[Owasp-topten] Comment on A7 Failure To Restrict URL Access andInsufficient Anti-Automation

McGovern, James F. (eBusiness) James.McGovern at thehartford.com
Thu Dec 17 10:05:12 EST 2009

I agree. Let's take Ryan's narrative and include more descriptively
under A7 

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Ryan Barnett
Sent: Wednesday, December 16, 2009 5:21 PM
To: OWASP-TopTen at lists.owasp.org
Subject: [Owasp-topten] Comment on A7 Failure To Restrict URL Access
andInsufficient Anti-Automation

This issue was brought previously in the thread on missing Top 10 items
- Insufficient Anti-Automation.  This weakness allows attacks like brute
forcing login pages or sessionids, scraping, denial of service (think
slowloris types of attacks as well).  

My take on this is that Insufficient Anti-Automation defenses and these
attacks should be covered already under A7 - Failure To Restrict URL
Access.  In the current Am I Vulnerable/Example sections, we are taking
a narrow focus and really only highlighting sensitive data URLs that are
missing some form of access control.  I would highlight the insufficient
anti-automation weaknesses under A7 and include defensive items such as
rate-limiting, CAPTCHAs and hashcash.  

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader OWASP ModSecurity
Core Rule Set Project Leader Tactical Web Application Security

Owasp-topten mailing list
Owasp-topten at lists.owasp.org
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.

More information about the Owasp-topten mailing list