[Owasp-board] OWASP Top 10 ... Done!

Andrew van der Stock vanderaj at owasp.org
Mon Jan 29 20:22:41 UTC 2007


Okay, I've made the changes as suggested and posted it to T10 and -leaders.

Thanks,
Andrew


On 1/29/07 11:10 AM, "Dinis Cruz" <dinis at ddplus.net> wrote:

> I think the issue is malicious code executed on the server (via a PHP include,
> uploaded via a vulnerable function, uploaded directly by a malicious
> developer (or via that developer's compromised access codes), etc...).
> 
> The issue of Unsafe file access is covered by A10 - Failure to Restrict URL
> Access
> 
> And yeah A3 - Malicious File Execution sounds good to me too
> 
> Dinis
> 
> On 1/29/07, Dave Wichers <dave.wichers at owasp.org> wrote:
>> I think this is a good idea and I'm leaning towards: A3 - Malicious File
>> Execution
>> 
>> I don't think Malicious Code Execution is a good name as that crosses over
>> into the Injection flaws area (or could be misinterpreted as such).
>> 
>> Isn't the problem both about remote file execution AND remote file access?
>> i.e., I would hope that reaching in and pulling out a machine's password file
>> because I can include path information in the file download function would
>> fall into this category. And the fact that I can upload a PHP file to
>> execute, or upload an Image File with embedded Javascript and then get that
>> to execute in a victim's browser would both count too, right?
>> 
>> If so, then should the name be 'Unsafe File Access'? Or something like that?
>> 
>> Jeff is in a meeting now but if you have more thoughts on this Dinis, please
>> send so I can discuss with him when he is done with his call.
>> 
>> Thanks, Dave
>> 
>> 
>> From: owasp-board-bounces at lists.owasp.org
>> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
>> Sent: Monday, January 29, 2007 10:13 AM
>> To: owasp-board at lists.owasp.org
>> Subject: Re: [Owasp-board] OWASP Top 10 ... Done!
>> 
>> Hi Dave, I just had a quick chat with Andrew about one medium change (it was
>> quicker to talk than to write)
>> 
>> Basically I asked if we could change A3 - Insecure Remote File Include to A3
>> - Malicious Remote File Execution (or even A3 - Malicious File Execution or
>> even A3 - Malicious Code Execution) since this covers the PHP remote file
>> include issue, XSS/XSD Injections, remote file upload via
>> uploadFile.aspx/uploadFile.jsp and using reflection to invoke .Net/Java
>> classes directly. It also makes reference to the real problem that our web
>> apps today have, that their security (and the surrounding environment)
>> depends on the non-execution of malicious code.
>> 
>> Of course one of the solutions for this is to use Sandboxes that limit what
>> that code can do :)
>> 
>> Jeff, Dave, what do you think? (Andrew was ok with it and (after talking to
>> Jeff today) is able to make these small changes)
>> 
>> I think that the proposed title is a good compromise between Andrew's request
>> to have the PHP remote include in there and my request to have sandbox issue
>> in there (and it affects ALL web apps, so it is not PHP specific).
>> 
>> Sorry for not raising this issue earlier, but I was looking at the proposed new
>> title (which only occurred to me this weekend)
>> 
>> Dinis
>> 
>> 
>> On 1/29/07, Dave Wichers <dave.wichers at owasp.org> wrote:
>> 
>> Andrew,
>> 
>> Excellent job finishing all this up. Looks great. I did one more quick pass
>> through your changes and made a few more minor edits / corrections.
>> 
>> It is attached and I agree it's ready to go.
>> 
>> Jeff/Dinis?
>> 
>> -Dave
>> 
>> -----Original Message-----
>> From: Andrew van der Stock [mailto:vanderaj at aspectsecurity.com]
>> Sent: Monday, January 29, 2007 2:51 AM
>> To: Jeff Williams; Dave Wichers; Dinis Cruz
>> Subject: OWASP Top 10 ... Done!
>> 
>> Hi guys,
>> 
>> I've spent a goodly portion of this weekend going through the Top 10 Dave
>> sent through with a fine tooth comb.
>> 
>> Some of the changes:
>> 
>> * Fixed / resolved all of Dave's comments and yellow text
>> * Replaced some text to be clearer (generally near where Dave's comments
>> were)
>> * Updated graph and tables to adhere to new chapter names and update the
>> stats as per their raw values
>> * Fitted the summary onto a single page
>> * All samples in all 10 chapters actually go somewhere useful
>> * Improved links and references
>> * Added one new section (Vulnerabilities, not attacks) as one comment I got
>> from Jeremiah re: my ToC post to my blog last month, was that the ToC
>> doesn't deal with phishing, identity theft, etc. So I added a section
>> showing how this T10 deals with those sorts of attacks and a few others
>> 
>> Dinis/Jeff/Dave, if you're happy, I'm happy with this draft and I consider
>> it ready to be forwarded to -leaders and the T10 list. Even if it's now not
>> as perfect as it could be, I think we can make further changes during the
>> comments period rather than hanging on to it any longer.
>> 
>> It's time to get this baby out the door!
>> 
>> Thanks,
>> Andrew
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> http://lists.owasp.org/mailman/listinfo/owasp-board
>> 
>> 
>> 
>> 
>> 

