Foro de elhacker.net

Seguridad Informática => Nivel Web => Mensaje iniciado por: T0rete en 6 Enero 2010, 22:16 pm


Título: Documentos muy interesantes sobre vulnerabilidades web de el WASC y OWASP
Publicado por: T0rete en 6 Enero 2010, 22:16 pm
Leo en securitybydefault.com que el WASC (Web Application Security Consortium) ha publicado la segunda versión de su clasificación de amenazas web.

http://projects.webappsec.org/Threat-Classification-Enumeration-View

Attacks
 
  • Abuse of Functionality (http://webappsec.pbworks.com/Abuse-of-Functionality)
  • Brute Force (http://webappsec.pbworks.com/Brute-Force)
  • Buffer Overflow (http://webappsec.pbworks.com/Buffer-Overflow)
  • Content Spoofing (http://webappsec.pbworks.com/Content-Spoofing)
  • Credential/Session Prediction (http://webappsec.pbworks.com/Credential-and-Session-Prediction)
  • Cross-Site Scripting (http://webappsec.pbworks.com/Cross-Site+Scripting)
  • Cross-Site Request Forgery (http://webappsec.pbworks.com/Cross-Site-Request-Forgery)
  • Denial of Service (http://webappsec.pbworks.com/Denial-of-Service)
  • Fingerprinting (http://webappsec.pbworks.com/Fingerprinting)
  • Format String (http://webappsec.pbworks.com/Format-String)
  • HTTP Response Smuggling (http://webappsec.pbworks.com/HTTP-Response-Smuggling)
  • HTTP Response Splitting (http://webappsec.pbworks.com/HTTP-Response-Splitting)
  • HTTP Request Smuggling (http://webappsec.pbworks.com/HTTP-Request-Smuggling)
  • HTTP Request Splitting (http://webappsec.pbworks.com/HTTP-Request-Splitting)
  • Integer Overflows (http://webappsec.pbworks.com/Integer-Overflows)
  • LDAP Injection (http://webappsec.pbworks.com/LDAP-Injection)
  • Mail Command Injection (http://webappsec.pbworks.com/Mail-Command-Injection)
  • Null Byte Injection (http://webappsec.pbworks.com/Null-Byte-Injection)
  • OS Commanding (http://webappsec.pbworks.com/OS-Commanding)
  • Path Traversal (http://webappsec.pbworks.com/Path-Traversal)
  • Predictable Resource Location (http://webappsec.pbworks.com/Predictable-Resource-Location)
  • Remote File Inclusion (http://webappsec.pbworks.com/Remote-File-Inclusion) (RFI (http://webappsec.pbworks.com/Remote-File-Inclusion))
  • Routing Detour (http://webappsec.pbworks.com/Routing-Detour)
  • Session Fixation (http://webappsec.pbworks.com/Session-Fixation)
  • SOAP Array Abuse (http://webappsec.pbworks.com/SOAP-Array-Abuse)
  • SSI Injection (http://webappsec.pbworks.com/SSI-Injection)
  • SQL Injection (http://webappsec.pbworks.com/SQL-Injection)
  • URL Redirector Abuse (http://webappsec.pbworks.com/URL-Redirector-Abuse)
  • XPath Injection (http://webappsec.pbworks.com/XPath-Injection)
  • XML Attribute Blowup (http://webappsec.pbworks.com/XML-Attribute-Blowup)
  • XML External Entities (http://webappsec.pbworks.com/XML-External-Entities)
  • XML Entity Expansion (http://webappsec.pbworks.com/XML-Entity-Expansion)
  • XML Injection (http://webappsec.pbworks.com/XML-Injection)
  • XQuery Injection (http://webappsec.pbworks.com/XQuery-Injection)
 

 Weaknesses
 
  • Application Misconfiguration (http://webappsec.pbworks.com/Application-Misconfiguration)
  • Directory Indexing (http://webappsec.pbworks.com/Directory-Indexing)
  • Improper Filesystem Permissions (http://webappsec.pbworks.com/Improper-Filesystem-Permissions)
  • Improper Input Handling (http://webappsec.pbworks.com/Improper-Input-Handling)
  • Improper Output Handling (http://projects.webappsec.org/Improper-Output-Handling)
  • Information Leakage (http://webappsec.pbworks.com/Information-Leakage)
  • Insecure Indexing (http://webappsec.pbworks.com/Insecure-Indexing)
  • Insufficient Anti-automation (http://webappsec.pbworks.com/Insufficient+Anti-automation)
  • Insufficient Authentication (http://webappsec.pbworks.com/Insufficient-Authentication)
  • Insufficient Authorization (http://webappsec.pbworks.com/Insufficient-Authorization)
  • Insufficient Password Recovery (http://projects.webappsec.org/Insufficient-Password-Recovery)
  • Insufficient Process Validation (http://webappsec.pbworks.com/Insufficient-Process-Validation)
  • Insufficient Session Expiration (http://webappsec.pbworks.com/Insufficient-Session-Expiration)
  • Insufficient Transport Layer Protection (http://webappsec.pbworks.com/Insufficient-Transport-Layer-Protection)
  • Server Misconfiguration (http://webappsec.pbworks.com/Server-Misconfiguration)

Me parece una documentación muy util para cualquiera que este interesado en el estudio de las vulnerabilidades web.
También os vuelvo a recordar el documento de la guia de pruebas de la OWASP que tambien considero imprescindible (documento traducido al español).

http://foro.elhacker.net/nivel_web/guia_de_pruebas_de_el_proyecto_abierto_de_seguridad_en_aplicaciones_web_owasp-t261116.0.html

Título: Re: Documentos muy interesantes sobre vulnerabilidades web de el WASC y OWASP
Publicado por: Darioxhcx en 6 Enero 2010, 22:28 pm
interesante che.. gracias por el link ;­D
saludos

Título: Re: Documentos muy interesantes sobre vulnerabilidades web de el WASC y OWASP
Publicado por: AlbertoBSD en 6 Enero 2010, 23:36 pm
Es para tenerse en cuenta.

Saludos

Título: Re: Documentos muy interesantes sobre vulnerabilidades web de el WASC y OWASP
Publicado por: T0rete en 6 Enero 2010, 23:43 pm
Gracias por moverlo Anon, al ir a buscar mi otro post debí confundirme, evidentemente mi intención era postearlo en el foro de Nivel Web

Título: Re: Documentos muy interesantes sobre vulnerabilidades web de el WASC y OWASP
Publicado por: WHK en 7 Enero 2010, 00:30 am
ah genial, ni me habia dado cuenta del otro post xD lo veré, gracias.

Título: Re: Documentos muy interesantes sobre vulnerabilidades web de el WASC y OWASP
Publicado por: RON06 en 7 Enero 2010, 10:57 am
Muy buen aporte  ;D

Saludos!!!


Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines