[Owasp-topten] help

Alinoor Rahman alinoor at islamicdesignhouse.com
Thu Dec 17 12:08:02 EST 2009


_________________
Sent from my iPhone

On 17 Dec 2009, at 17:00, owasp-topten-request at lists.owasp.org wrote:

> Send Owasp-topten mailing list submissions to
>    owasp-topten at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>    https://lists.owasp.org/mailman/listinfo/owasp-topten
> or, via email, send a message with subject or body 'help' to
>    owasp-topten-request at lists.owasp.org
>
> You can reach the person managing the list at
>    owasp-topten-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Owasp-topten digest..."
>
>
> Today's Topics:
>
>   1. Re: Comment on A7 Failure To Restrict URL Access
>      and Insufficient Anti-Automation (McGovern, James F. (eBusiness))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 17 Dec 2009 10:05:12 -0500
> From: "McGovern, James F. (eBusiness)"
>    <James.McGovern at thehartford.com>
> Subject: Re: [Owasp-topten] Comment on A7 Failure To Restrict URL
>    Access and Insufficient Anti-Automation
> To: <owasp-topten at lists.owasp.org>
> Message-ID:
>    <BFD50E79FBE23A4FB6BE93572A6FE287025F2DF5 at AD1HFDEXC312.ad1.prod>
> Content-Type: text/plain; charset="us-ascii"
>
> I agree. Let's take Ryan's narrative and include it more descriptively
> under A7.
>
> -----Original Message-----
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Ryan Barnett
> Sent: Wednesday, December 16, 2009 5:21 PM
> To: OWASP-TopTen at lists.owasp.org
> Subject: [Owasp-topten] Comment on A7 Failure To Restrict URL Access
> and Insufficient Anti-Automation
>
> This issue was brought up previously in the thread on missing Top 10
> items - Insufficient Anti-Automation.  This weakness allows attacks like
> brute forcing login pages or session IDs, scraping, and denial of service
> (think Slowloris types of attacks as well).
>
> My take on this is that Insufficient Anti-Automation defenses and these
> attacks should be covered already under A7 - Failure To Restrict URL
> Access.  In the current Am I Vulnerable/Example sections, we are taking
> a narrow focus and really only highlighting sensitive data URLs that are
> missing some form of access control.  I would highlight the insufficient
> anti-automation weaknesses under A7 and include defensive items such as
> rate-limiting, CAPTCHAs and hashcash.
>
> --
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>
>
> ------------------------------
>
>
>
> End of Owasp-topten Digest, Vol 25, Issue 11
> ********************************************
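Ryan Barnett's message lists hashcash among the anti-automation defenses for A7. As an added example that is not from the list or its authors, here is a hashcash-style proof-of-work check in Python: the client mints a stamp by iterating a counter until the SHA-256 hash of the stamp has the required number of leading zero bits, and the server verifies it with a single hash plus freshness, resource-binding and replay checks. The stamp format, the version marker and the use of SHA-256 are my simplifications and are not the real hashcash v1 format (which uses SHA-1).

```python
"""Hashcash-style proof-of-work for a login form (illustrative simplification)."""
import hashlib
import os
import time
from typing import Optional, Set

STAMP_VERSION = "x"  # constructed marker; real hashcash v1 stamps start with "1"


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (256 for an all-zero SHA-256)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource: str, bits: int, issued: Optional[int] = None) -> str:
    """Client side: expensive. Search a counter until the hash meets the target.
    The resource (e.g. the login URL) must not contain ':' in this format."""
    issued = int(time.time()) if issued is None else issued
    nonce = os.urandom(8).hex()  # makes each stamp unique even for the same second
    counter = 0
    while True:
        stamp = f"{STAMP_VERSION}:{bits}:{issued}:{resource}:{nonce}:{counter}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, bits: int, seen: Set[str],
           now: Optional[int] = None, max_age: int = 300) -> bool:
    """Server side: cheap. One hash, plus the checks that make the stamp useful:
    it is bound to this resource, it is fresh, and it has not been spent before."""
    now = int(time.time()) if now is None else now
    parts = stamp.split(":")
    if len(parts) != 6 or parts[0] != STAMP_VERSION:
        return False
    try:
        claimed_bits, issued = int(parts[1]), int(parts[2])
    except ValueError:
        return False
    if claimed_bits < bits or parts[3] != resource:
        return False  # too cheap a stamp, or minted for a different form
    if not (now - max_age <= issued <= now + 60):
        return False  # stale, or dated in the future beyond clock skew
    if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False  # the work was not actually done
    if stamp in seen:
        return False  # replay: each stamp buys exactly one submission
    seen.add(stamp)   # the seen-set can be pruned once entries exceed max_age
    return True
```

The `seen` set stands in for whatever short-lived store the server uses for spent stamps; the difficulty `bits` is what lets the server tune the per-attempt cost of brute forcing a login page.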

