[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

Dave Wichers dave.wichers at owasp.org
Wed Mar 20 14:16:23 UTC 2013


Well. The web services Top 10 really hasn't gone anywhere unfortunately, so
I think if the Top 10 doesn't say anything about it, it won't get any real
awareness/play.

I would think that if we say anything about application level DOS, we can
include XML issues, and other issues that can lead to app level DOS risks,
including lack of anti-automation as well.

-Dave

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of McGovern, James
Sent: Wednesday, March 20, 2013 9:19 AM
To: Christey, Steven M.; Daniel Clemens; Dennis Groves
Cc: OWASP Leaders; OWASP TopTen
Subject: Re: [Owasp-topten] [Owasp-leaders] OWASP Top 10 Methodology

The usage of XML to sap CPU or expand memory is more about the Web Services
top ten and not the current Top ten. Yes?

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christey, Steven M.
Sent: Wednesday, March 20, 2013 9:11 AM
To: Daniel Clemens; Dennis Groves
Cc: OWASP Leaders; OWASP TopTen
Subject: Re: [Owasp-topten] [Owasp-leaders] OWASP Top 10 Methodology

Regarding application DoS - I don't know if we should be so dismissive of
it.  The commentary I've seen on application DoS is concentrating on
network-based attacks.  There are other resource-consumption vulnerabilities
that are gaining popularity in CVE, such as unrestricted XML entity
expansion a.k.a. "billion laughs" (CWE-776) - memory consumption.   Another
example is algorithmic complexity involving hash collisions that slow down
hash-table lookups, which was all the rage about a year ago - CPU
consumption.  More recently, Ruby and/or Ruby-based applications have been
getting hit with a number of other resource-consumption issues, such as a
memory DoS by forcing the creation of a large number of symbols.

These types of issues are either at the application layer or the
library/framework layer depending on various factors.  Sometimes the
library/framework does not offer any way to restrict the amount of resource
consumption; in other cases, a restriction is available (e.g. as a
configuration option) but the application does not use it.

While I don't know how often these are exploited (and they may be difficult
to detect), or how often they'll be exploited in the future, these kinds of
application DoS issues are becoming popular.  As code-execution vulns get
harder to find, I suspect we will see more of these.  This might not be
enough to merit inclusion in the OWASP Top Ten, but is definitely something
to watch out for.

- Steve


>-----Original Message-----
>From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Daniel Clemens
>Sent: Thursday, March 14, 2013 9:36 PM
>To: Dennis Groves
>Cc: OWASP Leaders; OWASP TopTen
>Subject: Re: [Owasp-topten] [Owasp-leaders] OWASP Top 10 Methodology
>
>
>On Mar 14, 2013, at 3:56 PM, Dennis Groves wrote:
>
>> I don't see how Application DOS could possibly be in the Top 10.
>
>+100; totally agree.
>
>| Daniel Uriah Clemens
>| Packetninjas L.L.C | | http://www.packetninjas.net
>| c. 205.567.6850      | | o. 866.267.8851
>"Moments of sorrow are moments of sobriety"
>
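One defensive control for the XML entity-expansion case (CWE-776) raised in the thread, as an added example that is not code from the list, from OWASP or from any of the posters: a wrapper over Python's stdlib expat parser that refuses internal entity declarations and external entity references before anything is expanded. The function names `parse_restricted` and `is_accepted` and both sample documents are constructed for this example.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares entities this parser refuses to expand."""


def parse_restricted(data: bytes, max_entity_decls: int = 0) -> dict:
    """Parse with expat, aborting on entity declarations before any expansion.
    Expansion (CWE-776) costs memory only once entities are substituted, so
    refusing them at declaration keeps the cost bounded by the input size."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "elements": 0, "entities": 0}

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        state["entities"] += 1
        if state["entities"] > max_entity_decls:
            raise UnsafeXMLError(f"entity declaration refused: {name}")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity refused: {sysid}")  # never fetched

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name
        state["elements"] += 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()
    return {"root": state["root"], "elements": state["elements"]}


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the restrictions, False if refused."""
    try:
        parse_restricted(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed samples: a plain document, and a three-level entity nest in the
# shape of the "billion laughs" pattern (the real one nests far deeper, but
# the first <!ENTITY> already triggers the refusal, so depth is irrelevant).
SAFE_DOC = b"<order><item sku='A-1'/><item sku='A-2'/></order>"
EXPANDING_DOC = b"""<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""
```

The same refusal is what the `defusedxml` package applies to the stdlib parsers, which is the usual packaged option when the application cannot set the restriction itself.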

_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-topten
