[Owasp-board] OWASP Top 10 ... Done!

Dave Wichers dave.wichers at owasp.org
Mon Jan 29 15:59:26 UTC 2007

I think this is a good idea and I'm leaning towards: A3 - Malicious File


I don't think Malicious Code Execution is a good name as that crosses over
into the Injection flaws area (or could be misinterpreted as such). 


Isn't the problem both about remote file execution AND remote file access?
i.e., I would hope that reaching in and pulling out a machine's password
file because I can include path information in the file download function
would fall into this category. And the fact that I can upload a PHP file to
execute, or upload an Image File with embedded Javascript and then get that
to execute in a victim's browser would both count too, right?


If so, then should the name by 'Unsafe File Access'? Or something like that?


Jeff is in a meeting now but if you have more thoughts on this Dinis, please
send so I can discuss with him when he is done with his call.


Thanks, Dave



From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Monday, January 29, 2007 10:13 AM
To: owasp-board at lists.owasp.org
Subject: Re: [Owasp-board] OWASP Top 10 ... Done!


Hi Dave, I just had a quick chat with Andrew about one medium change (it was
quicker to talk than to write)

Basically I asked if we could change A3 - Insecure Remote File Include to A3
- Malicious Remote File Execution (or even A3 - Malicious File Execution or
even A3 - Malicious Code Execution) since this covers the PHP remote file
include issue, XSS/XSD Injections, remote file upload via
uploadFile.aspx/uploadFile.jsp and using reflection to invoke .Net/Java
classes directly. it also makes reference to the real problem that our web
apps today have that their security (and the surrounding environment) are
depended on the non-execution of malicious code. 

Of course one of the solutions for this is to use Sandboxes that limit what
that code can do :)

Jeff, Dave, what do you think? (Andrew was ok with it and (after talking to
Jeff today) is able to make these small changes) 

I think that the proposed title is a good compromise between Andrew's
request to have the PHP remote include in there and my request to have
sandbox issue in there (and it affects ALL web apps, so it is not PHP

Sorry for not raising this issue earlier, but I was looking the proposed new
title (which only occurred to me this weekend)


On 1/29/07, Dave Wichers <dave.wichers at owasp.org> wrote:


Excellent job finishing all this up. Looks great. I did one more quick pass
through your changes and made a few more minor edits / corrections.

It is attached and I agree it's ready to go.



-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj at aspectsecurity.com]
Sent: Monday, January 29, 2007 2:51 AM
To: Jeff Williams; Dave Wichers; Dinis Cruz
Subject: OWASP Top 10 ... Done!

Hi guys,

I've spent a goodly portion of this weekend going through the Top 10 Dave
sent through with a fine tooth comb.

Some of the changes:

* Fixed / resolved all of Dave's comments and yellow text
* Replaced some text to be clearer (generally near where Dave's comments
* Updated graph and tables to adhere to new chapter names and update the 
stats as per their raw values
* Fitted the summary onto a single page
* All samples in all 10 chapters actually go somewhere useful
* Improved links and references
* Added one new section (Vulnerabilities, not attacks) as one comment I got 
from Jeremiah re: my ToC post to my blog last month, was that the ToC
doesn't deal with phishing, identity theft, etc. So I added a section
showing how this T10 deals with those sorts of attacks and a few others 

Dinis/Jeff/Dave, if you're happy, I'm happy with this draft and I consider
it ready to be forwarded to -leaders and the T10 list. Even if it's now not
as perfect as it could be, I think we can make further changes during the 
comments period rather than hanging on to it any longer.

It's time to get this baby out the door!


Owasp-board mailing list 
Owasp-board at lists.owasp.org

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20070129/52920160/attachment-0002.html>

More information about the Owasp-board mailing list