[Owasp-topten] A1 / A2 Review from Sylvan

Andrew van der Stock vanderaj at owasp.org
Thu Feb 1 11:03:30 EST 2007

As Sylvan is commenting on his blog rather than here, I'm taking the liberty
to re-post his detailed comments here. I've not had a chance to digest his
thoughts as yet. 


"A1. Cross Site Scripting (XSS)

While this is probably the most widespread of attacks against websites, it's
actually just that - an attack or threat. And it falls under the category
(IMO) of Command Injection. Well, okay, to be fair, Cross-site scripting
would imply injecting script from another site into a different one. What we
call Cross-site Scripting is probably more accurately called HTML injection
or script injection. But we stick with the name we're given, which somehow
implies it's a different concern than command injection. This misnaming is
not OWASP's fault. And it's probably not their fault it's mis-classified.

Because it's so serious, maybe it ought to be in its own category...

I agree with the fixes (finally! whitelist, and output filtering!), but the
encoding needs to take place at two levels:

(X)HTML (or whatever presentation format) encoding, meaning encode dynamic
markup into the appropriate entities.

Specify output encoding. It seems this gets lost in the shuffle, but there
are PoCs now for applications that expect or accept one encoding and either
don't specify the output encoding or specify the wrong one.

This is probably as close as we're going to get in a summary document like
the Top 10. And because the whole industry calls it Cross-site Scripting
(even when it's not), the name needs to stay the same so developers can find
solutions. (I'm assuming a search for "Cross-site Scripting" will return a
bunch more hits than "HTML Injection").

A2. Injection Flaws

Injection Flaws is the bucket for all the remaining (not XSS) injection
flaws. This includes SQL, command, LDAP, XSLT, you name it. Because of SQL
injection alone I can see this as #2 on the list. Not necessarily
second-most dangerous, but it can still be found semantically, or with
Google dorks.

Again, the recommendations are almost spot-on. But there's not much detail
they can go into without breaking down the different types of injection. I
really don't like the statement that "validation is still recommended in
order to detect attacks". Validation should be used to determine anything
that isn't what we expect, not to try to find attacks."
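
The two encoding levels named in the quoted review, as an added Python example that is not part of the original post or of any OWASP material. The function names and the sample string are constructed for illustration, and UTF-7 is an assumption chosen here as one case of a client guessing the wrong charset; the post does not name a charset.

```python
import html

MARKUP = "<>&\"'"

def render(user_text, charset="utf-8"):
    """Level 1: entity-encode dynamic text. Level 2: name the charset the
    bytes were written in, so the client does not have to guess."""
    body = "<p>" + html.escape(user_text, quote=True) + "</p>"
    headers = {"Content-Type": "text/html; charset=" + charset}
    return headers, body.encode(charset)

def markup_gained(body, written_as, read_as):
    """Markup characters that exist only when the bytes are decoded with
    read_as instead of the charset they were written in."""
    intended = body.decode(written_as)
    misread = body.decode(read_as, errors="replace")
    return {c for c in MARKUP if misread.count(c) > intended.count(c)}

def declared_charset(headers):
    """Return the charset parameter of Content-Type, or None if absent."""
    for part in headers.get("Content-Type", "").split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.lower() == "charset" and value:
            return value.strip('"').lower()
    return None

# Constructed input: plain ASCII with nothing for the entity encoder to
# touch, yet it reads as <b>bold</b> when the bytes are decoded as UTF-7.
SAMPLE = "+ADw-b+AD4-bold+ADw-/b+AD4-"

if __name__ == "__main__":
    headers, body = render(SAMPLE)
    print(headers)
    print(body)
    print("gained if read as utf-7:",
          sorted(markup_gained(body, "utf-8", "utf-7")))
    print("declared charset:", declared_charset(headers))
```

Entity encoding alone leaves the sample untouched; the explicit `charset` in the header is what prevents the misreading, and `declared_charset` can serve as a response check in tests.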
