Difference between revisions of "SpoC 007 - Attacks Reference Guide - Progress Page"

From OWASP
(Phase 2 - DONE!)
(Work Done)
Line 95: Line 95:
 
Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).
 
Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).
  
* [[Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29]] - ([http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&diff=20797&oldid=6053 diff] , [http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&action=history history])
+
* [[Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29]] - ([http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&diff=23056&oldid=6053 diff] , [http://www.owasp.org/index.php?title=Direct_Dynamic_Code_Evaluation_%28%27Eval_Injection%27%29&action=history history])
  
* [[Direct_Static_Code_Injection]] - ([http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&diff=22071&oldid=5711 diff] , [http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&action=history history])
+
* [[Direct_Static_Code_Injection]] - ([http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&diff=23057&oldid=5711 diff] , [http://www.owasp.org/index.php?title=Direct_Static_Code_Injection&action=history history])
  
* [[Double_Encoding]] - ([http://www.owasp.org/index.php?title=Double_Encoding&diff=20712&oldid=5740 diff] , [http://www.owasp.org/index.php?title=Double_Encoding&action=history history])
+
* [[Double_Encoding]] - ([http://www.owasp.org/index.php?title=Double_Encoding&diff=23058&oldid=5740 diff] , [http://www.owasp.org/index.php?title=Double_Encoding&action=history history])
  
* [[Forced_browsing]] - ([http://www.owasp.org/index.php?title=Forced_browsing&diff=20649&oldid=19889 diff] , [http://www.owasp.org/index.php?title=Forced_browsing&action=history history])
+
* [[Forced_browsing]] - ([http://www.owasp.org/index.php?title=Forced_browsing&diff=23060&oldid=19889 diff] , [http://www.owasp.org/index.php?title=Forced_browsing&action=history history])
  
* [[Format_string_attack]] - ([http://www.owasp.org/index.php?title=Format_string_attack&diff=22173&oldid=7393 diff] , [http://www.owasp.org/index.php?title=Format_string_attack&action=history history])
+
* [[Format_string_attack]] - ([http://www.owasp.org/index.php?title=Format_string_attack&diff=23065&oldid=7393 diff] , [http://www.owasp.org/index.php?title=Format_string_attack&action=history history])
  
* [[LDAP_injection]] - ([http://www.owasp.org/index.php?title=LDAP_injection&diff=20874&oldid=10830 diff] , [http://www.owasp.org/index.php?title=LDAP_injection&action=history history])
+
* [[LDAP_injection]] - ([http://www.owasp.org/index.php?title=LDAP_injection&diff=23067&oldid=10830 diff] , [http://www.owasp.org/index.php?title=LDAP_injection&action=history history])
  
* [[Man-in-the-middle_attack]] - ([http://www.owasp.org/index.php?title=Man-in-the-middle_attack&diff=21145&oldid=18290 diff] , [http://www.owasp.org/index.php?title=Man-in-the-middle_attack&action=history history])
+
* [[Man-in-the-middle_attack]] - ([http://www.owasp.org/index.php?title=Man-in-the-middle_attack&diff=23075&oldid=18290 diff] , [http://www.owasp.org/index.php?title=Man-in-the-middle_attack&action=history history])
  
* [[Mobile_code:_invoking_untrusted_mobile_code]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_invoking_untrusted_mobile_code&diff=22072&oldid=6035 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&action=history history history])
+
* [[Mobile_code:_invoking_untrusted_mobile_code]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_invoking_untrusted_mobile_code&diff=23077&oldid=6035 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_invoking_untrusted_mobile_code&action=history history history])
  
* [[Mobile_code:_non-final_public_field]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_non-final_public_field&diff=22725&oldid=6036 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_non-final_public_field&action=history history])
+
* [[Mobile_code:_non-final_public_field]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_non-final_public_field&diff=23079&oldid=6036 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_non-final_public_field&action=history history])
  
* [[Mobile_code:_object_hijack]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_object_hijack&diff=22727&oldid=6040 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_object_hijack&action=history history])
+
* [[Mobile_code:_object_hijack]] - ([http://www.owasp.org/index.php?title=Mobile_code%3A_object_hijack&diff=23082&oldid=6040 diff] , [http://www.owasp.org/index.php?title=Mobile_code:_object_hijack&action=history history])
  
* [[Parameter_Delimiter]] - ([http://www.owasp.org/index.php?title=Parameter_Delimiter&diff=21449&oldid=6190 diff] , [http://www.owasp.org/index.php?title=Parameter_Delimiter&action=history history])
+
* [[Parameter_Delimiter]] - ([http://www.owasp.org/index.php?title=Parameter_Delimiter&diff=23084&oldid=6190 diff] , [http://www.owasp.org/index.php?title=Parameter_Delimiter&action=history history])
 
 
 
* [[Path_Manipulation]] - ([http://www.owasp.org/index.php?title=Path_Manipulation&diff=22073&oldid=7983 diff] , [http://www.owasp.org/index.php?title=Path_Manipulation&action=history history])
 
* [[Path_Manipulation]] - ([http://www.owasp.org/index.php?title=Path_Manipulation&diff=22073&oldid=7983 diff] , [http://www.owasp.org/index.php?title=Path_Manipulation&action=history history])
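Review bot: the Mobile_code:_invoking_untrusted_mobile_code entry still carries the doubled link label "history history" on the new side; only the diff id changed (22072 to 23077), so the typo is carried into this revision. Drop the repeated word so the entry matches the others. Separately, the trailing Path_Manipulation entry keeps diff=22073 while every changed entry above received a new diff id, so confirm it was meant to stay as is.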

Revision as of 11:25, 5 November 2007



The Attack reference guide is being developed by NSRAV Security R&D and Przemyslaw 'Rezos' Skowron. To avoid overlapping work, the project was divided into 3 phases comprising the following activities:

  1. Attack list revision and description (75% of the project)
  2. Attacks categorization (40% of the project)
  3. Research and describe new attacks (80% of the project)

Total project status: 90% Done!

CheckPoints and Decision

Phase 1 - 90% Done

  • Attack List Revision: Done!

Total number of items on the Attack Guide: 91!

We noticed that the Attack reference guide was previously defined based on CWE - Common Weakness Enumeration, which defines global software weaknesses and threats. To develop an Attack reference guide focused on Web application attacks, we reviewed the list and marked some items to be removed from it. The contents of generic or redundant items were used in the descriptions of some items, and those generic or redundant items were marked to be removed too.

Items considered for removal from the attack list: 30 items, as follows:

Phase 2 - DONE!

The attack categorization was based on Common Attack Pattern Enumeration and Classification - CAPEC, since it is maintained by a respected entity and is broad enough to fit all web application attacks.

The categories defined are:

The threat categorization was also defined, based on WASC Threat Classification v2, under development.

Phase 3

Research and Description of new attacks (under revision):

Work Done

Note: these links were inserted here by Dinis Cruz from the OWASP-NSRAV.zip file.

Note2: Other items inserted and sorted by name by Leonardo Cavallari (NSRAV).


by Przemyslaw 'rezos' Skowron (20071025 - part I - first 50%)

by Przemyslaw 'rezos' Skowron (20071104 - part II - second 50%)

NEW ITEMS - 20071104 (by Przemyslaw 'rezos' Skowron):