[Owasp-leaders] Zone transfer

Rogan Dawes rogan at dawes.za.net
Fri Jun 11 07:23:36 EDT 2010

On 2010/06/11 1:18 PM, Christian Heinrich wrote:

> The difference between "inherent" risk and "residual" risk is that the
> mitigating controls are considered when measuring the "residual risk"
> only.
> In the context of your SQL injection example, the "inherent" risk and
> "residual" risk can have the same value if both of the following
> controls aren't applied (i.e. applying 1 or 2 would reduce the
> "residual" risk):
> 1. "parameterized statements" are not used *and* the;
> 2. Input from the web browser isn't "escaped" of SQL related
> characters e.g. single quote, etc

OK, but if we start talking about risk, we also have to consider impact.

What is the impact to OWASP of allowing Zone Transfers? Technically, 
nothing, in my opinion, and echoed by other participants in this thread.

That said, if there is some way that we can disable AXFR for OWASP, we 
can short-circuit this entire discussion, and stop people dragging up 
red herrings at every turn.

Even though there is no technical impact to this "finding", we're 
arguing with fools who are beating us with experience (and sheer mass of 

Removing the bait will stop feeding the trolls.

Rogan (who is wondering how many metaphors he mutilated in this mail)

