SpoC 007 - Attacks Reference Guide - Progress Page
The Attack reference guide is being developed by NSRAV Security Research group and Przemyslaw 'Rezos' Skowron. In order to avoid work superposition, the project was divided in 3 phases comprising the following activities:
- Attack list revision and description
- Attacks categorization
- Research and describe new attacks
CheckPoints and Decision
- Attack List Revision: Done!
- Attacks Description: 20 of 84 items done!
Phase 2 - DONE!
The attacks categorization was based on Common Attack Pattern Enumeration and Classification - CAPEC, since it is maintained by a respected entity and wide enough to fit all web application attacks.
The categories defined are:
- Abuse of Functionality
- Probabilistic Techniques
- Exploitation of Authentication
- Resource Depletion
- Exploitation of Privilege/Trust
- Injection (Injecting Control Plane content through the Data Plane)
- Data Structure Attacks
- Data Leakage Attacks
- Resource Manipulation
- Protocol Manipulation
- Time and State Attacks
It was also defined the threats categorization based on WASC Threat Classification v2, under development.
- Research new attacks
- New attacks description