[Owasp-leaders] [Owasp-community] OT10 Risks?

Jim Manico jim.manico at owasp.org
Sun Sep 21 23:48:35 UTC 2014


There is no one to blame for this but the entire industry; the problem is 
systemic and I'm not trying to pick on anyone in particular. I am just 
seeking clarity and I might very well be wrong!

So back to Eoin's example, I think the full description would be:

You *exploited* a *vulnerability* *in a specific system* using the 
*attack pattern of SQL Injection*. Apparently, there was a *weakness* 
in the system you were reviewing where query parametrization or other 
defenses were not in place.

Aloha,
Jim


On 9/21/14, 7:24 PM, Timur 'x' Khrotko (owasp) wrote:
> Jim, I am absolutely with you!
> AppSec is ruled by practitioners who do not care. :)
>
> Script kiddies take down systems with ASCII strings and without knowing 
> English.
>
> There are software delivery contracts in the wild that refer to OT10 
> as a list of vulnerabilities to avoid - that is a problem, which in 
> part grows from undefined AppSec terms too.
>
>
> On Mon, Sep 22, 2014 at 1:14 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>     So per Mitre...
>
>     You *exploited* a *vulnerability* *in a specific system*
>     using the *attack pattern of SQL Injection*.
>
>     Per Mitre, a vulnerability is only specific to a system (hence
>     CVE) and is not a general definition, per my understanding.
>
>     I know this is pedantic, but so is all nomenclature within complex
>     systems. :)
>
>     So just for the record, I've seen SQL Injection called a Risk, a
>     Vulnerability, an Attack Pattern and a Weakness in my Sunday
>     readings. Our industry is NOT good at this right now. I'm trying
>     to achieve clarity.
>
>     Aloha,
>     - Jim
>
>
>     On 9/21/14, 7:04 PM, Eoin Keary wrote:
>>     Jim, I've taken down entire financial systems via "or 11".
>>     An attack pattern to a vulnerable system. A string of chars to a
>>     non-vulnerable one.
>>
>>     I think we are drifting off the point here even though this is
>>     interesting.....
>>
>>
>>     Eoin Keary
>>     Owasp Global Board
>>     +353 87 977 2988
>>
>>
>>     On 21 Sep 2014, at 18:57, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>>     Attack patterns, per Mitre, are ABSTRACT descriptions not
>>>     specific to any product, service or application. Plus your
>>>     example below is not exploitable in most situations, so I would
>>>     say no on multiple levels.
>>>
>>>     Here is Mitre's description of SQL Injection as an attack
>>>     pattern. https://capec.mitre.org/data/definitions/66.html
>>>
>>>     I am not saying that Mitre is correct, I am only (trying) to
>>>     express their perspective here.
>>>
>>>     Aloha,
>>>     - Jim
>>>
>>>
>>>
>>>
>>>     On 9/21/14, 6:53 PM, Eoin Keary wrote:
>>>>     Jim,
>>>>     Is setting a username to "O'Brien" an attack pattern?
>>>>
>>>>
>>>>     Eoin Keary
>>>>     Owasp Global Board
>>>>     +353 87 977 2988
>>>>
>>>>
>>>>     On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>>>     > Attack patterns are only "attack" if there is a vuln?
>>>>>     > Otherwise they are only character strings? Just sayin
>>>>>
>>>>>     From what I am reading, Eoin, an attack pattern (per Mitre) is
>>>>>     an ABSTRACT mechanism to describe how one would attack a
>>>>>     vulnerable cyber-enabled system.
>>>>>
>>>>>     A vulnerability would be a weakness in a specific product or
>>>>>     service.
>>>>>
>>>>>     This kind of makes sense to me. I've been reading a lot
>>>>>     lately, and most folks mix these terms in various ways, hence
>>>>>     my confusion. I get the impression that Mitre is doing this
>>>>>     right, but I'm not 100% sure.
>>>>>
>>>>>     Aloha,
>>>>>     Jim
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>     Eoin Keary
>>>>>>     Owasp Global Board
>>>>>>     +353 87 977 2988
>>>>>>
>>>>>>
>>>>>>     On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>>     Very interesting, Timur and Eoin. I might be reading this
>>>>>>>     wrong, but it looks to me that SQL Injection per Mitre is an
>>>>>>>     ....
>>>>>>>
>>>>>>>     ... *attack pattern*
>>>>>>>     http://capec.mitre.org/data/definitions/66.html
>>>>>>>     ... caused by the *weakness* of lack of neutralization of
>>>>>>>     special characters
>>>>>>>     http://cwe.mitre.org/data/definitions/89.html *[1]*
>>>>>>>     ... that *affects many products and services and makes them
>>>>>>>     vulnerable*
>>>>>>>     http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>>>>>>
>>>>>>>     So per Mitre, SQL Injection would NOT be a vulnerability,
>>>>>>>     that is product specific (CVE). SQL Injection per Mitre
>>>>>>>     seems to be an attack pattern.
>>>>>>>
>>>>>>>     Per Mitre: An "attack pattern" is an abstraction mechanism
>>>>>>>     to assist in understanding how an attack against vulnerable
>>>>>>>     cyber-enabled capabilities is executed.
>>>>>>>
>>>>>>>     So I'm thinking that the "classic" OWASP Top Ten is really a
>>>>>>>     mix of attack patterns (a1, a3, a8, a10) and weaknesses (a2,
>>>>>>>     a4, a5, a6, a7, a9).
>>>>>>>
>>>>>>>     •A1 Injection
>>>>>>>     •A2 Broken Authentication and Session Management
>>>>>>>     •A3 Cross-Site Scripting (XSS)
>>>>>>>     •A4 Insecure Direct Object References
>>>>>>>     •A5 Security Misconfiguration
>>>>>>>     •A6 Sensitive Data Exposure
>>>>>>>     •A7 Missing Function Level Access Control
>>>>>>>     •A8 Cross-Site Request Forgery (CSRF)
>>>>>>>     •A9 Using Components with Known Vulnerabilities
>>>>>>>     •A10 Unvalidated Redirects and Forwards
>>>>>>>
>>>>>>>     And just to make this more confusing, Mitre declares that
>>>>>>>     SQL Injection is an attack pattern as described above, but
>>>>>>>     considers SQL injection through Hibernate to be a weakness
>>>>>>>     http://cwe.mitre.org/data/definitions/564.html which
>>>>>>>     confuses the issue for me....
>>>>>>>
>>>>>>>     Aloha,
>>>>>>>     Jim
>>>>>>>
>>>>>>>     [1] This is not so accurate (debatable) but that is beside
>>>>>>>     the point. :) Query Parametrization does not neutralize
>>>>>>>     special characters; it pre-compiles the query into a query
>>>>>>>     plan that cannot be modified at query execution time. :)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>     On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>>>>>>>     (vulnerability types, meta weaknesses)
>>>>>>>>
>>>>>>>>     We may take the MITRE approach in order not to invent
>>>>>>>>     parallel terminology.
>>>>>>>>
>>>>>>>>     https://cwe.mitre.org (weaknesses, vuln
>>>>>>>>     types, ca. 700 elements)
>>>>>>>>     https://cve.mitre.org (vulnerabilities
>>>>>>>>     and exposures, thousands)
>>>>>>>>     https://capec.mitre.org (attack patterns)
>>>>>>>>
>>>>>>>>
>>>>>>>>     The top 41 SANS "Most Dangerous Software Errors"
>>>>>>>>     https://cwe.mitre.org/top25/index.html
>>>>>>>>     + 16
>>>>>>>>     https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>>>>>>
>>>>>>>>
>>>>>>>>     On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary
>>>>>>>>     <eoin.keary at owasp.org> wrote:
>>>>>>>>
>>>>>>>>         Risk != vuln
>>>>>>>>
>>>>>>>>         Risk is defined as:
>>>>>>>>         "(Exposure to) the possibility of loss, injury, or
>>>>>>>>         other adverse or unwelcome circumstance; a chance or
>>>>>>>>         situation involving such a possibility."
>>>>>>>>
>>>>>>>>         The result of a weakness being leveraged and unwelcome
>>>>>>>>         outcomes.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>         Eoin Keary
>>>>>>>>         Owasp Global Board
>>>>>>>>         +353 87 977 2988
>>>>>>>>
>>>>>>>>
>>>>>>>>         On 21 Sep 2014, at 16:53, Jim Manico
>>>>>>>>         <jim.manico at owasp.org> wrote:
>>>>>>>>
>>>>>>>>         >> T10 lists does not accurately
>>>>>>>>         >> reflect the most dangerous "risks" or that it would
>>>>>>>>         >> be better to name it
>>>>>>>>         >> differently?
>>>>>>>>         >
>>>>>>>>         > The commentary that I received was that the term
>>>>>>>>         > "risk" did not
>>>>>>>>         > actually reflect the items on the lists. Folks have
>>>>>>>>         > told me it should
>>>>>>>>         > be "vulnerabilities" or "attacks" or "weaknesses" and
>>>>>>>>         > more.
>>>>>>>>         >
>>>>>>>>         > I'm not sure what the right answer is here...
>>>>>>>>         >
>>>>>>>>         > Aloha,
>>>>>>>>         > --
>>>>>>>>         > Jim Manico
>>>>>>>>         > @Manicode
>>>>>>>>         > (808) 652-3805
>>>>>>>>         >
>>>>>>>>         >> On Sep 21, 2014, at 4:50 PM, Tobias
>>>>>>>>         <tobias.gondrom at owasp.org> wrote:
>>>>>>>>         >>
>>>>>>>>         >> T10 lists does not accurately
>>>>>>>>         >> reflect the most dangerous "risks" or that it would
>>>>>>>>         >> be better to name it
>>>>>>>>         >> differently?
>>>>>>>>         > _______________________________________________
>>>>>>>>         > OWASP-Leaders mailing list
>>>>>>>>         > OWASP-Leaders at lists.owasp.org
>>>>>>>>         > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>     Email us to enforce secure link with your mail servers
>>>>>>>>     (domain).
>>>>>>>>     This message may contain confidential information - you
>>>>>>>>     should handle it accordingly.
>>>>>>>>     (Hungarian version of the above: This message may contain
>>>>>>>>     confidential information and should be handled accordingly.)
>>>>>>>
>>>>>
>>>
>
>
>
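The distinction drawn in the thread above (the same string is an attack pattern against a system that has the weakness, and just data against one that does not) and Jim's footnote on query parametrization, as an added Python/sqlite3 example that is not part of the original thread. The users table, its two rows, the O'Brien login from Eoin's question and the CAPEC-66 style payload are all constructed here for illustration:

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("O'Brien", "hunter2")],
    )
    return conn


def login_concat(conn, username, password):
    """The weakness (CWE-89 style): user input is spliced into the SQL text,
    so the input can change the *structure* of the statement, not just a value."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        rows = [r[0] for r in conn.execute(sql)]
    except sqlite3.Error as exc:
        # A legitimate apostrophe breaks the statement here: a bug, not an attack.
        return {"ok": False, "rows": [], "error": str(exc)}
    return {"ok": True, "rows": rows, "error": None}


def login_param(conn, username, password):
    """The defense from the footnote: the statement is parsed with '?' placeholders
    first and the values are bound afterwards, so no value can alter the plan.
    Nothing here 'neutralizes' the apostrophe; it simply never reaches the parser."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    rows = [r[0] for r in conn.execute(sql, (username, password))]
    return {"ok": True, "rows": rows, "error": None}


# Three inputs, the same against both query builders (all constructed here).
NORMAL = ("alice", "s3cret")                 # ordinary login
OBRIEN = ("O'Brien", "hunter2")              # legitimate name containing a quote
INJECTION = ("' OR '1'='1' --", "anything")  # CAPEC-66 style authentication bypass


def run_demo():
    """Return the outcome of each input against both query builders."""
    conn = make_db()
    results = {}
    for label, creds in (("normal", NORMAL), ("obrien", OBRIEN), ("injection", INJECTION)):
        results[label] = {
            "concat": login_concat(conn, *creds),
            "param": login_param(conn, *creds),
        }
    conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

Against the concatenating version, O'Brien cannot log in (syntax error) while the injection string returns every user; against the parametrized version, O'Brien logs in normally and the injection string is merely a username that does not exist. The weakness lives in how the query is built, not in the string.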
