
- WAF — For runtime protection against the attack categories WASC describes