
Threat Classification

WASC Announcement: WASC Threat Classification v2.0 Published

The Web Application Security Consortium (WASC) is pleased to announce the long-awaited release of the WASC
Threat Classification v2.0. The Threat Classification is an effort to classify the weaknesses and attacks
that can lead to the compromise of a website, its data, or its users. This document's primary purpose is
to serve as a reference guide for common attacks and weaknesses.

Main goals
- Refine document scope, terminology, and purpose
- Update existing sections when applicable
- Add missing attacks and weaknesses
- Creation of a firm, scalable base foundation allowing for the introduction of data views allowing for various 

Latest web hacking incidents

WHID 2007-48: MSU investigating hacking incident
        Reported: 17 October 2007
        Occurred: 09 October 2007
        Incident Type: Security Breach
        WASC Threat Classification: Unknown 

Information including birth date and social security number of 1400
students who enrolled online to the Montana State University has been
stolen by hackers. While no technical explanation is provided, the fact
that only students who enrolled online were affected points to a web

Re: Vulnerability in CB Captcha for Joomla and Mambo

It's not a serious statement. This is a class of vulnerability that has been
known for a long time. If you haven't read the WASC TC yet, then you'd better read it.

First, this is an Insufficient Anti-automation vulnerability. The class
Insufficient Anti-automation is listed in WASC Threat Classification v1
(released in 2004) and in Threat Classification v2 (released in 2010). In TC
v2 it's also referenced as WASC-21.

Second, this attack is directed at the site. This hole doesn't belong to
Client-side Attacks (TC v.1), but to Logical Attacks (TC v.1) and is using



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
