
OWASP to WASC to CWE Mapping

Correlating Different Industry Taxonomies

Jesper Jurcenoks
Director, Research
Chief Evangelist
June, 2013

Technical Whitepaper

2013

Abstract
Correlating vulnerabilities, weaknesses and threats across not only different vendors but also
different security industries is becoming increasingly complex with the proliferation of common
security categorization systems. How can security practitioners know whether their IPS has been
configured to protect against all known vulnerabilities? In one of its most recent research
projects, Critical Watch has reviewed past taxonomy challenges and updated the mapping
corollaries to meet today's security intelligence needs.
To create the current mapping, existing standards and taxonomies were compared and correlated
by hand. The result is a clear picture of OWASP, WASC and CWE mappings, correlated into a
unified taxonomy that gives an accurate picture of vulnerability coverage.

Table of Contents
Introduction ... 3
Methodology ... 5
Mapping ... 8
Conclusion ... 11
Glossary ... 12


Introduction
In 2010, WhiteHat founder and CTO Jeremiah Grossman, along with well-known information
security engineer Bil Corry, made a provisional mapping between the early release candidate
(RC1) of the OWASP Top 10 2010 and the then-current WASC list. The mapping is good; however,
(1) the final OWASP release turned out to be slightly different from the release candidate used
by Grossman and Corry, and (2) the mappings have not been updated or maintained. The
unmodified Grossman/Corry mapping has since been referenced in a number of other
mappings (which therefore incorporate some of the original shortcomings). The original mapping can be
found here: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasptop.html.

The Web Application Security Consortium (WASC) adapted the OWASP release candidate
mappings made by Grossman and Corry and enhanced them with mappings from WASC to CWE
and to the SANS Top 25, to make a matrix that combined the OWASP Top 10 from 2010, 2007 and 2004
with WASC, CWE, CWE/SANS Top 25 2009 and CAPEC. Our research found this mapping to be
the best publicly available mapping between OWASP Top 10, WASC and CWE. The
WASC 2010 mapping can be seen here:
http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View

Unfortunately, the mapping has not been maintained since April 2010, it is not based on the
final OWASP Top 10 2010, and it has certain internal inconsistencies; for example, when Mitre's
mappings from OWASP Top 10 to CWE are compared with WASC's OWASP-to-CWE-via-WASC
mapping, the results are not always consistent.
The problem for security experts at organizations, security consultants and auditors is: how do I
know if my WAF will protect against the CVE that the PCI ASV found? Has my IPS been
configured to protect against all of the OWASP Top 10? What about the CWE/SANS Top 25?
Answering these questions in an easy-to-access format became the goal of the Critical Watch
research department. We determined that some of the original mappings could be optimized and
new mappings added. In addition to utilizing internal Security Intelligence tools, the
resources cited below were reviewed as part of our findings.


Qualys to WASC/OWASP Top 10/CWE mapping:
https://community.qualys.com/servlet/JiveServlet/previewBody/2788-102-3-6070/QualysQIDOWASP-WASC-CWE%20Mapping%20Matrix%202012-05-17.pdf
Mapping between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25 by Denim Group:
http://blog.denimgroup.com/denim_group/2010/01/mapping-between-owasp-top-10-20042007-wasc-242-and-sans-cwe25.html
Suggested mapping of CWE/SANS Top 25 to WASC TC by Dmitry Evteev from Positive Technologies:
http://ptresearch.blogspot.com/2010/04/wasc-wstcv2-mapping-proposal.html


Methodology
Using a spreadsheet, the mappings were made using the following methodology:
Starting with OWASP Top 10 RC1 from
http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View,
the list was re-numbered and re-sorted to reflect the final version of OWASP Top 10 2010,
making OWASP the primary key.

1) WASC was added to OWASP 2010 using the same page.
2) The list of WASC entries was then updated to include WASC-50.
3) Clearly marked OWASP categories from earlier years, Buffer Overflow and Denial of Service,
were added where there was no relevant 2010 category, in order to get a more
encompassing WASC to OWASP mapping.
4) All WASC to OWASP mappings were then evaluated for appropriateness:
a. WASC-03 Integer Overflow was mapped to OWASP 2004 Buffer Overflow due to
the link between Integer Overflow and Buffer Overflow described in CWE-680.
b. WASC-05 Remote File Inclusion was mapped to A1 Injection because the referenced
examples used attack methods that matched the OWASP definition of Injection.
c. WASC-06 Format String was mapped to OWASP 2004 Buffer Overflow.
d. WASC-10 Denial of Service was changed from OWASP A7 Failure to Restrict URL
Access to the more appropriate OWASP 2004 Denial of Service.
e. WASC-11 Brute Force was changed from OWASP A8 Failure to Restrict URL Access
to OWASP A3 Broken Authentication and Session Management, as the referenced CWE had to
do with entropy, randomness and predictability.
f. WASC-12 Content Spoofing was mapped to OWASP A03 Broken
Authentication and Session Management because spoofing is essentially a lack of authentication
of the data provided.
g. WASC-13 Information Leakage, a very broad, all-encompassing category, was
mapped to the equally broad OWASP A06 Security Misconfiguration, as most of
the Mitre CWE examples had more to do with misconfiguration than with
programming errors.
h. WASC-16 Directory Indexing was mapped to OWASP A06 Security
Misconfiguration, as that is what directory indexing typically is.
i. WASC-17 Improper File System Permissions could have been mapped
to OWASP A08 Failure to Restrict URL Access, but WASC-17 has broader implications
than just OWASP A08, so it was mapped to the broader A06 Security
Misconfiguration.

j. WASC-20 Improper Input Handling: it is hard to think of a vulnerability or
weakness that is not caused by improper input handling; they all seem to be caused
by it, so it is mapped to the worst one, which is OWASP A01 Injection.
k. WASC-22 Improper Output Handling: while superficially related to WASC-06
Format String, WASC-22 encompasses much more. There is no appropriate
OWASP Top 10 category to map it to.
l. WASC-24 HTTP Request Splitting was mapped to A2 XSS. While Request Splitting
is technically not XSS, it is tightly coupled with XSS.
m. WASC-25 HTTP Response Splitting was mapped to A1 Injection as it is an
injection-style flaw.
n. In some cases, the difference in taxonomy between OWASP and WASC caused
several OWASP categories to reference the same WASC TC. This is considered
correct mapping.
5) The WASC to CWE mapping from the columns CWE ID and SANS/CWE Top 25 at
http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View
was individually evaluated and then added to the mapping matrix
where appropriate. This resulted in an indirect OWASP -> CWE mapping via WASC.
6) Mitre's mapping from OWASP 2010 directly to CWE was added for parent CWEs (i.e., if
an OWASP weakness was mapped to both a broad CWE parent and a more specific child
CWE in the same family, only the parent was included; when the OWASP
weakness referred to distinct CWE families, the parent of each family was
included).
7) The new CWEs added from the Mitre OWASP to CWE mapping were matched to existing
WASC categories under that OWASP weakness. When an appropriate WASC TC could
not be found, the CWE name was put into the WASC column as a description.
8) Mitre's mapping from OWASP 2004 directly to CWE was used to verify the existing
mappings for OWASP 2004 Denial of Service and Buffer Overflow, but old OWASP to CWE
coverage was not added to the matrix from Mitre unless it was deemed essential.
9) The CWE/SANS Top 25 was then added to the matrix, making sure to categorize each CWE
from the CWE/SANS Top 25 into the right OWASP and WASC threat categories. When a
WASC could not be found, the CWE name was inserted into the WASC column as a
description.
10) The CWE/SANS Top 25 "On the Cusp" list (26-41) was added to the matrix. When a child CWE was
directly referenced in the Cusp listing and the parent was already in the mapping, the
child was still included for completeness.
a. Note: while WASC-41 XML Attribute Blowup is CWE-770, CWE-770 is more than
just XML Attribute Blowup, which is why CWE/SANS Top 25 #26 is mapped to
WASC-10 Denial of Service.

11) More than one CWE per WASC is listed in a few places where it was appropriate.
12) When OWASP Top 10 2013 was released, the mapping was updated to reflect the new list:
a. OWASP A01 Injection was left unchanged.
b. OWASP 2010 A03 became OWASP 2013 A02 Broken Authentication and Session
Management.
c. OWASP 2010 A02 became OWASP 2013 A03 Cross-Site Scripting (XSS).
d. OWASP A04 Insecure Direct Object Reference was left unchanged.
e. OWASP 2010 A06 became OWASP 2013 A05 Security Misconfiguration.
f. OWASP 2010 A07 and A09 were combined to make A06 Sensitive Data Exposure.
g. OWASP 2010 A08 became OWASP 2013 A07 Missing Function Level Access
Control.
h. OWASP 2010 A05 became OWASP 2013 A08 Cross-Site Request Forgery.
i. The new category A09 Using Components With Known Vulnerabilities was added.
j. OWASP A10 Unvalidated Redirects and Forwards was left unchanged.
k. OWASP A05 Security Misconfiguration was evaluated to see if any mappings should be
removed now that A09 Using Components With Known Vulnerabilities had been
extracted from it. None were found.
l. WASC was researched to see if any WASC entry belonged in the new OWASP
A9. None were found.
m. CWE was researched to see if any CWE belonged in the new OWASP A9.
CWE-830 and CWE-829 were evaluated; CWE-830 was rejected as it only
references insecure components outside the sphere of control, whereas A9
specifically talks about insecure components within the sphere of control. CWE-829
was included because it lists libraries that contain their own weaknesses.


Mapping
Our research concluded with an updated mapping of taxonomy across OWASP, WASC and CWE. The
findings are reflected below.
OWASP Top 10, 2013 | WASC v2 | CWE-ID | CWE/SANS Top 25 2011
Each OWASP category lists its WASC v2 entries, the CWE-IDs mapped under it, and the CWE/SANS Top 25 2011 ranks of those CWEs.

A01 - Injection
  WASC v2: External Control of Assumed-Immutable Web Parameter; File Injection; PHP Injection; WASC-05 Remote File Inclusion; WASC-19 SQL Injection; WASC-20 Improper Input Handling; WASC-23 XML Injection; WASC-25 HTTP Response Splitting; WASC-28 Null Byte Injection; WASC-29 LDAP Injection; WASC-30 Mail Command Injection; WASC-31 OS Command Injection; WASC-36 SSI Injection; WASC-39 XPath Injection; WASC-46 XQuery Injection
  CWE-ID: CWE-472, CWE-98, CWE-73, CWE-94, CWE-98, CWE-426, CWE-73, CWE-89, CWE-564, CWE-20, CWE-91, CWE-113, CWE-158, CWE-90, CWE-88, CWE-78, CWE-97, CWE-643, CWE-652
  CWE/SANS Top 25 2011: 31

A02 - Broken Authentication and Session Management
  WASC v2: WASC-01 Insufficient Authentication; WASC-11 Brute Force; WASC-12 Content Spoofing; WASC-18 Credential/Session Prediction; WASC-37 Session Fixation; WASC-47 Insufficient Session Expiration; Reliance on Untrusted Inputs in a Security Decision; Download of Code Without Integrity Check
  CWE-ID: CWE-306, CWE-287, CWE-307, CWE-345, CWE-798, CWE-330, CWE-384, CWE-613, CWE-807, CWE-494
  CWE/SANS Top 25 2011: 27, 21, 7, 10, 14

A03 - Cross Site Scripting (XSS)
  WASC v2: WASC-08 Cross-site Scripting; WASC-24 HTTP Request Splitting; Unrestricted Upload of File with Dangerous Type
  CWE-ID: CWE-79, CWE-93, CWE-434
  CWE/SANS Top 25 2011: -

A04 - Insecure Direct Object Reference
  WASC v2: WASC-01 Insufficient Authentication; WASC-02 Insufficient Authorization; WASC-33 Path Traversal; Inclusion of Functionality from Untrusted Control Sphere; Improper Access Control; Authentication Bypass Through User-controlled Key
  CWE-ID: CWE-287, CWE-862, CWE-863, CWE-22, CWE-829, CWE-284, CWE-639
  CWE/SANS Top 25 2011: 15, 13, 16, 39

A05 - Security Misconfiguration
  WASC v2: Information Exposure Through an Error Message; Sensitive Data Under Web Root; WASC-13 Information Leakage; WASC-14 Server Misconfiguration; WASC-15 Application Misconfiguration; WASC-16 Directory Indexing; WASC-17 Improper Filesystem Permissions
  CWE-ID: CWE-219, CWE-200, CWE-754, CWE-16, CWE-16, CWE-548, CWE-250, CWE-732, CWE-280, CWE-538, CWE-552, CWE-311, CWE-209
  CWE/SANS Top 25 2011: 11, 17, 28

A06 - Sensitive Data Exposure
  WASC v2: WASC-50 Insufficient Data Protection; WASC-04 Insufficient Transport Layer Protection
  CWE-ID: CWE-327, CWE-759, CWE-326, CWE-311
  CWE/SANS Top 25 2011: 19, 25

A07 - Missing Function Level Access Control
  WASC v2: WASC-02 Insufficient Authorization; WASC-21 Insufficient Anti-automation; WASC-34 Predictable Resource Location
  CWE-ID: CWE-285, CWE-799, CWE-084, CWE-425
  CWE/SANS Top 25 2011: -

A08 - Cross Site Request Forgery (CSRF)
  WASC v2: WASC-09 Cross-site Request Forgery
  CWE-ID: CWE-352
  CWE/SANS Top 25 2011: 12

A09 - Using Components With Known Vulnerabilities
  WASC v2: [NO WASC]
  CWE-ID: CWE-829
  CWE/SANS Top 25 2011: 16

A10 - Unvalidated Redirects and Forwards
  WASC v2: WASC-38 URI Redirector Abuse
  CWE-ID: CWE-601
  CWE/SANS Top 25 2011: 22

OWASP Top 10, 2004 A05 Buffer Overflow
  WASC v2: WASC-03 Integer Overflow; WASC-06 Format String; WASC-07 Buffer Overflow
  CWE-ID: CWE-190, CWE-134, CWE-119, CWE-120, CWE-676, CWE-131, CWE-805 (child of CWE-119), CWE-822 (child of CWE-119), CWE-825 (child of CWE-119)
  CWE/SANS Top 25 2011: 24, 23, 3, 18, 20, 29, 32, 40

OWASP Top 10, 2004 A09 Denial of Service
  WASC v2: WASC-10 Denial of Service
  CWE-ID: CWE-400, CWE-770 (child of CWE-400), CWE-772, CWE-789
  CWE/SANS Top 25 2011: 26, 38

No OWASP - Other WASC threats
  WASC v2: WASC-35 SOAP Array Abuse; WASC-41 XML Attribute Blowup; WASC-44 XML Entity Expansion; Improper Validation of Array Index; NULL Pointer Dereference; WASC-22 Improper Output Handling; WASC-26 Request Smuggling; WASC-27 Response Smuggling; WASC-32 Routing Detour; WASC-40 Insufficient Process Validation; WASC-42 Abuse of Functionality; WASC-43 XML External Entities; WASC-45 Fingerprinting; WASC-48 Insecure Indexing; WASC-49 Insufficient Password Recovery
  CWE-ID: CWE-770, CWE-775, CWE-129, CWE-476, CWE-116, CWE-838 (child of CWE-116), CWE-212 (child of CWE-200), CWE-444, CWE-436, CWE-300, CWE-441, CWE-691, CWE-841 (child of CWE-691), CWE-227, CWE-611, CWE-205, CWE-612, CWE-640
  CWE/SANS Top 25 2011: 27, 36, 30, 34

No OWASP - No WASC
  WASC v2: Race Condition; Incorrect Conversion between Numeric Types; Missing Initialization
  CWE-ID: CWE-362, CWE-681, CWE-456
  CWE/SANS Top 25 2011: 37, 33, 35, 41
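To show how the matrix described in the Methodology section is used in practice, here is an added example (not part of the whitepaper): a small Python version of the OWASP to WASC to CWE mapping that answers the question posed in the Introduction, namely which OWASP Top 10 2013 categories the CWE-IDs a WAF or IPS ruleset claims to cover actually cover, and where the gaps are. Only a subset of the table's rows is encoded, and the ruleset export is a constructed sample.

```python
"""Cross-taxonomy coverage check over the OWASP -> WASC -> CWE matrix."""
from collections import defaultdict

# Subset of the whitepaper's mapping table as (OWASP 2013 category, WASC v2
# entry, CWE-IDs); only rows whose WASC/CWE pairing is unambiguous are kept.
MATRIX = [
    ("A01 Injection", "WASC-19 SQL Injection", {"CWE-89", "CWE-564"}),
    ("A01 Injection", "WASC-31 OS Command Injection", {"CWE-78"}),
    ("A01 Injection", "WASC-29 LDAP Injection", {"CWE-90"}),
    ("A01 Injection", "WASC-39 XPath Injection", {"CWE-643"}),
    ("A02 Broken Authentication and Session Management", "WASC-11 Brute Force", {"CWE-307"}),
    ("A02 Broken Authentication and Session Management", "WASC-37 Session Fixation", {"CWE-384"}),
    ("A03 Cross Site Scripting (XSS)", "WASC-08 Cross-site Scripting", {"CWE-79"}),
    ("A04 Insecure Direct Object Reference", "WASC-33 Path Traversal", {"CWE-22"}),
    ("A08 Cross Site Request Forgery (CSRF)", "WASC-09 Cross-site Request Forgery", {"CWE-352"}),
    ("A09 Using Components With Known Vulnerabilities", "[NO WASC]", {"CWE-829"}),
    ("A10 Unvalidated Redirects and Forwards", "WASC-38 URI Redirector Abuse", {"CWE-601"}),
]


def normalize_cwe(value):
    """Canonicalise 'cwe-078', ' 89 ' or the int 84 to 'CWE-78', 'CWE-89', 'CWE-84'.
    Vendor exports mix these forms (the table itself prints CWE-084), and a
    formatting mismatch must not be reported as a coverage gap."""
    digits = str(value).strip().upper().removeprefix("CWE-")
    if not digits.isdigit():
        raise ValueError(f"not a CWE identifier: {value!r}")
    return f"CWE-{int(digits)}"


def coverage_report(claimed_cwes, matrix=MATRIX):
    """Per OWASP category: 'covered' if every CWE the matrix lists under it is
    claimed, 'partial' if at least one is, 'none' otherwise."""
    claimed = {normalize_cwe(c) for c in claimed_cwes}
    per_owasp = defaultdict(set)
    for owasp, _wasc, cwes in matrix:
        per_owasp[owasp] |= cwes
    report = {}
    for owasp, cwes in per_owasp.items():
        hit = cwes & claimed
        report[owasp] = "covered" if hit == cwes else "partial" if hit else "none"
    return report


def gaps(claimed_cwes, matrix=MATRIX):
    """WASC entries with unclaimed CWEs: the concrete items still needing a rule."""
    claimed = {normalize_cwe(c) for c in claimed_cwes}
    return [(owasp, wasc, sorted(cwes - claimed))
            for owasp, wasc, cwes in matrix if cwes - claimed]


# Constructed sample input: CWE-IDs a WAF ruleset export claims to address.
WAF_RULESET_CWES = ["CWE-89", "79", "cwe-078", 352, "CWE-022", "CWE-601"]

if __name__ == "__main__":
    for owasp, status in coverage_report(WAF_RULESET_CWES).items():
        print(f"{status:8} {owasp}")
    for owasp, wasc, missing in gaps(WAF_RULESET_CWES):
        print(f"gap: {owasp} / {wasc}: {', '.join(missing)}")
```

Running it against the sample export reports A01 as only partially covered (the LDAP, XPath and Hibernate SQL injection CWEs are missing) and A02 and A09 as not covered at all, which is exactly the kind of gap the Introduction asks about.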


Conclusion
Taxonomic information is critical for both perimeter and internal defenses to quickly detect,
manage and control threats to a weak infrastructure. Effective control and management
measures can be implemented only when security issues are promptly and correctly identified.
Modern security ecosystems are heterogeneous, built from best-of-breed products from disparate and
incompatible vendors. A consistent cross-taxonomy is going to be the key to realizing active
countermeasures that dynamically integrate these ecosystems.


Glossary
CVE (Common Vulnerability Enumeration) is the leading naming standard for vulnerabilities in
the world, using a CVE-id. A CVE-id denotes the manifestation of a particular
computer weakness in a particular piece of software (or firmware). Other vulnerability naming
systems are maintained by OSVDB (Open Source Vulnerability Database), Security Focus
(Bugtraq), Secunia and national CERTs (Computer Emergency Response Teams). Mitre records a
little over 80 new vulnerabilities in an average week. As of 2012, there are more than 50,000
CVE-ids (a CVE-id is made from the current year and a sequential number; e.g., the first CVE this
year was CVE-2013-0001. Master CVE definitions can be found at http://cve.mitre.org.)
CVEs are assigned severity using the Common Vulnerability Scoring System (CVSS). NVD
scores CVEs using CVSS, and the scores are publicly available at http://nvd.nist.gov.
CWE (Common Weakness Enumeration) is the classification of the types of weaknesses that
cause vulnerabilities. The list is created from input from security researchers all over the world
and maintained by the Mitre Corporation. A CWE can be a broad class of weaknesses, a very
specific subgroup of a weakness, or even a list of weaknesses grouped together for a
single reference by a CWE-id. Example: CWE-119 Buffer Overflow is the parent of a number
of different specific types of buffer overflow. As of June 2012, there are fewer than 1000 CWE-ids.
CWEs are assigned on a sequential basis as they are defined, so it is not possible to conclude that a
certain CWE is more important than another based on the numeric value of the ID alone.
Sometimes a family of related CWE-ids is assigned adjacent numbers and other times
it is not. This is a consequence of the CWE-ids being defined at the same time, not of any
numerical grouping.
The NVD (National Vulnerability Database) group within NIST (National Institute of Standards
and Technology) is currently doing a good job of mapping CVE to CWE. The mapping can be
found at http://nvd.nist.gov. Note: NVD uses only a subset of the CWEs in its mapping.
The list can be seen at http://nvd.nist.gov/cwe.cfm.
OWASP Top 10 is a list of web application weaknesses issued every 3 years (2004, 2007, 2010,
2013), made from the consensus of the members of the Open Web Application Security Project
(OWASP). The list is prioritized, with OWASP A01 as the most critical weakness and OWASP A10
as the least critical. OWASP relates to the security weaknesses found in web applications. The OWASP Top 10 2013 can be found here:
https://www.owasp.org/index.php/Top_10_2013-Top_10

Mitre has a mapping between the OWASP Top 10 of 2004, 2007 and 2010 and CWE in the CWE
database here:
OWASP Top 10 2004 CWE mapping http://cwe.mitre.org/data/definitions/711.html (CWE-711)
OWASP Top 10 2007 CWE mapping http://cwe.mitre.org/data/definitions/629.html (CWE-629)
OWASP Top 10 2010 CWE mapping http://cwe.mitre.org/data/definitions/809.html (CWE-809)
WASC Threat Classification is a weakness and attack classification maintained by the Web
Application Security Consortium. WASC numbers are assigned chronologically upon definition
of the weakness or attack, meaning that WASC TCs with lower IDs are not necessarily more severe than
WASC TCs with higher IDs; they were just defined earlier. It is interesting to note that WASC
contains both weaknesses and attack patterns, where other systems typically contain one or the
other. WASC definitions can be found here:
http://projects.webappsec.org/w/page/13246978/Threat%20Classification

CWE/SANS Top 25 is a yearly list of the most severe weaknesses, the result of a collaboration
between SANS (SysAdmin, Audit, Networking, and Security), Mitre and top software security
experts in the U.S. and Europe. The list partially replaces the old SANS Top 20 Vulnerabilities
list that was discontinued after 2007. The most current list is the 2011 edition of the CWE/SANS Top 25
(available at http://cwe.mitre.org/top25/). Due to the nature of the SANS selection process and
the nature of the CWE, some of the entries on the Top 25 list are more specific variants of other
entries. The vote produced 41 prioritized results. The Top 25 can be found here:
http://cwe.mitre.org/top25/#Listing, with the rest (26-41) here:
http://cwe.mitre.org/top25/cusp.html
