| Line 137: | Line 137: | ||
! style="width:10%"| Description | ! style="width:10%"| Description | ||
|- | |- | ||
| csec- | |csec-bounds || client security issues due to incorrect boundary conditions (read or write) | ||
| | |- | ||
|csec-disclosure || Disclosure of sensitive user data, personal information, etc in a client product. | |||
|- | |||
|csec-dos || Used to tag client Denial of Service bugs. For web server denial of service bugs please use wsec-dos as these tend to be more severe. Search 28 | |||
|- | |||
|csec-intoverflow || client security issues due to integer overflow | |||
|- | |||
|csec-oom || A client crash or hang that occurs in Out Of Memory conditions Search 2 | |||
|- | |||
|csec-other || client security issues that don't fit into other categories | |||
|- | |||
|csec-priv-escalation || client privilege escalation security issues | |||
|- | |||
|csec-sop || violations of the client Same Origin Policy (Universal-XSS bugs, for example). | |||
|- | |||
|csec-uaf || client security issues due to a use-after-free Search 1 | |||
|- | |||
|csec-ui-redress || client security issues due to UI Redress attacks, either site-on-site ("clickjacking" and friends) or manipulation of the browser UI to fool users into taking the wrong action. | |||
|- | |||
|csec-uninitialized || client security issues due to use of uninitialized memory | |||
|- | |||
|csec-wildptr || client security issues due to pointer misuse not otherwise covered (see csec-uaf, csec-uninitialized, csec-intoverflow, csec-bounds) | |||
|- | |- | ||
|} | |} | ||
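Review bot: the description cells for csec-dos, csec-oom and csec-uaf end in stray "Search 28", "Search 2" and "Search 1" text after the definition; that looks like Bugzilla search-link text with a live bug count pasted into the Description column, and the count will go stale as soon as it is saved. Put the search link in its own column (or drop the count from the link text) so the Description cell holds only the definition, as the other csec- rows do.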
| Line 151: | Line 172: | ||
! style="width:10%"| Description | ! style="width:10%"| Description | ||
|- | |- | ||
| wsec- | |wsec-authentication || Website or server authentication security issues (lockouts, password policy, etc) | ||
| | |- | ||
|wsec-authorization || web/server authorization security issues | |||
|- | |||
|wsec-cookie || Cookie related errors (HTTPOnly / Secure Flag, incorrect domain / path) | |||
|- | |||
|wsec-crossdomain || Issue such as x-frame-options, crossdomain.xml, cross site sharing settings | |||
|- | |||
|wsec-crypto || Crypto related items such as password hashing | |||
|- | |||
|wsec-csrf || Cross-Site Request Forgery (CSRF) bugs in server products | |||
|- | |||
|wsec-disclosure || Disclosure of sensitive data, personal information, etc from a web service | |||
|- | |||
|wsec-dos || Used to denote web server Denial of Service bugs. For similar bugs in client software please use csec-dos instead. | |||
|- | |||
|wsec-errorhandling || Any error handling issue | |||
|- | |||
|wsec-impersonation || Impersonation / Spoofing attacks (UI Redress, etc) | |||
|- | |||
|wsec-injection || Injection attacks other than SQLi or XSS | |||
|- | |||
|wsec-input || Failure to perform input validation. Most often you will probably use the xss tag instead | |||
|- | |||
|wsec-logging || Logging issues such as requests for CEF log points. | |||
|- | |||
|wsec-other || web/server security issues that don't fit into other categories | |||
|- | |||
|wsec-session || Issues related to sesson management (Session fixation, etc) | |||
|- | |||
|wsec-sqli || SQL Injection | |||
|- | |||
|wsec-xss || Cross-Site Scripting (XSS) bugs in server products | |||
|- | |- | ||
|} | |} | ||
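Review bot: "sesson management" in the wsec-session row is a typo for "session management". Two wording points in the same hunk: the wsec-input row says "use the xss tag instead" while the tag this table actually defines is wsec-xss, so name it exactly; and wsec-impersonation lists "UI Redress, etc" even though the client table in the hunk above already defines csec-ui-redress for that, so state which table a UI-redress bug belongs in (or cross-reference csec-ui-redress the way csec-wildptr cross-references its neighbours). Minor: "Issue such as" in the wsec-crossdomain row should read "Issues such as".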