[Owasp-leaders] [Owasp-community] OT10 Risks?

Josh Sokol josh.sokol at owasp.org
Mon Sep 22 16:57:11 UTC 2014


I agree that Injection and XSS are an attack type.  I can even get behind
the lack of controls as being the actual vulnerability and not the attack
itself.  Doesn't change what I said about risks though.  And in Bill's
example, parameterized queries, input validation, and output encoding would
be considered risk mitigation.

On Mon, Sep 22, 2014 at 11:52 AM, Bill Sempf <bill.sempf at owasp.org> wrote:

> I disagree.
>
> Injection is an attack. Lack of parameterized queries is a vulnerability.
> XSS is also an attack. Poor input validation, poor output encoding are
> vulnerabilities.
>
> Et cetera.
>
> S
>
> On Mon, Sep 22, 2014 at 12:47 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Some more info specific to the Top 10:
>>
>> A1 - Injection - Injection is a vulnerability.  Data theft resulting from
>> injection is a risk.
>> A2 - Broken Auth & Session Mgmt - This is a vulnerability.  An attacker
>> being able to leverage this flaw to authenticate as another user is a risk.
>> A3 - XSS - This is a vulnerability.  Compromise of customer data
>> resulting from exploitation of an XSS vuln is a risk.
>> A4 - Insecure Direct Object Reference - You could make an argument that
>> this is a poorly phrased risk, but mostly a vulnerability.  Risk is that
>> someone can access a page that wasn't intended to be accessed.
>> etc, etc, etc.
>>
>> ~josh
>>
>> On Mon, Sep 22, 2014 at 11:40 AM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>
>>> If you want to get technical, XSS is a vulnerability.  Getting XSS'ed is
>>> exploitation of that vulnerability.  An example of a risk would be the
>>> compromise of customer data resulting from the exploitation of a XSS
>>> vulnerability.
>>>
>>> If anyone is interested in learning more about Risk (and SimpleRisk),
>>> I'm teaching a 1-day class on it at LASCON this year.
>>>
>>> ~josh
>>>
>>> On Sun, Sep 21, 2014 at 4:13 PM, Eoin Keary <eoin.keary at owasp.org>
>>> wrote:
>>>
>>>>
>>>> XSS is not a risk :)  Getting XSS'ed is if you are vulnerable.
>>>>
>>>> It's a top 10 of most common vulns.
>>>> But if you actually did a top 10 (of common vulns)  the top 5 would be
>>>> SSL and security header related and make for slow reading. :)
>>>>
>>>>
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>>
>>>>
>>>> On 21 Sep 2014, at 17:04, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>
>>>> > Risk != vuln
>>>> >
>>>> > Risk is defined as:
>>>> > "(Exposure to) the possibility of loss, injury, or other adverse or
>>>> unwelcome circumstance; a chance or situation involving such a possibility."
>>>> >
>>>> > The result of a weakness being leveraged and unwelcome outcomes.
>>>> >
>>>> >
>>>> >
>>>> > Eoin Keary
>>>> > Owasp Global Board
>>>> > +353 87 977 2988
>>>> >
>>>> >
>>>> > On 21 Sep 2014, at 16:53, Jim Manico <jim.manico at owasp.org> wrote:
>>>> >
>>>> >>> T10 lists does not accurately reflect the most dangerous "risks" or
>>>> >>> that it would be better to name it differently?
>>>> >>
>>>> >> The commentary that I received was that the term "risk" did not
>>>> >> actually reflect the items on the lists. Folks have told me it should
>>>> >> be "vulnerabilities" or "attacks" or "weaknesses" and more.
>>>> >>
>>>> >> I'm not sure what the right answer is here...
>>>> >>
>>>> >> Aloha,
>>>> >> --
>>>> >> Jim Manico
>>>> >> @Manicode
>>>> >> (808) 652-3805
>>>> >>
>>>> >>> On Sep 21, 2014, at 4:50 PM, Tobias <tobias.gondrom at owasp.org>
>>>> wrote:
>>>> >>>
>>>> >>> T10 lists does not accurately reflect the most dangerous "risks" or
>>>> >>> that it would be better to name it differently?
>>>> >> _______________________________________________
>>>> >> OWASP-Leaders mailing list
>>>> >> OWASP-Leaders at lists.owasp.org
>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> > _______________________________________________
>>>> > Owasp-community mailing list
>>>> > Owasp-community at lists.owasp.org
>>>> > https://lists.owasp.org/mailman/listinfo/owasp-community
>>>>
>>>
>>>
>>
>>
>>
>
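The attack / vulnerability / mitigation split that Bill and Josh are arguing over, put into code. This is an added example and not part of any message in the thread: one login query against an in-memory SQLite table, written once by string concatenation (the vulnerability) and once with placeholders (the mitigation), plus the output-encoding counterpart for XSS. The table, the two users and the payload are constructed for the example.

```python
"""Added example (not from the thread): attack vs vulnerability vs mitigation,
shown on one login query against an in-memory SQLite table.

  attack        -> the injected input a caller supplies (INJECTION_PAYLOAD)
  vulnerability -> the query built by string concatenation (login_vulnerable)
  mitigation    -> the parameterized query (login_parameterized) and, for
                   the XSS case, output encoding (render_greeting_encoded)

Table name, user names and passwords are constructed sample data.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one table, two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hunter2", "admin"), ("bob", "letmein", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """The vulnerability: caller input is spliced into the SQL text, so the
    database cannot tell data from query structure."""
    sql = (
        "SELECT name, role FROM users WHERE name = '"
        + name + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    """The mitigation: placeholders bind the input as values; the SQL text
    seen by the engine never changes, whatever the caller sends."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


# The attack: a "password" that closes the string literal, ORs in a
# tautology and comments out the rest of the WHERE clause. Against the
# concatenated query this returns a row without knowing any password;
# against the parameterized query it is just a password nobody has.
INJECTION_PAYLOAD = "' OR 1=1 --"


def render_greeting_unencoded(name: str) -> str:
    """XSS counterpart of the vulnerability: untrusted data written into
    HTML without encoding, so markup in the name becomes markup in the page."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_encoded(name: str) -> str:
    """XSS counterpart of the mitigation: HTML-encode before output, so the
    same input is rendered as text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", INJECTION_PAYLOAD))     # a row comes back
    print(login_parameterized(db, "alice", INJECTION_PAYLOAD))  # None
    print(render_greeting_unencoded("<script>alert(1)</script>"))
    print(render_greeting_encoded("<script>alert(1)</script>"))
```

Run it and the first `print` returns a (name, role) row for a password that matches nothing, which is the exploitation Josh describes; whether that turns into a risk worth tracking depends on what the row grants (here an admin role). The parameterized call returns `None` for the same payload, which is the "lack of parameterized queries" vulnerability removed rather than the attack blocked.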