[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Sun Sep 21 23:14:50 UTC 2014


So per Mitre...

You *exploited* a *vulnerability* *in a specific system* using the 
*attack pattern of SQL Injection*.

Per Mitre, a vulnerability is only specific to a system (hence CVE) and 
is not a general definition, per my understanding.

I know this is pedantic, but so is all nomenclature within complex 
systems. :)

So just for the record, I've seen SQL Injection called a Risk, a 
Vulnerability, an Attack Pattern and a Weakness in my Sunday readings. 
Our industry is NOT good at this right now. I'm trying to achieve clarity.

Aloha,
- Jim

On 9/21/14, 7:04 PM, Eoin Keary wrote:
> Jim I've taken down entire financial systems via "or 11".
> An attack pattern to a vulnerable system. A string of chars to a 
> non-vulnerable one.
>
> I think we are drifting off the point here even though this is 
> interesting.....
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 18:57, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>> Attack patterns, per Mitre, are ABSTRACT descriptions not specific to 
>> any product, service or application. Plus your example below is not 
>> exploitable in most situations, so I would say no on multiple levels.
>>
>> Here is Mitre's description of SQL Injection as an attack pattern. 
>> https://capec.mitre.org/data/definitions/66.html
>>
>> I am not saying that Mitre is correct, I am only (trying) to express 
>> their perspective here.
>>
>> Aloha,
>> - Jim
>>
>>
>>
>>
>> On 9/21/14, 6:53 PM, Eoin Keary wrote:
>>> Jim,
>>> Is setting a username to "O'Brien" an attack pattern?
>>>
>>>
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>> On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org 
>>> <mailto:jim.manico at owasp.org>> wrote:
>>>
>>>> > Attack patterns are only "attack" if there is a vuln? Otherwise 
>>>> > they are only character strings? Just sayin
>>>>
>>>> From what I am reading, Eoin, an attack pattern (per Mitre) is an 
>>>> ABSTRACT mechanism to describe how one would attack a vulnerable 
>>>> cyber-enabled system.
>>>>
>>>> A vulnerability would be a weakness in a specific product or service.
>>>>
>>>> This kind of makes sense to me. I've been reading a lot lately, and 
>>>> most folks mix these terms in various ways, hence my confusion. I 
>>>> get the impression that Mitre is doing this right, but I'm not 100% 
>>>> sure.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>>>
>>>>>
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>>
>>>>>
>>>>> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org 
>>>>> <mailto:jim.manico at owasp.org>> wrote:
>>>>>
>>>>>> Very interesting, Timur and Eoin. I might be reading this wrong, 
>>>>>> but it looks to me that SQL Injection per Mitre is an ....
>>>>>>
>>>>>> ... *attack pattern* http://capec.mitre.org/data/definitions/66.html
>>>>>> ... caused by the *weakness* of lack of neutralization of special 
>>>>>> characters http://cwe.mitre.org/data/definitions/89.html *[1]*
>>>>>> ... that *affects many products and services and makes them 
>>>>>> vulnerable* 
>>>>>> http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>>>>>
>>>>>> So per Mitre, SQL Injection would NOT be a vulnerability, that is 
>>>>>> product specific (CVE). SQL Injection per Mitre seems to be an 
>>>>>> attack pattern.
>>>>>>
>>>>>> Per Mitre: An "attack pattern" is an abstraction mechanism to 
>>>>>> assist in understanding how an attack against vulnerable 
>>>>>> cyber-enabled capabilities is executed.
>>>>>>
>>>>>> So I'm thinking that the "classic" OWASP Top Ten is really a mix 
>>>>>> of attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, 
>>>>>> a6, a7, a9).
>>>>>>
>>>>>> •A1 Injection
>>>>>> •A2 Broken Authentication and Session Management
>>>>>> •A3 Cross-Site Scripting (XSS)
>>>>>> •A4 Insecure Direct Object References
>>>>>> •A5 Security Misconfiguration
>>>>>> •A6 Sensitive Data Exposure
>>>>>> •A7 Missing Function Level Access Control
>>>>>> •A8 Cross-Site Request Forgery (CSRF)
>>>>>> •A9 Using Components with Known Vulnerabilities
>>>>>> •A10 Unvalidated Redirects and Forwards
>>>>>>
>>>>>> And just to make this more confusing, Mitre declares that SQL 
>>>>>> Injection is an attack pattern as described above, but considers 
>>>>>> sql injection through hibernate to be a weakness 
>>>>>> http://cwe.mitre.org/data/definitions/564.html which confuses the 
>>>>>> issue for me....
>>>>>>
>>>>>> Aloha,
>>>>>> Jim
>>>>>>
>>>>>> [1] This is not so accurate (debatable) but that is beside the 
>>>>>> point. :) Query Parametrization does not neutralize special 
>>>>>> characters, it pre-compiles the query into a query plan that 
>>>>>> cannot be modified at query execution time. :)
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>>>>>> (vulnerability types, meta weaknesses)
>>>>>>>
>>>>>>> We may take the MITRE approach in order not to invent parallel 
>>>>>>> terminology.
>>>>>>>
>>>>>>> https://cwe.mitre.org (weaknesses, vuln types, cca 700 elements)
>>>>>>> https://cve.mitre.org (vulnerabilities and exposures, thousands)
>>>>>>> https://capec.mitre.org (attack patterns)
>>>>>>>
>>>>>>>
>>>>>>> The top 41 SANS "Most Dangerous Software Errors"
>>>>>>> https://cwe.mitre.org/top25/index.html
>>>>>>> + 16
>>>>>>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary 
>>>>>>> <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>> wrote:
>>>>>>>
>>>>>>>     Risk != vuln
>>>>>>>
>>>>>>>     Risk is defined as:
>>>>>>>     "(Exposure to) the possibility of loss, injury, or other
>>>>>>>     adverse or unwelcome circumstance; a chance or situation
>>>>>>>     involving such a possibility."
>>>>>>>
>>>>>>>     The result of a weakness being leveraged and unwelcome outcomes.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>     Eoin Keary
>>>>>>>     Owasp Global Board
>>>>>>>     +353 87 977 2988
>>>>>>>
>>>>>>>
>>>>>>>     On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org
>>>>>>>     <mailto:jim.manico at owasp.org>> wrote:
>>>>>>>
>>>>>>>     >> T10 lists does not accurately
>>>>>>>     >> reflect the most dangerous "risks" or that it would be
>>>>>>>     >> better to name it differently?
>>>>>>>     >
>>>>>>>     > The commentary that I received was that the term "risk"
>>>>>>>     > did not actually reflect the items on the lists. Folks have
>>>>>>>     > told me it should be "vulnerabilities" or "attacks" or
>>>>>>>     > "weaknesses" and more.
>>>>>>>     >
>>>>>>>     > I'm not sure what the right answer is here...
>>>>>>>     >
>>>>>>>     > Aloha,
>>>>>>>     > --
>>>>>>>     > Jim Manico
>>>>>>>     > @Manicode
>>>>>>>     > (808) 652-3805
>>>>>>>     >
>>>>>>>     >> On Sep 21, 2014, at 4:50 PM, Tobias
>>>>>>>     >> <tobias.gondrom at owasp.org <mailto:tobias.gondrom at owasp.org>>
>>>>>>>     >> wrote:
>>>>>>>     >>
>>>>>>>     >> T10 lists does not accurately
>>>>>>>     >> reflect the most dangerous "risks" or that it would be
>>>>>>>     >> better to name it differently?
>>>>>>>     > _______________________________________________
>>>>>>>     > OWASP-Leaders mailing list
>>>>>>>     > OWASP-Leaders at lists.owasp.org
>>>>>>>     <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>>>     > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Email us to enforce secure link with your mail servers (domain).
>>>>>>> This message may contain confidential information - you should 
>>>>>>> handle it accordingly.
>>>>>>> (In Hungarian: This message may contain confidential information and should be handled as such.)
>>>>>>
>>>>
>>

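The thread keeps circling one concrete case: the same string ("O'Brien", or an injection payload) is either harmless data or an attack depending only on whether the query it meets is built by concatenation (the CWE-89 weakness) or by binding parameters. The script below is an added example, not code from the thread or from any of the participants; it uses Python's standard-library sqlite3 module with an in-memory database and constructed sample rows. It shows the four combinations side by side, and also Jim's footnote point: a bound parameter is not "neutralized" or escaped, the stored value comes back with its apostrophe untouched, because the input never becomes part of the statement text at all.

```python
"""Added example (not from the thread): one input, vulnerable vs. parameterized query."""
import sqlite3

# Constructed sample data for the demo; these are not real accounts.
SAMPLE_USERS = [("alice", "a-secret"), ("O'Brien", "b-secret"), ("carol", "c-secret")]

# Constructed inputs: a legitimate name containing an apostrophe, and a
# classic tautology payload of the kind CAPEC-66 describes. Whether the
# second one is an "attack" depends entirely on the query it meets.
LEGIT_NAME = "O'Brien"
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the throwaway in-memory database used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, secret TEXT NOT NULL)"
    )
    # Rows are inserted with bound parameters, so the apostrophe is stored as-is.
    conn.executemany("INSERT INTO users (username, secret) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form (CWE-89): user input is spliced into the SQL text,
    so any quote character in it changes the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized form: the statement is compiled with a placeholder and
    the value is bound afterwards. Nothing is escaped or neutralized; the
    input simply cannot alter the already-parsed statement."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def run_demo() -> dict:
    """Run all four input/query combinations and return the observations."""
    conn = make_db()
    results = {}

    # 1. A legitimate apostrophe breaks the concatenated query outright:
    #    ... WHERE username = 'O'Brien'  is a syntax error.
    try:
        lookup_concat(conn, LEGIT_NAME)
        results["concat_legit"] = "no error"
    except sqlite3.OperationalError:
        results["concat_legit"] = "OperationalError"

    # 2. The payload turns the concatenated query into
    #    ... WHERE username = '' OR '1'='1'  and every row matches.
    results["concat_payload"] = lookup_concat(conn, PAYLOAD)

    # 3. Bound as a parameter, the apostrophe is just a character in the name.
    results["param_legit"] = lookup_param(conn, LEGIT_NAME)

    # 4. The same payload bound as a parameter matches no username at all.
    results["param_payload"] = lookup_param(conn, PAYLOAD)

    # 5. The stored name is untouched: no character was "neutralized" on the way in.
    results["stored_name"] = conn.execute(
        "SELECT username FROM users WHERE id = 2"
    ).fetchone()[0]

    conn.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it prints one line per observation: the concatenated query fails on "O'Brien" and returns all three rows for the payload, while the parameterized query returns exactly the one row for "O'Brien" and nothing for the payload. The payload string is identical in both cases; only the weakness on the receiving side makes it an exploit.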