[Owasp-topten] OWASP Top 10 2009

AF owasp at nxtg.net
Fri May 15 07:46:26 EDT 2009


Actually, it seemed to me that class A7 from the 2009 version addressed 
authentication and session management problems. This is at least how I 
have dealt with it internally with developers and architects.

We typically address A7 with two separate threat trees 
(authentication/session threats), of which the "session" tree includes 
countermeasures/controls such as:
- random session identifiers distribution (session ID guessing attacks)
- session identifiers regeneration (session ID fixing attacks)
- session transport channel security level locking (sidejacking attacks)
- session identifiers location awareness (session ID stealing attacks)
- session lifecycle (session replay, session timeout, and incomplete 
session termination)

If I am addressing the wrong issues at the A7 section, then any insight 
would be appreciated. Otherwise, I can't but think that creating a new 
entry for the sole purpose of session management would result in 
confusion due to both entries addressing session management issues.

Cheers,
Antonio Fontes




Raul Siles wrote:
> Hello,
> Following Tyler's suggestion, I would like to follow up the discussion 
> with another topic I feel should be added to the list, "Session 
> management issues".
>
> We can think about the best title for it, but the idea is to reflect 
> all the security issues around session management in web applications, 
> such as the lack of more restrictive cookie directives like httponly 
> or secure, vulnerabilities such as session fixation, the lack of 
> additional protections against session id duplication (by checking 
> other client details), the bad habit of allowing http and https 
> interchangeably in different web sections disclosing session ids 
> (potential overlapping with "Insecure Communications / Insufficient 
> Transport Layer Protection"), etc.
>
> In my experience, almost all applications are vulnerable in some way to 
> different session management issues, hence its importance.
>
> Cheers,
> --
> Raul Siles
> www.raulsiles.com <http://www.raulsiles.com>
>
>
> On Thu, May 14, 2009 at 11:47 PM, Tom Brennan - OWASP <tomb at owasp.org 
> <mailto:tomb at owasp.org>> wrote:
>
>     Good point, the persons that point to OWASP's Top 10 are a wide
>     audience these days including .gov's, tools and best practice
>     documents.  Dave Wichers is the project lead for the 2009 update.
>
>     In Portugal our friend at PCI made it clear that OWASP is an
>     ongoing valuable reference, as well as large industry stakeholders
>     such as Darren and others that want to share other vuln data in
>     support of what they see and track in an agnostic way.
>
>     Dave, what are you thinking is the revised submission criteria for
>     this next round that people on this project/list can help with, so
>     we as a professional .org can back up with references as well
>     as hypotheses of under-reported items, new trends etc. for the next
>     rev., under the forthcoming grant project effort?
>
>
>
>
>     --------------------------------------------
>     Sent from my crackberry, call me and let's discuss the old fashioned
>     way at 973-202-0122 if you have any questions about this email.
>
>     -----Original Message-----
>     From: Tyler Reguly <ht at computerdefense.org
>     <mailto:ht at computerdefense.org>>
>
>     Date: Thu, 14 May 2009 17:29:21
>     To: <owasp-topten at lists.owasp.org
>     <mailto:owasp-topten at lists.owasp.org>>
>     Subject: [Owasp-topten] OWASP Top 10 2009
>
>
>     Hey All,
>
>     Somehow I missed the thread on the first round of discussion on OWASP
>     Top 10 2009, but I wanted to bring something up that has always
>     bothered me slightly about the 2007 list.
>
>     The 2007 list seems to "waste" a slot, by having Injection Flaws as a
>     large bucket but then splitting out XSS (which is simply another
>     injection flaw). I'd like to see that not exist on the next iteration
>     of the list and to that point, the 8 items presented by Jeremiah, in
>     the original discussion on this list, resolve this by removing
>     injection flaws and inserting SQLi, which means that XSS doesn't
>     become repetitive. From a historic standpoint... in order to get
>     awareness, I think it fit at the time, but now I'm not sure that it's
>     needed.
>
>     - Cross Site Scripting
>     - SQL Injection
>     - Insecure Direct Object Reference / Predictable Resources Location
>     - Cross Site Request Forgery
>     - Clickjacking / UI Redressing
>     - Insufficient Authorization
>     - Insecure Communications / Insufficient Transport Layer Protection
>     - Open URL Redirectors
>
>     Since the presented list only contains 8 items, I wanted to bring up
>     another point that I think deserves discussion. The 2004 list
>     contained A10 - Insecure Configuration Management and discussed items
>     such as vulnerable server software. I think this is an important
>     point... the removal of this item makes sense if the list is designed
>     to target people in pure development roles. In my mind though it
>     removes a critical item that other groups who rely on the Top 10 make
>     use of. Owning the system means owning the web app and if the goal is
>     to map the "Top 10 biggest security risks to web applications" then I
>     think this deserves a spot. Web App Auditors and Web App Security
>     Scanners should both be considering this aspect because undoubtedly
>     the attackers are going to be. Yet I think the biggest group affected
>     by the lack of this item is IT people at SMBs.
>
>     Having worked in the IT role at an SMB, I know that it's quite often a
>     single person responsible for OS, Software and Web Application
>     security and that is only one of their roles. If they are deploying a
>     web app and using the Top 10 as a checklist, they are missing a
>     critical part of the infrastructure of that application. For that
>     reason I'd love to see Insecure Configuration Management (or a
>     variation of it) that covers all the underlying infrastructure, not
>     just the web server included in the list.
>
>     Tyler.
>     _______________________________________________
>     Owasp-topten mailing list
>     Owasp-topten at lists.owasp.org <mailto:Owasp-topten at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>
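The session controls Antonio lists (random identifiers, regeneration, channel locking, client binding, lifecycle) and the cookie directives and fixation defence Raul mentions map onto a small amount of server-side logic. The following is an added example written for this archive page, not code from OWASP or from any of the posters; the store, its fingerprint parameter, the timeout values and the cookie name are all constructed assumptions. It keeps sessions in memory and takes an injectable clock so the lifecycle behaviour can be exercised without waiting.

```python
import secrets
from dataclasses import dataclass
from time import time
from typing import Callable, Dict, Optional

# Constructed values: an idle timeout and a hard lifetime. Real deployments
# tune these to the application's risk; the numbers here are illustrative.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session expires
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds after creation after which it expires regardless

COOKIE_NAME = "SESSIONID"     # assumed cookie name


@dataclass
class Session:
    user: Optional[str]       # None while the session is anonymous
    created: float
    last_seen: float
    client_fp: str            # e.g. a hash of User-Agent plus network prefix, chosen by the caller


class SessionStore:
    """In-memory session store implementing the controls discussed in the thread."""

    def __init__(self, now: Callable[[], float] = time):
        self._sessions: Dict[str, Session] = {}
        self._now = now

    @staticmethod
    def _new_id() -> str:
        # 128 bits from the OS CSPRNG: identifiers cannot be guessed or enumerated.
        return secrets.token_urlsafe(16)

    def create(self, client_fp: str, user: Optional[str] = None) -> str:
        sid = self._new_id()
        t = self._now()
        self._sessions[sid] = Session(user, t, t, client_fp)
        return sid

    def lookup(self, sid: str, client_fp: str) -> Optional[Session]:
        """Return the live session for sid, or None (and discard it) if it is invalid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        # Lifecycle: both an idle and an absolute timeout bound replay of an old cookie.
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        # Client binding ("location awareness"): an identifier presented from a
        # different client is treated as stolen and invalidated server-side.
        if not secrets.compare_digest(s.client_fp, client_fp):
            self.destroy(sid)
            return None
        s.last_seen = t
        return s

    def login(self, old_sid: Optional[str], client_fp: str, user: str) -> str:
        """Authenticate: discard the pre-login identifier and issue a fresh one (fixation defence)."""
        if old_sid is not None:
            self.destroy(old_sid)
        return self.create(client_fp, user)

    def logout(self, sid: str) -> None:
        """Complete termination: the identifier is removed, not merely expired client-side."""
        self.destroy(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Cookie directives for the identifier: Secure locks it to HTTPS (sidejacking),
    HttpOnly keeps it out of script, SameSite=Lax limits cross-site sending."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("fp-browser-A")
    authed = store.login(anon, "fp-browser-A", "alice")
    print(set_cookie_header(authed))
    print("old id still valid?", store.lookup(anon, "fp-browser-A") is not None)
```

Each identifier is only ever compared with `secrets.compare_digest` in the client-binding check; dictionary lookup of the id itself is acceptable because the ids are unguessable random tokens, not secrets derived from user data.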