[Owasp-leaders] [Owasp-community] OT10 Risks?
jim.manico at owasp.org
Sun Sep 21 21:35:00 UTC 2014
Very interesting, Timur and Eoin. I might be reading this wrong, but it
looks to me that SQL Injection per Mitre is an ....
... *attack pattern* http://capec.mitre.org/data/definitions/66.html
... caused by the *weakness* of lack of neutralization of special
characters http://cwe.mitre.org/data/definitions/89.html
... that *affects many products and services and makes them vulnerable*
So per Mitre, SQL Injection would NOT be a vulnerability, that is
product specific (CVE). SQL Injection per Mitre seems to be an attack.
Per Mitre: An "attack pattern" is an abstraction mechanism to assist in
understanding how an attack against vulnerable cyber-enabled
capabilities is executed.
So I'm thinking that the "classic" OWASP Top Ten is really a mix of
attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a7, a9).
•A2 Broken Authentication and Session Management
•A3 Cross-Site Scripting (XSS)
•A4 Insecure Direct Object References
•A5 Security Misconfiguration
•A6 Sensitive Data Exposure
•A7 Missing Function Level Access Control
•A8 Cross-Site Request Forgery (CSRF)
•A9 Using Components with Known Vulnerabilities
•A10 Unvalidated Redirects and Forwards
And just to make this more confusing, Mitre declares that SQL Injection
is an attack pattern as described above, but considers SQL injection
through Hibernate to be a weakness
http://cwe.mitre.org/data/definitions/564.html which confuses the issue.
This is not so accurate (debatable) but that is beside the point.
:) Query Parametrization does not neutralize special characters, it
pre-compiles the query into a query plan that cannot be modified at
query execution time. :)
On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
> (vulnerability types, meta weaknesses)
> We may take the MITRE approach in order not to invent parallel
> https://cwe.mitre.org (weaknesses, vuln types, ca.
> 700 elements)
> https://cve.mitre.org (vulnerabilities and
> exposures, thousands)
> https://capec.mitre.org (attack patterns)
> The top 41 SANS "Most Dangerous Software Errors"
> https://cwe.mitre.org/top25/index.html
> + 16
> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> Risk != vuln
> Risk is defined as:
> "(Exposure to) the possibility of loss, injury, or other adverse
> or unwelcome circumstance; a chance or situation involving such a
> The result of a weakness being leveraged and unwelcome outcomes.
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
> >> T10 lists does not accurately
> >> reflect the most dangerous "risks" or that it would be better to
> >> name it
> >> differently?
> > The commentary that I received was that the term "risk" did not
> > actually reflect the items on the lists. Folks have told me it
> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
> > I'm not sure what the right answer is here...
> > Aloha,
> > --
> > Jim Manico
> > @Manicode
> > (808) 652-3805
> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> >> T10 lists does not accurately
> >> reflect the most dangerous "risks" or that it would be better
> >> to name it
> >> differently?
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> Email us to enforce secure link with your mail servers (domain).
> This message may contain confidential information - you should handle
> it accordingly.
> This message may contain confidential information and is to be handled accordingly.
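The point made at the top of this thread, that a parameterized query does not "neutralize" special characters but compiles the statement with a placeholder and binds the value afterwards, is illustrated by the following added example. It is not code from the thread or from OWASP; it assumes Python's standard sqlite3 module, an in-memory table with constructed rows, and the classic `' OR '1'='1` payload, and it shows the concatenated lookup being restructured by the payload (and broken by a legitimate apostrophe) while the parameterized lookup treats both as plain data.

```python
import sqlite3

# Constructed sample data, not from the thread: a small in-memory users table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")]

# Attacker-controlled value: closes the string literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable lookup (CWE-89): the value is pasted into the SQL text, so a quote
    inside it changes the statement's structure instead of being compared as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    """Parameterized lookup: the statement is compiled with a placeholder and the
    value is bound afterwards. Nothing is escaped; the value never becomes SQL, so a
    quote inside it is just a character in a string literal being compared."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def demo():
    """Run both lookups against a benign name, the payload, and a name with a quote."""
    conn = make_db()
    results = {
        "concat_benign": lookup_concat(conn, "bob"),
        "concat_payload": lookup_concat(conn, PAYLOAD),  # structure changed: every row returned
        "param_benign": lookup_param(conn, "bob"),
        "param_payload": lookup_param(conn, PAYLOAD),    # compared as a literal name: no match
        "param_quote": lookup_param(conn, "o'brien"),    # legitimate apostrophe in data still works
    }
    try:
        # The same legitimate value breaks the concatenated statement outright.
        results["concat_quote"] = lookup_concat(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        results["concat_quote"] = "OperationalError: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the script prints the six results; the contrast worth noticing is `concat_payload` returning every user and `concat_quote` failing with a syntax error, against `param_payload` returning nothing and `param_quote` returning exactly the user with the apostrophe. The parameterized statement never sees the attacker's quote as SQL, which is why no escaping or character neutralization is involved.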