[Owasp-topten] RFI taken out
rd at rd1.net
Thu Nov 19 03:33:44 EST 2009
I think it would be helpful to include a couple of sentences in the
intro to educate people that the attacks are combined, and give a quick
-- Ralph Durkee
Dave Wichers wrote:
> You are always thinking outside the box, and that is good, but I think the audience for the Top 10 is far more basic and so they need the obvious (to us) steps first.
> -----Original Message-----
> From: andreg at gmail.com [mailto:andreg at gmail.com] On Behalf Of Andre Gironda
> Sent: Wednesday, November 18, 2009 12:01 PM
> To: owasp-topten at lists.owasp.org
> Cc: Dave Wichers; Chris Eng
> Subject: Re: [Owasp-topten] RFI taken out
> On Wed, Nov 18, 2009 at 9:13 AM, Chris Eng <ceng at veracode.com> wrote:
>> As all of the pen testers here are well aware, info leakage vulnerabilities are often combined or used as a stepping stone to more serious exploits which otherwise may not have been discovered.
> The #1 in the OWASP Top Ten should be "Attack Chaining", because it's
> rare to find people who get this concept. Thus, concepts like using
> XSS to bypass CSRF protections can be discussed. Also, using log/error
> files or other writable local files can turn a LFI into an RFI. Source
> code disclosure can lead to very advanced (e.g. logic) attacks with
> OWASP T10 is mostly a marketing tool. What SANS/CWE Top 25 and many
> other marketing tools don't show is that the problems aren't meant to
> be solved one-at-a-time. One vulnerability isn't as "prevalent" or
> "severe" as any other, especially because multiple vulnerabilities are
> almost always present in any given large web application.
> We're not recommending controls with the T10; we're trying to
> demonstrate the attack principles -- the inherent weaknesses in the
> system. Yet we forget that the system can be attacked like a system.
> The Orange book calls them "object reuse" and "covert channels".