[Owasp-topten] OWASP Top 10 2009

Raul Siles raul.siles at gmail.com
Fri May 15 05:15:14 EDT 2009


Hello,
Following Tyler's suggestion, I would like to follow up the discussion with
another topic I feel should be added to the list, "Session management
issues".

We can think about the best title for it, but the idea is to reflect all the
security issues around session management in web applications, such as the
lack of more restrictive cookie directives like httponly or secure,
vulnerabilities such as session fixation, the lack of additional protections
against session id duplication (by checking other client details), the bad
habit of allowing http and https interchangeably in different web sections
disclosing session ids (potential overlapping with "Insecure Communications
/ Insufficient Transport Layer Protection"), etc.

On my experience, almost all applications are vulnerable someway to
different session management issues, hence its importance.

Cheers,
--
Raul Siles
www.raulsiles.com


On Thu, May 14, 2009 at 11:47 PM, Tom Brennan - OWASP <tomb at owasp.org>wrote:

> Good point, the persons that point to OWASP's Top 10 are a wide audience
> these days including .gov's, tools and best practice documents.  Dave
> Wichers is the project lead for the 2009 update.
>
> In Portugal our friend at PCI made it clear that OWASP is a ongoing
> valuable reference as well as large industry stake holders such as Darren
> and others that want to share other vuln data in support of what they see
> and track in a agnostic way.
>
> Dave what are you thinking is the revised submission criteria for this next
> round that people on this project/list can help with so we can as a
> professional .org can backup with references as well as hypothesis of under
> reported items new trends etc for the next rev., under the forthcoming grant
> project effort?
>
>
>
>
> \\--------------------------------------------
> Sent from my crackberry, call me and lets discuss the old fashion way at
> 973-202-0122 if you have any questions about this email.
>
> -----Original Message-----
> From: Tyler Reguly <ht at computerdefense.org>
>
> Date: Thu, 14 May 2009 17:29:21
> To: <owasp-topten at lists.owasp.org>
> Subject: [Owasp-topten] OWASP Top 10 2009
>
>
> Hey All,
>
> Somehow I missed the thread on the first round of discussion on OWASP
> Top 10 2009, but I wanted to bring something up that has always
> bothered me slightly about the 2007 list.
>
> The 2007 list seems to "waste" a slot, by having Injection Flaws as a
> large bucket but then splitting out XSS (which is simply another
> injection flaw). I'd like to see that not exist on the next iteration
> of the list and to that point,  the 8 items presented by Jeremiah, in
> the original discussion on this list, resolve this by removing
> injection flaws and inserting SQLi, which means that XSS doesn't
> become repetitive. From a historic stand point... in order to get
> awareness, I think it fit at the time, but now I'm not sure that it's
> needed.
>
> - Cross Site Scripting
> - SQL Injection
> - Insecure Direct Object Reference / Predictable Resources Location
> - Cross Site Request Forgery
> - Clickjacking / UI Redressing
> - Insufficient Authorization
> - Insecure Communications / Insufficient Transport Layer Protection
> - Open URL Redirectors
>
> Since the presented list only contains 8 items, I wanted to bring up
> another point that I think deserves discussion. The 2004 list
> contained A10 - Insecure Configuration Management and discussed items
> such as vulnerable server software. I think this is an important
> point... the removal of this item makes sense if the list is designed
> to target people in pure development roles. In my mind thought it
> removes a critical item that other groups who rely on the Top 10 make
> use of. Owning the system means owning the web app and if the goal is
> to map the "Top 10 biggest security risks to web applications" then I
> think this deserves a spot. Web App Auditors and Web App Security
> Scanners should both be considering this aspect because undoubtedly
> the attackers are going to be. Yet I think the biggest group affected
> by the lack of this item is IT people at SMBs.
>
> Having worked in the IT role at an SMB, I know that it's quite often a
> single person responsible for OS, Software and Web Application
> security and that is only one of their roles. If they are deploying a
> web app and using the Top 10 as a checklist, they are missing a
> critical part of the infrastructure of that application. For that
> reason I'd love to see Insecure Configuration Management (or a
> variation of it) that covers all the underlying infrastructure, not
> just the web server included in the list.
>
> Tyler.
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-topten/attachments/20090515/861c35a4/attachment.html 


More information about the Owasp-topten mailing list