WASC's Web Security Threat Classification (v2.0)

The Threat Classification v2.0 outlines the attacks and weaknesses that can lead to the compromise of a website, its data, or its users. This document primarily serves as a reference guide for each given attack or weakness and provides examples of each issue as well as helpful reference material. This document is utilized by many organizations and is typically used in the following ways.

The classification is split into two groups: attacks (techniques an adversary uses against a site) and weaknesses (flaws in the application or its deployment that make those attacks possible).

Attacks (34):

Abuse of Functionality
Brute Force
Buffer Overflow
Content Spoofing
Credential/Session Prediction
Cross-Site Scripting
Cross-Site Request Forgery
Denial of Service
Fingerprinting
Format String
HTTP Response Smuggling
HTTP Response Splitting
HTTP Request Smuggling
HTTP Request Splitting
Integer Overflows
LDAP Injection
Mail Command Injection
Null Byte Injection
OS Commanding
Path Traversal
Predictable Resource Location
Remote File Inclusion (RFI)
Routing Detour
Session Fixation
SOAP Array Abuse
SSI Injection
SQL Injection
URL Redirector Abuse
XPath Injection
XML Attribute Blowup
XML External Entities
XML Entity Expansion
XML Injection
XQuery Injection

Weaknesses (15):

Application Misconfiguration
Directory Indexing
Improper Filesystem Permissions
Improper Input Handling
Improper Output Handling
Information Leakage
Insecure Indexing
Insufficient Anti-automation
Insufficient Authentication
Insufficient Authorization
Insufficient Password Recovery
Insufficient Process Validation
Insufficient Session Expiration
Insufficient Transport Layer Protection
Server Misconfiguration

Source: WASC