[Owasp-board] Top 10 headings

Andrew van der Stock vanderaj at owasp.org
Fri Nov 17 02:02:30 UTC 2006


Dave asked me to fill in some definitions for each heading.

> 1. XSS

Obvious, as it's easy to find and lays the groundwork for CSRF.

> 2. SQL Injection

Should we include more injections, or leave just as SQL?

> 3. Insufficient Authentication

Brute forcing, etc. As per Top 10 2004 essentially.

> 4. Authorization - Privilege Escalation

Calling privileged functions, lack of authZ, etc. Same as Top 10 2004. Might add some Ajax to this, as I see this a lot in Ajax-enabled apps.

> 5. Remote File Include

Not just a PHP problem. Also for XML files, DTDs, etc.

> 6. CSRF

Should be in there.

> 7. Content Spoofing

Phishing, etc., where attackers try to emulate your web site or send better-looking e-mails than you do. Lots of loss via this mechanism.

> 8. Abuse of Functionality

Things like form mail and so on, and "send e-mail to a member", as found and used by spam gangs to send e-mail from legitimate sites. AuthZ issues are above.

> 9. Information Leakage

Include configuration files being able to be read, and misusing the application to see others' records through tampering with the application (almost an authZ issue).

> 10. Insecure Storage

Should include items such as pulling up report files for others if you know how the naming scheme works, Ajax local storage mechanisms, and sites which include protected items like Access databases - or worse - in the web root.
