[GPC] Idea About Top 10 2010 - A10-Unvalidated Forwards

Paulo Coimbra paulo.coimbra at owasp.org
Wed Nov 10 11:58:55 EST 2010


Hello Marcos,

First of all, thank you for volunteering to lead an OWASP Project.  It is
with volunteers like yourself that OWASP continues to succeed in making
application security visible.

Second, regarding your new leadership of this project, I'd like to request
that you send a project roadmap - basically the high level details of where
you'd like to take the project.  The OWASP Global Projects Committee (GPC)
will look at the roadmap and provide feedback on your project:  suggesting
projects which are closely related, resources and contacts which may assist
your efforts and any other suggestions to increase your project's success.

 

To get your project started, here are a couple of references for your
review:

 - The Guidelines for OWASP Projects provide a quick overview of items key
to a project's success -
http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects,

 - OWASP's Assessment Criteria is the metric by which projects are
evaluated.  There are three categories for projects: Alpha, Beta, and Stable
(former Release).  The Assessment Criteria allows project leaders to know
what aspects of projects OWASP values -
http://www.owasp.org/index.php/Category:OWASP_Project_Assessment,

 - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/,


Your project will have an OWASP wiki page to inform and promote your project
to the OWASP community.  To set up your project's page, please provide the
details below so that the GPC can establish your initial project page.  The
details provided will be used to complete OWASP's project template.  Feel
free to add any additional information to the wiki page or request assistance
about how to add to your project's wiki page.

Details to create your project page:
(0) Project Name,
(1) Project purpose / overview,
(2) Project Roadmap (as mentioned above),
(3) Project links (if any) to external sites,
(4) Project License
(http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects#Project_Licensing),
(5) Project Leader name,
(6) Project Leader email address,
(7) Project Leader wiki account - the username (you'll need this to edit the
wiki - http://www.owasp.org/index.php/Tutorial),
(8) Project Contributor(s) (if any) - name, email and wiki account (if any),

As your project reaches a point that you'd like OWASP to assist in its
promotion, the GPC will need the following to help spread the word about
your project:

 * Conference style presentation describing the project in at least 3 slides -
http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/

 * Project Flyer/Pamphlet (PDF file) -
http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/


As work on your project progresses and you are ready to create a release,
please let the GPC know of the change in status.  The GPC can work with you
to get your project assessed and moved up the OWASP quality ladder from
Alpha to Beta to Stable.  Not every release requires an assessment -
feel free to email the GPC if you are unsure about your project's
requirements.  For examples of projects at various quality levels, please
see the OWASP Project page -
http://www.owasp.org/index.php/Category:OWASP_Project

That is all for now - I wish you and your project great success.  Thank you
for supporting OWASP's mission.

Should you have any questions or require any further information, please do
not hesitate to contact me. 

Many thanks, best regards,

Thanks,

- Paulo

Paulo Coimbra,
OWASP Project Manager - http://www.owasp.org/index.php/User:Paulo_Coimbra

 

From: Marcos Mateos Garcia [mailto:mmateos at germinus.com]
Sent: Wednesday, 10 November 2010 08:27
To: 'Paulo Coimbra'
Subject: RE: Idea About Top 10 2010 - A10-Unvalidated Forwards

 

Dear Paulo,

 

As I have discussed with Dave Wichers in previous emails (you can see them below), I
am interested in contributing a tool to OWASP. The tool tries to exploit the
"Top Ten 2010 A10-Unvalidated Forwards" vulnerability to download known
files and source code in Java applications.

 

Dave told me to contact you to set up a project, so please let me know the next
steps to contribute it.

 

Thanks in advance and best regards



______________________________
Marcos Mateos Garcia
Security Consultant

ICT Security Sub-Directorate
Global Technical and Outsourcing Directorate
Telephone: +34 660 476 035
E-mail: mmateos at germinus.com
PGP: 0xB519358728C7420F
<https://keyserver.pgp.com/vkd/DownloadKey.event?keyid=0xB519358728C7420F>

Grupo GESFOR, www.gesfor.es, Avenida de Manoteras 32, 28050 - Madrid.
GESFOR Building. Telephone: 91 3048094. Fax: 91 754 50 52

Gesfor celebrates 25 years

 

  _____  

From: Dave Wichers [mailto:dave.wichers at owasp.org]
Sent: Friday, 05 November 2010 2:43
To: 'Marcos Mateos Garcia'; Paulo Coimbra
Subject: RE: Idea About Top 10 2010 - A10-Unvalidated Forwards

 

Sorry for the delay in responding. I had a hard disk crash last week and I’m
still recovering.

 

OWASP is interested in all tool contributions. Paulo can help you set up
your project if you would like to contribute it to OWASP.

 

Thanks for thinking of OWASP!

 

-Dave

 

From: Marcos Mateos Garcia [mailto:mmateos at germinus.com] 
Sent: Tuesday, November 02, 2010 6:13 AM
To: dave.wichers at owasp.org
Subject: RE: Idea About Top 10 2010 - A10-Unvalidated Forwards

 

Dear Dave,

 

Last week I sent you an email, which you can see below this one. Please let me know
whether you received that mail and if this idea is interesting for you.

 

Thanks in advance. Best regards



______________________________
Marcos Mateos Garcia

 

  _____  

From: Marcos Mateos Garcia [mailto:mmateos at germinus.com]
Sent: Monday, 25 October 2010 18:55
To: 'dave.wichers at owasp.org'
Subject: Idea About Top 10 2010 - A10-Unvalidated Forwards

 

Dear Dave,

 

Let me introduce myself. I'm working as a Security Consultant at Germinus, a
company of the Gesfor Group (Spain), specialized in security deployment and
audits. I have a lot of experience with projects related to secure
development and mostly in Ethical Hacking and Penetration Testing of web
applications.

I'm writing to you about the new vulnerability category in the Top Ten Project
named "A10-Unvalidated Redirects and Forwards". I have seen this problem in
several applications that I've analyzed recently. I'm especially
interested in "Unvalidated Forwards", because it can be used to bypass
access controls, as the Top Ten A10 Impacts section illustrates. Related to this issue,
I've exploited this vulnerability to download other Java application
files, like "web.xml". I am working on a small tool to automate the download of
known files and source code (Java classes to decompile) using an unvalidated
forward vulnerability.

 

I would like to contribute this tool to an OWASP project. Please let me know if
you think that it is interesting for you as part of the Top Ten Project, or
maybe if you consider that it is suitable for another OWASP project.

 

Thanks in advance and best regards.



______________________________
Marcos Mateos Garcia
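As an added illustration, not part of the thread and not the tool Marcos describes, the hypothetical servlet below shows the A10 unvalidated-forward pattern he refers to beside an allowlisted version; the class name, the `fwd` and `page` parameter names and the JSP paths are assumed, and `Map.of` requires Java 9 or later.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet used to contrast the two forward styles.
public class ForwardServlet extends HttpServlet {

    // Vulnerable form (kept only for contrast): the forward target comes straight
    // from the request. A server-side forward is not subject to the container's
    // URL-based security constraints, so a caller can steer it to resources that a
    // direct request would be denied, which is the access-control bypass A10 describes.
    protected void doGetVulnerable(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = req.getParameter("fwd");
        req.getRequestDispatcher(target).forward(req, resp);
    }

    // Hardened form: the client supplies only an opaque key; the servlet maps it to a
    // fixed internal path and rejects anything that is not in the allowlist, so the
    // caller never controls the path handed to the dispatcher.
    private static final Map<String, String> ALLOWED = Map.of(
        "home", "/pages/home.jsp",   // assumed paths
        "help", "/pages/help.jsp");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String key = req.getParameter("page");
        String target = (key == null) ? null : ALLOWED.get(key);
        if (target == null) {
            // Log the rejected key server-side if desired; do not echo it back.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown page");
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

Reviewing a code base for `getRequestDispatcher` calls whose argument traces back to request input is the quickest way to find the vulnerable form.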

 
