WASC and CWE IDs


luigi.ca...@gmail.com

unread,
Jan 10, 2018, 6:56:22 AM
to OWASP ZAP Developer Group

Hello everyone,

I'm developing an add-on for the NoSQL injection scan and I'm searching for the correct WASC and CWE IDs for the MongoDB injection attack, but they don't seem to exist.

In the CWE there is the 943 ID, which refers to any kind of query injection attack. Its children are:

  • 89 (SQL injection)
  • 90 (LDAP injection)
  • 643 (XML path injection)
  • 652 (XML query injection)

For some NoSQL databases the 652 CWE ID could be fine, but MongoDB uses the JSON format, not the XML one. Therefore, the only valid ID could be the generic 943, but it doesn't have a corresponding entry in the WASC ranking.


Best regards,
Luigi Casciaro.

kingthorin+owaspzap

unread,
Jan 10, 2018, 8:24:26 AM
to OWASP ZAP Developer Group
943 seems fine to me. As for WASC, I'd just go with 19.

Unfortunately WASC seems to be kind of stale/dead.
(For example their website is still copyright 2005: http://www.webappsec.org/, and the main page of the wiki hasn't had any updates in almost 5 years: http://projects.webappsec.org/w/page/13246927/FrontPage, for the threat classification page it's been over 6: http://projects.webappsec.org/w/page/13246978/Threat%20Classification)


luigi.ca...@gmail.com

unread,
Jan 10, 2018, 12:39:11 PM
to OWASP ZAP Developer Group
Thanks.