Mitigating the WASC Web Security Threat Classification with Apache / Page 2 | WebReference

Mitigating the WASC Web Security Threat Classification with Apache / Page 2


[previous] [next]

Mitigating the WASC Web Security Threat Classification with Apache

Classes of Attack

We will be covering the following classes of attack:

Authentication
Brute Force
Insufficient Authentication
Weak Password Recovery Validation

Authorization
Credential/Session Prediction
Insufficient Authorization
Insufficient Session Expiration
Session Fixation

Command Execution
Buffer Overflow
Format String Attack
LDAP Injection
OS Commanding
SQL Injection
SSI Injection
XPath Injection
Client-Side Attacks
Content Spoofing
Cross-site Scripting

Information Disclosure
Directory Indexing
Information Leakage
Path Traversal
Predictable Resource Location

Logical Attacks
Abuse of Functionality
Denial of Service
Insufficient Anti-Automation
Insufficient Process Validation

Threat Format

The format of the sections is as follows.

Definition

This will provide detailed information as to the scope of the attack and what factors may be involved for an attacker to attempt to exploit a specific vulnerability.

Example

This section will provide some examples of how an attack may work, including possible example code of either an attack script or vulnerable program.

Apache Countermeasures

This section provides example mitigation options utilizing Apache capabilities, and associated modules. The countermeasure sections of this document are not official WASC-supported recommendations. For the initial release of the Threat Classification, it was decided to omit the mitigations section due to the multitude of possible solutions based on the technologies being used. Because we are focusing on Apache as our application of choice, I thought that I would put much of this data back in, with some updates. The recommendations presented are based on my own experiences and lessons learned while teaching the Web Intrusion Detection and Prevention with Apache class for the SANS Institute.

References

This section lists links to further information on the subject.

 

 

 

 

 


[previous] [next]

URL: