SpoC 007 - Attacks Reference Guide - Progress Page

The Attack reference guide is being developed by NSRAV Security Research group and Przemyslaw 'Rezos' Skowron. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:


 * 1) Attack list revision and description
 * 2) Attacks categorization
 * 3) Research and describe new attacks

Phase 1

 * Attack List Revision: Done!
 * Attacks Description: 20 of 84 items done!

Phase 2
The attacks categorization was based on Common Attack Pattern Enumeration and Classification - CAPEC, since it is maintained by a respected entity and wide enough to fit all web application attacks.

The categories defined are:
 * Abuse of Functionality
 * Spoofing
 * Probabilistic Techniques
 * Exploitation of Authentication
 * Resource Depletion
 * Exploitation of Privilege/Trust
 * Injection (Injecting Control Plane content through the Data Plane)
 * Data Structure Attacks
 * Data Leakage Attacks
 * Resource Manipulation
 * Protocol Manipulation
 * Time and State Attacks

It was also defined the threats categorization based on WASC Threat Classification v2, under development.

Phase 3

 * Research new attacks
 * New attacks description