[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Sun Sep 21 22:57:35 UTC 2014


Attack patterns, per Mitre, are ABSTRACT descriptions not specific to 
any product, service or application. Plus your example below is not 
exploitable in most situations, so I would say no on multiple levels.

Here is Mitre's description of SQL Injection as an attack pattern. 
https://capec.mitre.org/data/definitions/66.html

I am not saying that Mitre is correct, I am only (trying) to express 
their perspective here.

Aloha,
- Jim




On 9/21/14, 6:53 PM, Eoin Keary wrote:
> Jim,
> Is setting a username to "O'Brien" an attack pattern?
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:
>
>> > Attack patterns are only "attack" if there is a vuln? Otherwise 
>> they are only character strings? Just sayin
>>
>> From what I am reading, Eoin, an attack pattern (per Mitre) is an 
>> ABSTRACT mechanism to describe how one would attack a vulnerable 
>> cyber-enabled system.
>>
>> A vulnerability would be a weakness in a specific product or service.
>>
>> This kind of makes sense to me. I've been reading a lot lately, and 
>> most folks mix these terms in various ways, hence my confusion. I get 
>> the impression that Mitre is doing this right, but I'm not 100% sure.
>>
>> Aloha,
>> Jim
>>
>>
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> Very interesting, Timur and Eoin. I might be reading this wrong, 
>>>> but it looks to me that SQL Injection per Mitre is an ....
>>>>
>>>> ... *attack pattern* http://capec.mitre.org/data/definitions/66.html
>>>> ... caused by the *weakness* of lack of neutralization of special 
>>>> characters http://cwe.mitre.org/data/definitions/89.html *[1]*
>>>> ... that *affects many products and services and makes them 
>>>> vulnerable* 
>>>> http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>>>
>>>> So per Mitre, SQL Injection would NOT be a vulnerability, that is 
>>>> product specific (CVE). SQL Injection per Mitre seems to be an 
>>>> attack pattern.
>>>>
>>>> Per Mitre: An "attack pattern" is an abstraction mechanism to 
>>>> assist in understanding how an attack against vulnerable 
>>>> cyber-enabled capabilities is executed.
>>>>
>>>> So I'm thinking that the "classic" OWASP Top Ten is really a mix of 
>>>> attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, 
>>>> a6, a9).
>>>>
>>>> •A1 Injection
>>>> •A2 Broken Authentication and Session Management
>>>> •A3 Cross-Site Scripting (XSS)
>>>> •A4 Insecure Direct Object References
>>>> •A5 Security Misconfiguration
>>>> •A6 Sensitive Data Exposure
>>>> •A7 Missing Function Level Access Control
>>>> •A8 Cross-Site Request Forgery (CSRF)
>>>> •A9 Using Components with Known Vulnerabilities
>>>> •A10 Unvalidated Redirects and Forwards
>>>>
>>>> And just to make this more confusing, Mitre declares that SQL 
>>>> Injection is an attack pattern as described above, but considers SQL 
>>>> injection through Hibernate to be a weakness 
>>>> http://cwe.mitre.org/data/definitions/564.html which confuses the 
>>>> issue for me...
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>> [1] This is not so accurate (debatable) but that is beside the 
>>>> point. :) Query parametrization does not neutralize special 
>>>> characters; it pre-compiles the query into a query plan that cannot 
>>>> be modified at query execution time. :)
>>>>
>>>>
>>>>
>>>> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>>>> (vulnerability types, meta weaknesses)
>>>>>
>>>>> We may take the MITRE approach in order not to invent parallel 
>>>>> terminology.
>>>>>
>>>>> https://cwe.mitre.org (weaknesses, vuln types, 
>>>>> cca 700 elements)
>>>>> https://cve.mitre.org (vulnerabilities and 
>>>>> exposures, thousands)
>>>>> https://capec.mitre.org (attack patterns)
>>>>>
>>>>>
>>>>> The top 41 SANS "Most Dangerous Software Errors"
>>>>> https://cwe.mitre.org/top25/index.html
>>>>> + 16
>>>>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>>>
>>>>>
>>>>> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>
>>>>>     Risk != vuln
>>>>>
>>>>>     Risk is defined as:
>>>>>     "(Exposure to) the possibility of loss, injury, or other
>>>>>     adverse or unwelcome circumstance; a chance or situation
>>>>>     involving such a possibility."
>>>>>
>>>>>     The result of a weakness being leveraged and unwelcome outcomes.
>>>>>
>>>>>
>>>>>
>>>>>     Eoin Keary
>>>>>     Owasp Global Board
>>>>>     +353 87 977 2988
>>>>>
>>>>>
>>>>>     On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>
>>>>>     >> T10 lists does not accurately reflect the most dangerous "risks"
>>>>>     >> or that it would be better to name it differently?
>>>>>     >
>>>>>     > The commentary that I received was that the term "risk" did not
>>>>>     > actually reflect the items on the lists. Folks have told me it should
>>>>>     > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>>>     >
>>>>>     > I'm not sure what the right answer is here...
>>>>>     >
>>>>>     > Aloha,
>>>>>     > --
>>>>>     > Jim Manico
>>>>>     > @Manicode
>>>>>     > (808) 652-3805
>>>>>     >
>>>>>     >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>     >>
>>>>>     >> T10 lists does not accurately reflect the most dangerous "risks"
>>>>>     >> or that it would be better to name it differently?
>>>>>     > _______________________________________________
>>>>>     > OWASP-Leaders mailing list
>>>>>     > OWASP-Leaders at lists.owasp.org
>>>>>     > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>>
>>>>> Email us to enforce secure link with your mail servers (domain).
>>>>> This message may contain confidential information - you should 
>>>>> handle it accordingly.
>>>>> This letter may contain confidential information and is to be handled as such.
>>>>
>>
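Jim's footnote on query parametrization and Eoin's "O'Brien" question, shown in an added example that is not part of the thread: the users table, the names in it and the two lookup helpers are constructed here, using Python's built-in sqlite3 module.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo; not data from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def lookup_concat(conn, username):
    """Concatenation: the input becomes part of the SQL text the engine parses."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    """Parametrization: the statement is compiled first, then the value is
    bound as data. Nothing in the value is neutralized; it is simply never
    parsed as SQL, so it cannot change the query plan."""
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = make_db()
    results = {}
    # A legitimate surname with an apostrophe breaks the concatenated query:
    # the engine sees 'O' followed by an unterminated string.
    try:
        lookup_concat(conn, "O'Brien")
        results["concat_obrien"] = "ok"
    except sqlite3.OperationalError:
        results["concat_obrien"] = "syntax error"
    # The same name is just a bound value for the parameterized query.
    results["param_obrien"] = lookup_param(conn, "O'Brien")
    # Quotes and keywords inside a bound value are compared literally against
    # the column, not executed, so no row matches.
    results["param_literal"] = lookup_param(conn, "O'Brien' OR 'x'='x")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is the one in the footnote: "O'Brien" is not an attack pattern, it is data, and the parameterized lookup treats it as such without escaping anything.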
