[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Sun Sep 21 21:35:00 UTC 2014


Very interesting, Timur and Eoin. I might be reading this wrong, but it 
looks to me that SQL Injection per Mitre is an ....

... *attack pattern* http://capec.mitre.org/data/definitions/66.html
... caused by the *weakness* of lack of neutralization of special 
characters http://cwe.mitre.org/data/definitions/89.html *[1]*
... that *effects many products and services and makes them vulnerable* 
http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html

So per Mitre, SQL Injection would NOT be a vulnerability, which is 
product specific (CVE). SQL Injection per Mitre seems to be an attack 
pattern.

Per Mitre: An "attack pattern" is an abstraction mechanism to assist in 
understanding how an attack against vulnerable cyber-enabled 
capabilities is executed.

So I'm thinking that the "classic" OWASP Top Ten is really a mix of 
attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a6, a9).

•A1 Injection
•A2 Broken Authentication and Session Management
•A3 Cross-Site Scripting (XSS)
•A4 Insecure Direct Object References
•A5 Security Misconfiguration
•A6 Sensitive Data Exposure
•A7 Missing Function Level Access Control
•A8 Cross-Site Request Forgery (CSRF)
•A9 Using Components with Known Vulnerabilities
•A10 Unvalidated Redirects and Forwards

And just to make this more confusing, Mitre declares that SQL Injection 
is an attack pattern as described above, but considers SQL injection 
through Hibernate to be a weakness 
http://cwe.mitre.org/data/definitions/564.html which confuses the issue 
for me....

Aloha,
Jim

[1] This is not so accurate (debatable) but that is beside the point. 
:) Query Parametrization does not neutralize special characters, it 
pre-compiles the query into a query plan that cannot be modified at 
query execution time. :)



On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
> (vulnerability types, meta weaknesses)
>
> We may take the MITRE approach in order not to invent parallel 
> terminology.
>
> https://cwe.mitre.org (weaknesses, vuln types, cca 
> 700 elements)
> https://cve.mitre.org (vulnerabilities and 
> exposures, thousands)
> https://capec.mitre.org (attack patterns)
>
>
> The top 41 SANS "Most Dangerous Software Errors"
> https://cwe.mitre.org/top25/index.html
> + 16
> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>
>
> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>     Risk != vuln
>
>     Risk is defined as:
>     "(Exposure to) the possibility of loss, injury, or other adverse
>     or unwelcome circumstance; a chance or situation involving such a
>     possibility."
>
>     The result of a weakness being leveraged and unwelcome outcomes.
>
>
>
>     Eoin Keary
>     Owasp Global Board
>     +353 87 977 2988
>
>
>     On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>
>     >> T10 lists does not accurately
>     >> reflect the most dangerous "risks" or that it would be better to
>     >> name it differently?
>     >
>     > The commentary that I received was that the term "risk" did not
>     > actually reflect the items on the lists. Folks have told me it
>     > should be "vulnerabilities" or "attacks" or "weaknesses" and more.
>     >
>     > I'm not sure what the right answer is here...
>     >
>     > Aloha,
>     > --
>     > Jim Manico
>     > @Manicode
>     > (808) 652-3805
>     >
>     >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>     >>
>     >> T10 lists does not accurately
>     >> reflect the most dangerous "risks" or that it would be better
>     >> to name it differently?
>     > _______________________________________________
>     > OWASP-Leaders mailing list
>     > OWASP-Leaders at lists.owasp.org
>     > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
> Email us to enforce secure link with your mail servers (domain).
> This message may contain confidential information - you should handle 
> it accordingly.
> This message may contain confidential information and should be handled accordingly.
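Jim's footnote above, that query parametrization does not neutralize special characters but compiles the statement before the value is supplied, is easiest to see in running code. The following is an added example and is not code from this thread, from OWASP, or from Mitre; it uses Python's standard sqlite3 module, and the in-memory table and the names in it are constructed for the demonstration. It puts the CWE-89 shape (string concatenation) beside the parameterized form, and also shows that the bound value comes back unmodified, quotes included, so nothing is being escaped or stripped.

```python
import sqlite3


def make_db():
    # Constructed sample data for this demonstration (not from the thread).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    # CWE-89 shape: the caller's string becomes part of the SQL text,
    # so a quote character in it changes the statement's structure.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    # The statement is compiled with a placeholder first; the value is
    # bound afterwards and can only ever be compared as data. Nothing in
    # the value is escaped or removed on the way in.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def echo_param(value):
    # Binding does not "neutralize" anything: the database hands the
    # bound value back byte-for-byte, special characters included.
    conn = sqlite3.connect(":memory:")
    return conn.execute("SELECT ?", (value,)).fetchone()[0]


def demo():
    conn = make_db()
    tautology = "x' OR '1'='1"  # the textbook structure-changing input
    results = {
        "concat_tautology": lookup_concat(conn, tautology),   # every row
        "param_tautology": lookup_param(conn, tautology),     # no row
        "param_apostrophe": lookup_param(conn, "o'brien"),    # exact match
    }
    try:
        results["concat_apostrophe"] = lookup_concat(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        # A legitimate apostrophe breaks the concatenated statement: the
        # same root cause as the injection, surfacing as an ordinary bug.
        results["concat_apostrophe"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
```

The concatenated lookup returns all three users for the tautology and fails outright on the apostrophe in a real name; the parameterized lookup returns nothing for the tautology and the exact row for the apostrophe, with the query plan fixed before the value is ever seen.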
