WASSEC


Summary

The Web Application Security Scanner Evaluation Criteria (WASSEC), published by the Web Application Security Consortium (WASC), is a set of guidelines for evaluating web application security scanners on how effectively they test web applications and identify vulnerabilities. It covers areas such as crawling, parsing, session handling, testing and reporting. The version referenced in this section is WASSEC version 1.0; the table below lists the WASSEC 1.0 requirements covered here, using the identifiers of that document.


Definitions

Definition        Requirements
WASSEC-1_1        Transport support
WASSEC-2_1        Authentication schemes
WASSEC-3_1        Session management capabilities
WASSEC-3_2_1      HTTP cookies
WASSEC-3_3        Session token detection configuration
WASSEC-3_4        Session token refresh policy
WASSEC-4_1        Web crawler configuration
WASSEC-4_1_5      Supporting concurrent sessions
WASSEC-5_3        Parser tolerance
WASSEC-5_5        Extraction of dynamic content
WASSEC-6_1_2      URL patterns
WASSEC-6_1_6      HTTP headers
WASSEC-6_2_1_1    Authentication - Brute force
WASSEC-6_2_1_2    Authentication - Insufficient authentication
WASSEC-6_2_1_3    Authentication - Weak password recovery validation
WASSEC-6_2_1_4    Authentication - Lack of SSL on login pages
WASSEC-6_2_2_1    Authorization - Credential/Session prediction
WASSEC-6_2_2_2    Authorization - Insufficient authorization
WASSEC-6_2_2_3    Authorization - Insufficient session expiration
WASSEC-6_2_2_4    Authorization - Session fixation
WASSEC-6_2_2_5    Authorization - Session weaknesses
WASSEC-6_2_3_1    Client-side attacks - Content spoofing
WASSEC-6_2_3_2    Client-side attacks - Cross-site scripting
WASSEC-6_2_3_4    Client-side attacks - HTML injection
WASSEC-6_2_3_5    Client-side attacks - Cross-site request forgery
WASSEC-6_2_3_6    Client-side attacks - Flash-related attacks
WASSEC-6_2_4_1    Command execution - Format string attack
WASSEC-6_2_4_2    Command execution - LDAP injection
WASSEC-6_2_4_3    Command execution - OS command injection
WASSEC-6_2_4_4    Command execution - SQL injection
WASSEC-6_2_4_6    Command execution - XPath injection
WASSEC-6_2_4_8    Command execution - Remote file includes
WASSEC-6_2_4_9    Command execution - Local file includes
WASSEC-6_2_4_10   Command execution - Potential malicious file uploads
WASSEC-6_2_5_2    Information disclosure - Information leakage
WASSEC-6_2_5_3    Information disclosure - Path traversal
WASSEC-6_2_5_5    Information disclosure - Insecure HTTP methods enabled
WASSEC-6_2_5_7    Information disclosure - Default web server files
WASSEC-8_4_1      Compliance report

Last updated

2023/09/18