Threat Taxonomy v2.0

WASC TC

Threat Classification

Web Application Security Consortium (WASC) Source Document →

What It Is

A comprehensive, flat taxonomy of web application security threats. Where the OWASP Top 10 ranks the ten most critical risk categories, WASC TC catalogs all 49 known web attack types and weakness classes without ranking:

Attacks — the actions an adversary takes:

  • SQL Injection, OS Commanding, XSS, CSRF, HTTP Response Splitting, SSI Injection, LDAP Injection, XPath Injection, Path Traversal, and many more

Weaknesses — the underlying flaws that enable attacks:

  • Insufficient Authentication, Insufficient Authorization, Insufficient Transport Layer Protection, Improper Input Handling, Information Leakage, and more

Each item has a unique WASC-ID (WASC-01 through WASC-49) and is also organized by a development lifecycle view (design, implementation, deployment) — showing where in the SDLC each class of vulnerability originates.

Why It Matters

The dual-view structure (attacks vs. weaknesses) mirrors what CWE and CAPEC would later standardize, but WASC TC did it first. The flat enumeration is useful when you need exhaustive coverage rather than a prioritized top-N list. If you’re building a vulnerability scanner, writing security requirements, or creating a test plan that must cover everything, WASC TC is the taxonomy you enumerate against.

Note: WASC is dormant. The taxonomy is historically significant and still technically valid, but not actively maintained.

When to Use It

Vulnerability classification, scanner development, and as a completeness check against other frameworks. If your OWASP WSTG-based test plan covers 40 of the 49 WASC categories, you can identify the gaps.

The Offensive Angle

The lifecycle view is underappreciated. It tells you that some vulnerabilities are designed in (architecture decisions), some are coded in (implementation errors), and some are deployed in (configuration mistakes). This maps to three different remediation strategies — and three different places to look during an assessment. A pentester who understands this taxonomy doesn’t just find vulns; they understand why the vuln exists and how to prevent the entire class.

Pairs Well With

  • OWASP WSTG — Testing procedures for the threats WASC TC classifies
  • CWE/CAPEC — Modern successors for vulnerability and attack pattern enumeration
  • OWASP ASVS — Verification requirements mapped against WASC weakness categories