[Owasp-leaders] [Owasp-community] OT10 Risks?

Eoin Keary eoin.keary at owasp.org
Sun Sep 21 23:04:41 UTC 2014


Jim, I've taken down entire financial systems via "or 11".
An attack pattern to a vulnerable system. A string of chars to a non vulnerable one.

I think we are drifting off the point here even though this is interesting.....


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 21 Sep 2014, at 18:57, Jim Manico <jim.manico at owasp.org> wrote:

> Attack patterns, per Mitre, are ABSTRACT descriptions not specific to any product, service or application. Plus your example below is not exploitable in most situations, so I would say no on multiple levels.
> 
> Here is Mitre's description of SQL Injection as an attack pattern. https://capec.mitre.org/data/definitions/66.html
> 
> I am not saying that Mitre is correct, I am only (trying) to express their perspective here.
> 
> Aloha,
> - Jim
> 
> 
> 
> 
> On 9/21/14, 6:53 PM, Eoin Keary wrote:
>> Jim,
>> Is setting a username to "O'Brien" an attack pattern?
>> 
>> 
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>> 
>> 
>> On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>>> > Attack patterns are only "attack" if there is a vuln? Otherwise they are only character strings? Just sayin
>>> 
>>> From what I am reading, Eoin, an attack pattern (per Mitre) is an ABSTRACT mechanism to describe how one would attack a vulnerable cyber-enabled system.
>>> 
>>> A vulnerability would be a weakness in a specific product or service.
>>> 
>>> This kind of makes sense to me. I've been reading a lot lately, and most folks mix these terms in various ways, hence my confusion. I get the impression that Mitre is doing this right, but I'm not 100% sure.
>>> 
>>> Aloha,
>>> Jim
>>> 
>>> 
>>>> 
>>>> 
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>> 
>>>> 
>>>> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>>>> 
>>>>> Very interesting, Timur and Eoin. I might be reading this wrong, but it looks to me that SQL Injection per Mitre is an ....
>>>>> 
>>>>> ... attack pattern http://capec.mitre.org/data/definitions/66.html
>>>>> ... caused by the weakness of lack of neutralization of special characters http://cwe.mitre.org/data/definitions/89.html [1]
>>>>> ... that affects many products and services and makes them vulnerable http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>>>> 
>>>>> So per Mitre, SQL Injection would NOT be a vulnerability, that is product specific (CVE). SQL Injection per Mitre seems to be an attack pattern.
>>>>> 
>>>>> Per Mitre: An "attack pattern" is an abstraction mechanism to assist in understanding how an attack against vulnerable cyber-enabled capabilities is executed.
>>>>> 
>>>>> So I'm thinking that the "classic" OWASP Top Ten is really a mix of attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a7, a9).
>>>>> 
>>>>> • A1 Injection
>>>>> • A2 Broken Authentication and Session Management
>>>>> • A3 Cross-Site Scripting (XSS)
>>>>> • A4 Insecure Direct Object References
>>>>> • A5 Security Misconfiguration
>>>>> • A6 Sensitive Data Exposure
>>>>> • A7 Missing Function Level Access Control
>>>>> • A8 Cross-Site Request Forgery (CSRF)
>>>>> • A9 Using Components with Known Vulnerabilities
>>>>> • A10 Unvalidated Redirects and Forwards
>>>>> 
>>>>> And just to make this more confusing, Mitre declares that SQL Injection is an attack pattern as described above, but considers SQL injection through Hibernate to be a weakness http://cwe.mitre.org/data/definitions/564.html which confuses the issue for me....
>>>>> 
>>>>> Aloha,
>>>>> Jim
>>>>> 
>>>>> [1] This is not so accurate (debatable) but that is beside the point. :) Query parameterization does not neutralize special characters, it pre-compiles the query into a query plan that cannot be modified at query execution time. :)
>>>>> 
>>>>> 
>>>>> 
>>>>> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>>>>> (vulnerability types, meta weaknesses)
>>>>>> 
>>>>>> We may take the MITRE approach in order not to invent parallel terminology.
>>>>>> 
>>>>>> https://cwe.mitre.org (weaknesses, vuln types, ca. 700 elements)
>>>>>> https://cve.mitre.org  (vulnerabilities and exposures, thousands)
>>>>>> https://capec.mitre.org (attack patterns)
>>>>>> 
>>>>>> 
>>>>>> The top 41 SANS "Most Dangerous Software Errors"
>>>>>> https://cwe.mitre.org/top25/index.html
>>>>>> + 16
>>>>>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>>>> 
>>>>>> 
>>>>>> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>>> Risk != vuln
>>>>>>> 
>>>>>>> Risk is defined as:
>>>>>>> "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."
>>>>>>> 
>>>>>>> The result of a weakness being leveraged and unwelcome outcomes.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Eoin Keary
>>>>>>> Owasp Global Board
>>>>>>> +353 87 977 2988
>>>>>>> 
>>>>>>> 
>>>>>>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>> 
>>>>>>> >> T10 lists does not accurately
>>>>>>> > reflect the most dangerous "risks" or that it would be better to name it
>>>>>>> > differently?
>>>>>>> >
>>>>>>> > The commentary that I received was that the term "risk" did not
>>>>>>> > actually reflect the items on the lists. Folks have told me it should
>>>>>>> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>>>>> >
>>>>>>> > I'm not sure what the right answer is here...
>>>>>>> >
>>>>>>> > Aloha,
>>>>>>> > --
>>>>>>> > Jim Manico
>>>>>>> > @Manicode
>>>>>>> > (808) 652-3805
>>>>>>> >
>>>>>>> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>>> >>
>>>>>>> >> T10 lists does not accurately
>>>>>>> >> reflect the most dangerous "risks" or that it would be better to name it
>>>>>>> >> differently?
>>>>>>> > _______________________________________________
>>>>>>> > OWASP-Leaders mailing list
>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>> 
>>>>>> 
>>>>>> Email us to enforce secure link with your mail servers (domain).
>>>>>> This message may contain confidential information - you should handle it accordingly.
>>>>>> (Hungarian:) This message may contain confidential information and is to be handled accordingly.
> 
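Editor's note, added after the thread and not written by any of the participants: the two inputs argued about above ("O'Brien" and an "or 1=1"-style string) behave very differently depending on whether the query is built by string concatenation or compiled with a bound parameter, which is the distinction Jim's footnote [1] makes. The script below runs both inputs through both paths against a constructed in-memory SQLite table (the table, user names and the hostile string are made up for the example; the thread contains no such data). Under concatenation the honest name breaks the statement and the hostile string returns every row; under parameterization both are just values compared against the column.

```python
import sqlite3

# Constructed sample data for the example; not taken from the thread.
SAMPLE_USERS = [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")]

# An ordinary name containing an apostrophe, and a classic tautology payload.
HONEST_INPUT = "O'Brien"
HOSTILE_INPUT = "x' OR 1=1 --"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    """Vulnerable path: the untrusted value becomes part of the SQL text,
    so quotes and comment markers in it change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError as exc:
        # "O'Brien" produces  ... username = 'O'Brien'  which is a syntax error.
        return "SQL error: " + str(exc)


def lookup_param(conn, username):
    """Safe path: the statement is compiled with a placeholder and the value
    is bound afterwards, so it can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def run_demo():
    """Return the result of each input on each path, keyed by (path, input)."""
    conn = make_db()
    results = {}
    for name, func in (("concat", lookup_concat), ("param", lookup_param)):
        for label, value in (("honest", HONEST_INPUT), ("hostile", HOSTILE_INPUT)):
            results[(name, label)] = func(conn, value)
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The concatenated "hostile" case returns all three sample users because the `--` turns the trailing quote into a comment and `OR 1=1` is true for every row; the parameterized case returns nothing, since no user is literally named `x' OR 1=1 --`. Whether the string is an attack or merely "a string of chars" therefore depends entirely on which path the application takes, which is the point Eoin and Jim are circling in the thread.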

