[Owasp-leaders] [Owasp-community] OT10 Risks?

Timur 'x' Khrotko (owasp) timur at owasp.org
Sun Sep 21 23:24:04 UTC 2014


Jim, I am absolutely with you!
The AppSec is ruled by practitioners who do not care.)

Scriptkiddies take down systems with ascii strings and without knowing
English.

There are software delivery contracts in the wild that refer to OT10 as a
list of vulnerabilities to avoid - that is a problem, which in part grows
from undefined appsec terms too.


On Mon, Sep 22, 2014 at 1:14 AM, Jim Manico <jim.manico at owasp.org> wrote:

>  So per Mitre...
>
> You *exploited* a *vulnerability in a specific system* using the *attack
> pattern of SQL Injection*.
>
> Per Mitre, a vulnerability is only specific to a system (hence CVE) and is
> not a general definition, per my understanding.
>
> I know this is pedantic, but so is all nomenclature within complex
> systems. :)
>
> So just for the record, I've seen SQL Injection called a Risk, a
> Vulnerability, an Attack Pattern and a Weakness in my Sunday readings. Our
> industry is NOT good at this right now. I'm trying to achieve clarity.
>
> Aloha,
> - Jim
>
>
> On 9/21/14, 7:04 PM, Eoin Keary wrote:
>
> Jim I've taken down entire financial systems via "or 11".
> An attack pattern to a vulnerable system. A string of chars to a non
> vulnerable one.
>
>  I think we are drifting off the point here even though this is
> interesting.....
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 18:57, Jim Manico <jim.manico at owasp.org> wrote:
>
>   Attack patterns, per Mitre, are ABSTRACT descriptions not specific to
> any product, service or application. Plus your example below is not
> exploitable in most situations, so I would say no on multiple levels.
>
> Here is Mitre's description of SQL Injection as an attack pattern.
> https://capec.mitre.org/data/definitions/66.html
>
> I am not saying that Mitre is correct, I am only (trying) to express their
> perspective here.
>
> Aloha,
> - Jim
>
>
>
>
> On 9/21/14, 6:53 PM, Eoin Keary wrote:
>
> Jim,
> Is setting a username to "O'Brien" an attack pattern?
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:
>
>   > Attack patterns are only "attack" if there is a vuln? Otherwise they
> are only character strings? Just sayin
>
> From what I am reading, Eoin, an attack pattern (per Mitre) is an ABSTRACT
> mechanism to describe how one would attack a vulnerable cyber-enabled
> system.
>
> A vulnerability would be a weakness in a specific product or service.
>
> This kind of makes sense to me. I've been reading a lot lately, and most
> folks mix these terms in various ways, hence my confusion. I get the
> impression that Mitre is doing this right, but I'm not 100% sure.
>
> Aloha,
> Jim
>
>
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>
>   Very interesting, Timur and Eoin. I might be reading this wrong, but it
> looks to me that SQL Injection per Mitre is an ....
>
> ... *attack pattern* http://capec.mitre.org/data/definitions/66.html
> ... caused by the *weakness* of lack of neutralization of special
> characters http://cwe.mitre.org/data/definitions/89.html *[1]*
> ... that *affects many products and services and makes them vulnerable*
> http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>
> So per Mitre, SQL Injection would NOT be a vulnerability, that is product
> specific (CVE). SQL Injection per Mitre seems to be an attack pattern.
>
> Per Mitre: An "attack pattern" is an abstraction mechanism to assist in
> understanding how an attack against vulnerable cyber-enabled capabilities
> is executed.
>
> So I'm thinking that the "classic" OWASP Top Ten is really a mix of attack
> patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a6, a9).
>
> • A1 Injection
> • A2 Broken Authentication and Session Management
> • A3 Cross-Site Scripting (XSS)
> • A4 Insecure Direct Object References
> • A5 Security Misconfiguration
> • A6 Sensitive Data Exposure
> • A7 Missing Function Level Access Control
> • A8 Cross-Site Request Forgery (CSRF)
> • A9 Using Components with Known Vulnerabilities
> • A10 Unvalidated Redirects and Forwards
>
> And just to make this more confusing, Mitre declares that SQL Injection is
> an attack pattern as described above, but considers SQL injection through
> Hibernate to be a weakness http://cwe.mitre.org/data/definitions/564.html
> which confuses the issue for me....
>
> Aloha,
> Jim
>
> [1] This is not so accurate (debatable) but that is beside the point. :)
> Query Parametrization does not neutralize special characters, it
> pre-compiles the query into a query plan that cannot be modified at query
> execution time. :)
>
>
>
> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>
>  (vulnerability types, meta weaknesses)
>
>  We may take the MITRE approach in order not to invent parallel
> terminology.
>
>  https://cwe.mitre.org (weaknesses, vuln types, ca. 700 elements)
> https://cve.mitre.org  (vulnerabilities and exposures, thousands)
> https://capec.mitre.org (attack patterns)
>
>
>  The top 41 SANS "Most Dangerous Software Errors"
> https://cwe.mitre.org/top25/index.html
> + 16
> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>
>
>   On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org>
> wrote:
>
>> Risk != vuln
>>
>> Risk is defined as:
>> "(Exposure to) the possibility of loss, injury, or other adverse or
>> unwelcome circumstance; a chance or situation involving such a possibility."
>>
>> The result of a weakness being leveraged and unwelcome outcomes.
>>
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> >> T10 lists does not accurately
>> > reflect the most dangerous "risks" or that it would be better to name it
>> > differently?
>> >
>> > The commentary that I received was that the term "risk" did not
>> > actually reflect the items on the lists. Folks have told me it should
>> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>> >
>> > I'm not sure what the right answer is here...
>> >
>> > Aloha,
>> > --
>> > Jim Manico
>> > @Manicode
>> > (808) 652-3805
>> >
>> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> >>
>> >> T10 lists does not accurately
>> >> reflect the most dangerous "risks" or that it would be better to name
>> it
>> >> differently?
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
> Email us to enforce secure link with your mail servers (domain).
> This message may contain confidential information - you should handle it
> accordingly.
> This message may contain confidential information and should be handled accordingly.
>
>
>
>
>
>

-- 
Email us to enforce secure link with your mail servers (domain).
This message may contain confidential information - you should handle it 
accordingly.
This message may contain confidential information and should be handled accordingly.
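Jim's footnote above (parameterization fixes the statement's structure rather than neutralizing characters) and Eoin's "O'Brien" question, put into runnable form. This is an added example, not code from the thread; the in-memory `users` table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("O'Brien", "user"), ("alice", "admin")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the value is spliced into the SQL text, so an
    apostrophe ends the string literal and the rest becomes SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Parameterized form: the statement is compiled with a placeholder and
    the value is bound afterwards, so it can only ever be compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Runs both forms against the same inputs and reports what happened."""
    conn = make_db()
    results = {}
    try:
        lookup_concat(conn, "O'Brien")
        results["concat_obrien"] = "ok"
    except sqlite3.OperationalError:
        # The stray quote breaks the statement: a plain name is a bug here,
        # not an attack; the same splicing is what an attacker would abuse.
        results["concat_obrien"] = "syntax error"
    results["param_obrien"] = lookup_param(conn, "O'Brien")
    # A value carrying SQL syntax changes the concatenated statement's
    # structure (every row matches) but is just a literal when bound.
    tautology = "x' OR '1'='1"
    results["concat_sql_syntax_value"] = len(lookup_concat(conn, tautology))
    results["param_sql_syntax_value"] = lookup_param(conn, tautology)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```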