[Owasp-board] OWASP Top 10 ... Done!

Dinis Cruz dinis at ddplus.net
Mon Jan 29 16:10:57 UTC 2007


I think the issue is malicious code executed on the server (via a PHP
include, uploaded via a vulnerable function, uploaded directly by a
malicious developer (or via that developer's compromised access codes),
etc...).

The issue of Unsafe file access is covered by A10 – Failure to Restrict URL
Access.

And yeah, A3 - Malicious File Execution sounds good to me too.

Dinis

On 1/29/07, Dave Wichers <dave.wichers at owasp.org> wrote:
>
>  I think this is a good idea and I'm leaning towards: A3 - Malicious File
> Execution
>
>
> I don't think Malicious Code Execution is a good name as that crosses over
> into the Injection flaws area (or could be misinterpreted as such).
>
>
>
> Isn't the problem both about remote file execution AND remote file access?
> i.e., I would hope that reaching in and pulling out a machine's password
> file because I can include path information in the file download function
> would fall into this category. And the fact that I can upload a PHP file to
> execute, or upload an Image File with embedded Javascript and then get that
> to execute in a victim's browser would both count too, right?
>
>
>
> If so, then should the name be 'Unsafe File Access'? Or something like
> that?
>
>
>
> Jeff is in a meeting now but if you have more thoughts on this Dinis,
> please send so I can discuss with him when he is done with his call.
>
>
>
> Thanks, Dave
>
>
>  ------------------------------
>
> From: owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
> Sent: Monday, January 29, 2007 10:13 AM
> To: owasp-board at lists.owasp.org
> Subject: Re: [Owasp-board] OWASP Top 10 ... Done!
>
>
>
> Hi Dave, I just had a quick chat with Andrew about one medium change (it
> was quicker to talk than to write)
>
> Basically I asked if we could change A3 – Insecure Remote File Include to
> A3 - Malicious Remote File Execution (or even A3 - Malicious File
> Execution or even A3 - Malicious Code Execution) since this covers the
> PHP remote file include issue, XSS/XSD Injections, remote file upload via
> uploadFile.aspx/uploadFile.jsp and using reflection to invoke .Net/Java
> classes directly. It also makes reference to the real problem that our web
> apps today have that their security (and the surrounding environment) are
> dependent on the non-execution of malicious code.
>
> Of course one of the solutions for this is to use Sandboxes that limit
> what that code can do :)
>
> Jeff, Dave, what do you think? (Andrew was ok with it and (after talking
> to Jeff today) is able to make these small changes)
>
> I think that the proposed title is a good compromise between Andrew's
> request to have the PHP remote include in there and my request to have
> sandbox issue in there (and it affects ALL web apps, so it is not PHP
> specific).
>
> Sorry for not raising this issue earlier, but I was looking at the proposed
> new title (which only occurred to me this weekend).
>
> Dinis
>
>
>  On 1/29/07, Dave Wichers <dave.wichers at owasp.org> wrote:
>
> Andrew,
>
> Excellent job finishing all this up. Looks great. I did one more quick pass
> through your changes and made a few more minor edits / corrections.
>
> It is attached and I agree it's ready to go.
>
> Jeff/Dinis?
>
> -Dave
>
> -----Original Message-----
> From: Andrew van der Stock [mailto:vanderaj at aspectsecurity.com]
> Sent: Monday, January 29, 2007 2:51 AM
> To: Jeff Williams; Dave Wichers; Dinis Cruz
> Subject: OWASP Top 10 ... Done!
>
> Hi guys,
>
> I've spent a goodly portion of this weekend going through the Top 10 Dave
> sent through with a fine tooth comb.
>
> Some of the changes:
>
> * Fixed / resolved all of Dave's comments and yellow text
> * Replaced some text to be clearer (generally near where Dave's comments
> were)
> * Updated graph and tables to adhere to new chapter names and update the
> stats as per their raw values
> * Fitted the summary onto a single page
> * All samples in all 10 chapters actually go somewhere useful
> * Improved links and references
> * Added one new section (Vulnerabilities, not attacks) as one comment I got
> from Jeremiah re: my ToC post to my blog last month, was that the ToC
> doesn't deal with phishing, identity theft, etc. So I added a section
> showing how this T10 deals with those sorts of attacks and a few others
>
> Dinis/Jeff/Dave, if you're happy, I'm happy with this draft and I consider
> it ready to be forwarded to -leaders and the T10 list. Even if it's now not
> as perfect as it could be, I think we can make further changes during the
> comments period rather than hanging on to it any longer.
>
> It's time to get this baby out the door!
>
> Thanks,
> Andrew
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
>
>
> --
> Dinis Cruz
> Chief OWASP Evangelist, Are you a member yet?
> http://www.owasp.org
>


-- 
Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org
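The thread groups three input-handling failures under the proposed A3 name: including a file named by a remote URL, reaching a local file such as the password file through a download parameter that carries path information, and accepting an upload that the server or a victim's browser later executes. The block below is an added example, not code from the thread or from OWASP, written in Python rather than the PHP the thread discusses; it shows a defensive treatment of each case. The directory layout, template allowlist, header values and file names are constructed for the illustration.

```python
"""Added example (not from the thread): defensive handling of the three
A3-style inputs the discussion names. All directories, names and sample
bytes below are constructed for the illustration."""
import re
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Constructed layout (hypothetical): templates the app may include, and an
# upload directory outside the web root so nothing uploaded is served as code.
TEMPLATE_ROOT = Path("/srv/app/templates")
ALLOWED_TEMPLATES = {"home", "about", "contact"}
UPLOAD_ROOT = Path("/srv/app/uploads")

# Extension -> bytes the file must start with (constructed subset of formats).
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
UPLOAD_NAME_RE = re.compile(r"^[a-z0-9_-]{1,64}\.(png|jpe?g|gif)$")


def resolve_include(page: str) -> Optional[Path]:
    """Map a page/include parameter to a template path, or None to refuse.

    Anything with a URL scheme (the remote-include case) is refused, and only
    allowlisted names map to a file, so traversal text never reaches the disk.
    """
    if urlsplit(page).scheme:          # http://, ftp://, data:, php:// ...
        return None
    if page not in ALLOWED_TEMPLATES:
        return None
    return TEMPLATE_ROOT / f"{page}.html"


def resolve_download(name: str, root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Map a download parameter to an on-disk path, or None to refuse.

    The candidate is normalised and must still lie inside root; this blocks
    '../' chains and absolute paths aimed at files like /etc/passwd.
    """
    if "\x00" in name:
        return None
    base = root.resolve()
    candidate = (base / name).resolve()   # lexical normalisation, dir need not exist
    if candidate == base or not candidate.is_relative_to(base):
        return None
    return candidate


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a safe stored name for an upload, or None to refuse.

    Only the basename is kept, it must match a strict image-name pattern (so
    'shell.php' and 'shell.php.png' both fail), and the content must start
    with the signature of the claimed image type.
    """
    stored = Path(filename).name.lower()
    if not UPLOAD_NAME_RE.match(stored):
        return None
    ext = stored[stored.rfind("."):]
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return None
    return stored


def serve_headers(stored_name: str) -> dict:
    """Response headers for serving an accepted upload.

    A structurally valid image can still carry script text; these headers stop
    a browser from sniffing it into HTML or rendering it in the app's origin
    (the image-with-embedded-JavaScript case).
    """
    ext = stored_name[stored_name.rfind("."):]
    mime = {".png": "image/png", ".gif": "image/gif"}.get(ext, "image/jpeg")
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed inputs covering each case named in the thread.
    for page in ("home", "http://attacker.example/shell.txt", "../../etc/passwd"):
        print("include", repr(page), "->", resolve_include(page))
    for name in ("cat.png", "../../etc/passwd", "/etc/passwd"):
        print("download", repr(name), "->", resolve_download(name))
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for fname, body in (("shell.php", b"<?php"), ("shell.php.png", png),
                        ("../../avatar.png", png), ("avatar.png", b"<script>")):
        print("upload", repr(fname), "->", accept_upload(fname, body))
    print(serve_headers("avatar.png"))
```

The allowlist for includes is deliberately a lookup rather than a path check: the application knows at deploy time which templates exist, so there is no reason to let request data select a file system path at all. The download resolver only makes sense when the served files are genuinely user-named; even then the stored files live outside the web root so a successful upload of "avatar.png" is data the server reads and streams, never something the runtime would execute.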