[Owasp-leaders] [Owasp-community] OT10 Risks?

Rahim Jina rahim.jina at owasp.org
Mon Sep 22 00:18:24 UTC 2014


Don't try to sugar-coat it Jim

Eoin's a scriptkiddy through and through

Sent from my iPhone

> On 21 Sep 2014, at 19:48, Jim Manico <jim.manico at owasp.org> wrote:
> 
> There is no-one to blame for this but the entire industry; the problem is systemic and I'm not trying to pick on anyone in particular. I am just seeking clarity and I might very well be wrong!
> 
> So back to Eoin's example, I think the full description would be:
> 
> You exploited a vulnerability in a specific system using the attack pattern of SQL Injection. Apparently, there was a weakness in the system you were reviewing where query parametrization or other defenses were not in place.
> 
> Aloha,
> Jim
> 
> 
>> On 9/21/14, 7:24 PM, Timur 'x' Khrotko (owasp) wrote:
>> Jim, I am absolutely with you! 
>> The AppSec is ruled by practitioners who do not care.)
>> 
>> Scriptkiddies take down systems with ascii strings and without knowing English.
>> 
>> There are software delivery contracts in the wild that refer to OT10 as a list of vulnerabilities to avoid - that is a problem, which in part grows from undefined appsec terms too.
>> 
>> 
>>> On Mon, Sep 22, 2014 at 1:14 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> So per Mitre...
>>> 
>>> You exploited a vulnerability in a specific system using the attack pattern of SQL Injection.
>>> 
>>> Per Mitre, a vulnerability is only specific to a system (hence CVE) and is not a general definition, per my understanding.
>>> 
>>> I know this is pedantic, but so is all nomenclature within complex systems. :)
>>> 
>>> So just for the record, I've seen SQL Injection called a Risk, a Vulnerability, an Attack Pattern and a Weakness in my Sunday readings. Our industry is NOT good at this right now. I'm trying to achieve clarity.
>>> 
>>> Aloha,
>>> - Jim
>>> 
>>> 
>>>> On 9/21/14, 7:04 PM, Eoin Keary wrote:
>>>> Jim I've taken down entire financial systems via "or 11".
>>>> An attack pattern to a vulnerable system. A string of chars to a non vulnerable one.
>>>> 
>>>> I think we are drifting off the point here even though this is interesting.....
>>>> 
>>>> 
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>> 
>>>> 
>>>> On 21 Sep 2014, at 18:57, Jim Manico <jim.manico at owasp.org> wrote:
>>>> 
>>>>> Attack patterns, per Mitre, are ABSTRACT descriptions not specific to any product, service or application. Plus your example below is not exploitable in most situations, so I would say no on multiple levels.
>>>>> 
>>>>> Here is Mitre's description of SQL Injection as an attack pattern. https://capec.mitre.org/data/definitions/66.html
>>>>> 
>>>>> I am not saying that Mitre is correct, I am only (trying) to express their perspective here.
>>>>> 
>>>>> Aloha,
>>>>> - Jim
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 9/21/14, 6:53 PM, Eoin Keary wrote:
>>>>>> Jim,
>>>>>> Is setting a username to "O'Brien" an attack pattern?
>>>>>> 
>>>>>> 
>>>>>> Eoin Keary
>>>>>> Owasp Global Board
>>>>>> +353 87 977 2988
>>>>>> 
>>>>>> 
>>>>>> On 21 Sep 2014, at 17:41, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>> 
>>>>>>> > Attack patterns are only "attack" if there is a vuln? Otherwise they are only character strings? Just sayin
>>>>>>> 
>>>>>>> From what I am reading, Eoin, an attack pattern (per Mitre) is an ABSTRACT mechanism to describe how one would attack a vulnerable cyber-enabled system.
>>>>>>> 
>>>>>>> A vulnerability would be a weakness in a specific product or service.
>>>>>>> 
>>>>>>> This kind of makes sense to me. I've been reading a lot lately, and most folks mix these terms in various ways, hence my confusion. I get the impression that Mitre is doing this right, but I'm not 100% sure.
>>>>>>> 
>>>>>>> Aloha,
>>>>>>> Jim
>>>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Eoin Keary
>>>>>>>> Owasp Global Board
>>>>>>>> +353 87 977 2988
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 21 Sep 2014, at 17:35, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>> 
>>>>>>>>> Very interesting, Timur and Eoin. I might be reading this wrong, but it looks to me that SQL Injection per Mitre is an ....
>>>>>>>>> 
>>>>>>>>> ... attack pattern http://capec.mitre.org/data/definitions/66.html
>>>>>>>>> ... caused by the weakness of lack of neutralization of special characters http://cwe.mitre.org/data/definitions/89.html [1]
>>>>>>>>> ... that affects many products and services and makes them vulnerable http://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html
>>>>>>>>> 
>>>>>>>>> So per Mitre, SQL Injection would NOT be a vulnerability, that is product specific (CVE). SQL Injection per Mitre seems to be an attack pattern.
>>>>>>>>> 
>>>>>>>>> Per Mitre: An "attack pattern" is an abstraction mechanism to assist in understanding how an attack against vulnerable cyber-enabled capabilities is executed.
>>>>>>>>> 
>>>>>>>>> So I'm thinking that the "classic" OWASP Top Ten is really a mix of attack patterns (a1, a3, a8, a10) and weaknesses (a2, a4, a5, a6, a6, a9).
>>>>>>>>> 
>>>>>>>>> •A1 Injection
>>>>>>>>> •A2 Broken Authentication and Session Management
>>>>>>>>> •A3 Cross-Site Scripting (XSS)
>>>>>>>>> •A4 Insecure Direct Object References
>>>>>>>>> •A5 Security Misconfiguration
>>>>>>>>> •A6 Sensitive Data Exposure
>>>>>>>>> •A7 Missing Function Level Access Control
>>>>>>>>> •A8 Cross-Site Request Forgery (CSRF)
>>>>>>>>> •A9 Using Components with Known Vulnerabilities
>>>>>>>>> •A10 Unvalidated Redirects and Forwards
>>>>>>>>> 
>>>>>>>>> And just to make this more confusing, Mitre declares that SQL Injection is an attack pattern as described above, but considers SQL injection through Hibernate to be a weakness http://cwe.mitre.org/data/definitions/564.html which confuses the issue for me....
>>>>>>>>> 
>>>>>>>>> Aloha,
>>>>>>>>> Jim
>>>>>>>>> 
>>>>>>>>> [1] This is not so accurate (debatable) but that is beside the point. :) Query Parametrization does not neutralize special characters, it pre-compiles the query into a query plan that cannot be modified at query execution time. :)
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> On 9/21/14, 5:11 PM, Timur 'x' Khrotko (owasp) wrote:
>>>>>>>>>> (vulnerability types, meta weaknesses)
>>>>>>>>>> 
>>>>>>>>>> We may take the MITRE approach in order not to invent parallel terminology.
>>>>>>>>>> 
>>>>>>>>>> https://cwe.mitre.org (weaknesses, vuln types, cca 700 elements)
>>>>>>>>>> https://cve.mitre.org  (vulnerabilities and exposures, thousands)
>>>>>>>>>> https://capec.mitre.org (attack patterns)
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> The top 41 SANS "Most Dangerous Software Errors"
>>>>>>>>>> https://cwe.mitre.org/top25/index.html
>>>>>>>>>> + 16
>>>>>>>>>> https://cwe.mitre.org/top25/archive/2011/2011_onthecusp.html
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> On Sun, Sep 21, 2014 at 11:04 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>>>>>>> Risk != vuln
>>>>>>>>>>> 
>>>>>>>>>>> Risk is defined as:
>>>>>>>>>>> "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."
>>>>>>>>>>> 
>>>>>>>>>>> The result of a weakness being leveraged and unwelcome outcomes.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Eoin Keary
>>>>>>>>>>> Owasp Global Board
>>>>>>>>>>> +353 87 977 2988
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> >> T10 lists does not accurately
>>>>>>>>>>> > reflect the most dangerous "risks" or that it would be better to name it
>>>>>>>>>>> > differently?
>>>>>>>>>>> >
>>>>>>>>>>> > The commentary that I received was that the term "risk" did not
>>>>>>>>>>> > actually reflect the items on the lists. Folks have told me it should
>>>>>>>>>>> > be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>>>>>>>>> >
>>>>>>>>>>> > I'm not sure what the right answer is here...
>>>>>>>>>>> >
>>>>>>>>>>> > Aloha,
>>>>>>>>>>> > --
>>>>>>>>>>> > Jim Manico
>>>>>>>>>>> > @Manicode
>>>>>>>>>>> > (808) 652-3805
>>>>>>>>>>> >
>>>>>>>>>>> >> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>>>>>>> >>
>>>>>>>>>>> >> T10 lists does not accurately
>>>>>>>>>>> >> reflect the most dangerous "risks" or that it would be better to name it
>>>>>>>>>>> >> differently?
>>>>>>>>>>> > _______________________________________________
>>>>>>>>>>> > OWASP-Leaders mailing list
>>>>>>>>>>> > OWASP-Leaders at lists.owasp.org
>>>>>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Email us to enforce secure link with your mail servers (domain).
>>>>>>>>>> This message may contain confidential information - you should handle it accordingly.
>>>>>>>>>> This message may contain confidential information and is to be treated as such.
>> 
>> 
> 
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
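Added example (not part of the thread, not OWASP or Mitre code) illustrating the distinction the thread circles around: the same input string is a harmless value against a parametrized query and an attack against a concatenated one, and a legitimate value like Eoin's "O'Brien" breaks the concatenated query without being an attack at all. SQLite is used as a stand-in engine; the table, rows, function names and the tautology payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny users table, including a legitimate
# username that happens to contain a single quote.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, username):
    """Vulnerable form (CWE-89): the value is spliced into the SQL text,
    so the value can change the structure of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Hardened form: the SQL text is fixed and parsed as written; the
    value is bound at execution time and can only ever be a value."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo(username):
    """Run both lookups against a fresh database.

    Returns (concat_result, param_result); concat_result is the row list,
    or an 'error: ...' string if the concatenated SQL failed to parse.
    """
    conn = make_db()
    try:
        concat = lookup_concat(conn, username)
    except sqlite3.Error as exc:
        concat = f"error: {type(exc).__name__}"
    param = lookup_param(conn, username)
    conn.close()
    return concat, param


if __name__ == "__main__":
    # A normal value, a legitimate value with a quote, and a classic
    # tautology payload (constructed input, not taken from the thread).
    for value in ("alice", "O'Brien", "' OR 1=1 --"):
        concat, param = demo(value)
        print(f"{value!r:16} concat={concat!r:60} param={param!r}")
```

Running it shows "O'Brien" producing a syntax error from the concatenated query and a correct single-row match from the parametrized one, while the tautology string returns every row from the concatenated query and no rows from the parametrized one: the string is the same in both cases, and only the presence of the weakness turns it into an attack.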