[Owasp-topten] Comment on A7 Failure To Restrict URL Access and Insufficient Anti-Automation

Ryan Barnett rcbarnett at gmail.com
Wed Dec 16 17:20:54 EST 2009

This issue was brought previously in the thread on missing Top 10 items - 
Insufficient Anti-Automation.  This weakness allows attacks like brute forcing 
login pages or sessionids, scraping, denial of service (think slowloris types 
of attacks as well).  

My take on this is that Insufficient Anti-Automation defenses and these attacks 
should be covered already under A7 - Failure To Restrict URL Access.  In the 
current Am I Vulnerable/Example sections, we are taking a narrow focus and 
really only highlighting sensitive data URLs that are missing some form of 
access control.  I would highlight the insufficient anti-automation weaknesses 
under A7 and include defensive items such as rate-limiting, CAPTCHAs and 

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security

More information about the Owasp-topten mailing list