[Owasp-leaders] [Owasp-community] OT10 Risks?

Eoin Keary eoin.keary at owasp.org
Sun Sep 21 21:37:54 UTC 2014


Attack patterns are only "attack" if there is a vuln? Otherwise they are only character strings? Just sayin


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:

> Very interesting, Timur and Eoin. I might be reading this wrong, but it looks to me that SQL Injection per Mitre is an ....
> 
> ... attack pattern http://capec.mitre.org/data/definitions/66.html
> ... caused by the weakness of lack of neutralization of special characters http://cwe.mitre.org/data/definitions/89.html [1]
> ... that affects many products and services and makes them vulnerable http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
> 
> So per Mitre, SQL Injection would NOT be a vulnerability, which is product-specific (CVE). SQL Injection per Mitre seems to be an attack pattern.
> 
> Per Mitre: An "attack pattern" is an abstraction mechanism to assist in understanding how an attack against vulnerable cyber-enabled capabilities is executed.
> 
> So I'm thinking that the "classic" OWASP Top Ten is really a mix of attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a7, a9).
> 
> •A1 Injection
> •A2 Broken Authentication and Session Management
> •A3 Cross-Site Scripting (XSS)
> •A4 Insecure Direct Object References
> •A5 Security Misconfiguration
> •A6 Sensitive Data Exposure
> •A7 Missing Function Level Access Control
> •A8 Cross-Site Request Forgery (CSRF)
> •A9 Using Components with Known Vulnerabilities
> •A10 Unvalidated Redirects and Forwards
> 
> And just to make this more confusing, Mitre declares that SQL Injection is an attack pattern as described above, but considers SQL injection through Hibernate to be a weakness http://cwe.mitre.org/data/definitions/564.html which confuses the issue for me....
> 
> Aloha,
> Jim
> 
> [1] This is not so accurate (debatable) but that is beside the point. :) Query parameterization does not neutralize special characters; it pre-compiles the query into a query plan that cannot be modified at query execution time. :)
> 
> 
> 
> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>> (vulnerability types, meta weaknesses)
>> 
>> We may take the MITRE approach in order not to invent parallel terminology.
>> 
>> https://cwe.mitre.org (weaknesses, vuln types, approx. 700 elements)
>> https://cve.mitre.org  (vulnerabilities and exposures, thousands)
>> https://capec.mitre.org (attack patterns)
>> 
>> 
>> The top 41 SANS "Most Dangerous Software Errors"
>> https://cwe.mitre.org/top25/index.html
>> + 16
>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>> 
>> 
>> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> Risk != vuln
>>> 
>>> Risk is defined as:
>>> "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."
>>> 
>>> The result of a weakness being leveraged and unwelcome outcomes.
>>> 
>>> 
>>> 
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>> 
>>> 
>>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>> 
>>> >> T10 lists does not accurately
>>> >> reflect the most dangerous "risks" or that it would be better to name it
>>> >> differently?
>>> >
>>> > The commentary that I received was that the term "risk" did not
>>> > actually reflect the items on the lists. Folks have told me it should
>>> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>> >
>>> > I'm not sure what the right answer is here...
>>> >
>>> > Aloha,
>>> > --
>>> > Jim Manico
>>> > @Manicode
>>> > (808) 652-3805
>>> >
>>> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>> >>
>>> >> T10 lists does not accurately
>>> >> reflect the most dangerous "risks" or that it would be better to name it
>>> >> differently?
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
>> 
> 
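The two technical points in the thread, Jim's footnote that a parameterized query keeps the attack string a plain value rather than "neutralizing" characters, and Eoin's remark that an attack pattern is only an attack when a weakness (here CWE-89) is present, as an added example. This is not code from the thread or from MITRE; the users table, the credentials and the function names are constructed for illustration, and the attack string is the classic tautology from CAPEC-66.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
# Carol's password deliberately contains a quote character.
USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "o'neil"),
]

# The CAPEC-66 style attack pattern: close the string literal and append an
# always-true condition. On its own it is just a character string.
INJECTION = "' OR '1'='1"


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """CWE-89: input spliced into the query text. A quote in the input changes
    the structure of the statement, so the attack string becomes live SQL."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Parameterized query: the SQL text is fixed and compiled before the
    values are bound, so the same attack string is only compared against the
    column. No character is escaped or removed on the way in."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def concat_or_error(conn, name, password):
    """Run the concatenating version and report a syntax error as 'error'
    instead of raising, so the quote-in-password case can be compared."""
    try:
        return login_concat(conn, name, password)
    except sqlite3.OperationalError:
        return "error"


def demo():
    """Run both query styles against legitimate input, the attack string and
    a legitimate value containing a quote; return the results by label."""
    conn = make_db()
    results = {
        "legit_concat": login_concat(conn, "alice", "s3cret"),
        "legit_param": login_param(conn, "alice", "s3cret"),
        # Same attack string, two outcomes: with CWE-89 present it is an
        # attack (every row matches); without it, it is just a string.
        "attack_concat": concat_or_error(conn, "alice", INJECTION),
        "attack_param": login_param(conn, "alice", INJECTION),
        # Parameterization is not neutralization: the quote in "o'neil" is
        # passed through intact and matches, while concatenation breaks.
        "quote_concat": concat_or_error(conn, "carol", "o'neil"),
        "quote_param": login_param(conn, "carol", "o'neil"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated statement with the attack string becomes `... AND password = '' OR '1'='1'`, and since AND binds tighter than OR, every row is returned; the parameterized statement compares the literal string `' OR '1'='1` with the password column and matches nothing. The `o'neil` case shows that the parameterized path does not strip or escape the quote at all; the same input that is a syntax error under concatenation is simply a valid value under binding.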