[Owasp-leaders] [Owasp-community] OT10 Risks?

Eoin Keary eoin.keary at owasp.org
Sun Sep 21 22:53:51 UTC 2014


Jim,
Is setting a username to "O'Brien" an attack pattern?


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:

> > Attack patterns are only "attack" if there is a vuln? Otherwise they are only character strings? Just sayin
> 
> From what I am reading, Eoin, an attack pattern (per Mitre) is an ABSTRACT mechanism to describe how one would attack a vulnerable cyber-enabled system.
> 
> A vulnerability would be a weakness in a specific product or service.
> 
> This kind of makes sense to me. I've been reading a lot lately, and most folks mix these terms in various ways, hence my confusion. I get the impression that Mitre is doing this right, but I'm not 100% sure.
> 
> Aloha,
> Jim
> 
> 
>> 
>> 
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>> 
>> 
>> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> Very interesting, Timur and Eoin. I might be reading this wrong, but it looks to me that SQL Injection per Mitre is an ....
>>> 
>>> ... attack pattern http://capec.mitre.org/data/definitions/66.html
>>> ... caused by the weakness of lack of neutralization of special characters http://cwe.mitre.org/data/definitions/89.html [1]
>>> ... that affects many products and services and makes them vulnerable http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>> 
>>> So per Mitre, SQL Injection would NOT be a vulnerability, which is product-specific (CVE). SQL Injection per Mitre seems to be an attack pattern.
>>> 
>>> Per Mitre: An "attack pattern" is an abstraction mechanism to assist in understanding how an attack against vulnerable cyber-enabled capabilities is executed.
>>> 
>>> So I'm thinking that the "classic" OWASP Top Ten is really a mix of attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a7, a9).
>>> 
>>> • A1 Injection
>>> • A2 Broken Authentication and Session Management
>>> • A3 Cross-Site Scripting (XSS)
>>> • A4 Insecure Direct Object References
>>> • A5 Security Misconfiguration
>>> • A6 Sensitive Data Exposure
>>> • A7 Missing Function Level Access Control
>>> • A8 Cross-Site Request Forgery (CSRF)
>>> • A9 Using Components with Known Vulnerabilities
>>> • A10 Unvalidated Redirects and Forwards
>>> 
>>> And just to make this more confusing, Mitre declares that SQL Injection is an attack pattern as described above, but considers SQL injection through Hibernate to be a weakness http://cwe.mitre.org/data/definitions/564.html which confuses the issue for me....
>>> 
>>> Aloha,
>>> Jim
>>> 
>>> [1] This is not so accurate (debatable) but that is beside the point. :) Query Parametrization does not neutralize special characters, it pre-compiles the query into a query plan that cannot be modified at query execution time. :)
>>> 
>>> 
>>> 
>>> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>>> (vulnerability types, meta weaknesses)
>>>> 
>>>> We may take the MITRE approach in order not to invent parallel terminology.
>>>> 
>>>> https://cwe.mitre.org (weaknesses, vuln types, cca 700 elements)
>>>> https://cve.mitre.org  (vulnerabilities and exposures, thousands)
>>>> https://capec.mitre.org (attack patterns)
>>>> 
>>>> 
>>>> The top 41 SANS "Most Dangerous Software Errors"
>>>> https://cwe.mitre.org/top25/index.html
>>>> + 16
>>>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>> 
>>>> 
>>>> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>> Risk != vuln
>>>>> 
>>>>> Risk is defined as:
>>>>> "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."
>>>>> 
>>>>> The result of a weakness being leveraged and unwelcome outcomes.
>>>>> 
>>>>> 
>>>>> 
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>> 
>>>>> 
>>>>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>>> 
>>>>> >> T10 lists does not accurately
>>>>> > reflect the most dangerous "risks" or that it would be better to name it
>>>>> > differently?
>>>>> >
>>>>> > The commentary that I received was that the term "risk" did not
>>>>> > actually reflect the items on the lists. Folks have told me it should
>>>>> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>>> >
>>>>> > I'm not sure what the right answer is here...
>>>>> >
>>>>> > Aloha,
>>>>> > --
>>>>> > Jim Manico
>>>>> > @Manicode
>>>>> > (808) 652-3805
>>>>> >
>>>>> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>> >>
>>>>> >> T10 lists does not accurately
>>>>> >> reflect the most dangerous "risks" or that it would be better to name it
>>>>> >> differently?
>>>>> > _______________________________________________
>>>>> > OWASP-Leaders mailing list
>>>>> > OWASP-Leaders at lists.owasp.org
>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> 
>>>> 
> 
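A worked illustration of the point Jim's footnote [1] and Eoin's "O'Brien" question turn on, added here as example code that is not from the thread: with string concatenation the apostrophe in "O'Brien" becomes part of the SQL text and breaks the statement (the same data/code confusion CWE-89 describes), whereas with a bound parameter the identical string is passed as data, stored verbatim rather than "neutralized", and matched as intended. The sqlite3 in-memory users table and its rows are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data for the example: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    # Bound parameters on insert too: the apostrophe in O'Brien is stored as-is.
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("O'Brien",), ("bob",)])
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the username is spliced into the SQL text.

    Any quote character in the data changes the statement the parser sees;
    for O'Brien the statement is no longer valid SQL and the engine rejects it.
    """
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Returned (not raised) so the caller can see that data became code.
        return ("error", str(exc))


def lookup_parameterized(conn, username):
    """Hardened pattern: the SQL text is fixed, the username is a bound value.

    The statement is compiled once with a placeholder; the value supplied at
    execution time cannot alter the query plan, so no escaping is needed.
    """
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def stored_value(conn, user_id):
    """Show that parameterization did not modify the data: the quote survives."""
    return conn.execute("SELECT username FROM users WHERE id = ?",
                        (user_id,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(lookup_concatenated(db, "O'Brien"))   # ('error', ...): apostrophe broke the SQL
    print(lookup_parameterized(db, "O'Brien"))  # [(2, "O'Brien")]: treated as data
    print(stored_value(db, 2))                  # O'Brien, stored verbatim
```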