[Owasp-topten] OWASP Top 10 2009

Tyler Reguly ht at computerdefense.org
Mon May 18 12:54:37 EDT 2009


I don't see it as simply a way to create a slot.

While it's true that XSS and SQL Injection are the top two reported
conditions, I don't think that merging them in the OWASP Top 10 will
take away from that or decrease their importance. I think it just
improves the accuracy of the list items.

Again, this only applies, as I said, if you leave A2 as Injection
Flaws.... (which I'd say detracts just as much from SQL Injection as
placing them both in the same bucket would). If A2 were specifically
SQL Injection, then XSS would make much more sense as its own item.

Some logic behind this:
A2 states: "SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery,
XSLT, HTML, XML, OS command injection and many more."

So then why, if I inject these two lines:

<iframe src="http://www.google.ca"></iframe>
<script>alert(1)</script>

would we classify one of them as A1 and the other as A2?

If we look at the entry for A1, we see the following: "Cross-site
scripting, better known as XSS, is in fact a subset of HTML
injection." To me this is just confusing to some developers coming in
and trying to tackle the OWASP Top 10. Why does one of the Top 10 fit
within another one?

To me this goes further to the point that the OWASP Top 10 isn't
necessarily targeted for universal use; it needs some clarification
before casual developers at SMBs, and even some developers at large
businesses, can fully wrap their heads around it.

Maybe the bigger issue here is that the Top 10 varies between specific
attacks (CSRF, XSS) and buckets (Injection Flaws, Broken
Authentication and Session Management).

The SANS Top 20 used to identify the top 10 Windows services and top
10 Unix services with flaws. It has since evolved to the point where I
believe it includes every vulnerability ever released in one of its
20 categories :). They went from 20 specific services to 20 classes of
vulnerabilities (instead of IE being a bullet point, Browser-Based now
is).

Perhaps it's time for the Top 10 to follow that same path? Become a
Top 20 (or two Top 10 lists). One list identifying the top 10 buckets,
the other identifying the top 10 vulnerabilities within those buckets.

Example:

Buckets:
1) Injection Flaws
2) Insecure Communications
3) Broken Authentication and Session Management
4) Insecure Direct Object Reference
5) Insecure System Configuration

Vulnerabilities:
XSS (maps to 1)
SQL Injection (maps to 1)
Path Traversal (maps to 4)
Use of SSL v2 (maps to 2)
Use of Default System Credentials (maps to 5)


I'm not trying to argue the importance of XSS or SQLi, I wouldn't do
that... knowledge of them is extremely important. I'm also not trying
to undermine the Top 10... I believe that it's a great resource. My
goal here is to improve it so that it's accessible to everyone and
make sure it's as clear as possible.

A breakdown between buckets and vulnerabilities may also be beneficial
to businesses with limited resources to target problems. Example:
Injection Flaws covers a lot of ground and issues... but resolving XSS
and SQLi is a huge jump in the right direction and takes significantly
fewer resources than tackling all of the issues it covers. The same is
true if you compare Path Traversal to Insecure Direct Object Reference
as a whole. At this point both become valid reference points, but the
further breakdown allows for identification of the key points.

Tyler.


On Sat, May 16, 2009 at 5:37 PM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> Regarding merging injection and XSS, I really don't think that is a good
> idea. SQL Injection and XSS flaws are always reported separately and
> they are #1 and #2 in reported quantity so burying one inside the same
> bucket with the other would remove the emphasis that is sorely needed to
> keep these two items at the top of people's radar.  So, I don't think
> that is the best way to create a slot.
>
> That said, I agree with your concern about Insecure Configuration
> Management disappearing from the Top 10. This specific topic was brought
> up in Portugal at the OWASP summit so is definitely something we need to
> directly address.
>
> The two proposed options were:
>
> 1) Add it back in to the Top 10 (and there is definitely merit to that),
> and
> 2) Make it clear in each top 10 item that the system needs to be
> configured properly in that area for that area to be performed properly.
>
> Item #1 makes this important issue much more obvious, but there were
> mixed opinions on which of the two paths we should take.
>
> So that is definitely something we need to discuss and resolve.
>
> -Dave
>
> -----Original Message-----
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Tyler Reguly
> Sent: Thursday, May 14, 2009 5:29 PM
> To: owasp-topten at lists.owasp.org
> Subject: [Owasp-topten] OWASP Top 10 2009
>
> Hey All,
>
> Somehow I missed the thread on the first round of discussion on OWASP
> Top 10 2009, but I wanted to bring something up that has always
> bothered me slightly about the 2007 list.
>
> The 2007 list seems to "waste" a slot, by having Injection Flaws as a
> large bucket but then splitting out XSS (which is simply another
> injection flaw). I'd like to see that not exist on the next iteration
> of the list and to that point, the 8 items presented by Jeremiah, in
> the original discussion on this list, resolve this by removing
> injection flaws and inserting SQLi, which means that XSS doesn't
> become repetitive. From a historic standpoint... in order to get
> awareness, I think it fit at the time, but now I'm not sure that it's
> needed.
>
> - Cross Site Scripting
> - SQL Injection
> - Insecure Direct Object Reference / Predictable Resources Location
> - Cross Site Request Forgery
> - Clickjacking / UI Redressing
> - Insufficient Authorization
> - Insecure Communications / Insufficient Transport Layer Protection
> - Open URL Redirectors
>
> Since the presented list only contains 8 items, I wanted to bring up
> another point that I think deserves discussion. The 2004 list
> contained A10 - Insecure Configuration Management and discussed items
> such as vulnerable server software. I think this is an important
> point... the removal of this item makes sense if the list is designed
> to target people in pure development roles. In my mind though it
> removes a critical item that other groups who rely on the Top 10 make
> use of. Owning the system means owning the web app and if the goal is
> to map the "Top 10 biggest security risks to web applications" then I
> think this deserves a spot. Web App Auditors and Web App Security
> Scanners should both be considering this aspect because undoubtedly
> the attackers are going to be. Yet I think the biggest group affected
> by the lack of this item is IT people at SMBs.
>
> Having worked in the IT role at an SMB, I know that it's quite often a
> single person responsible for OS, Software and Web Application
> security and that is only one of their roles. If they are deploying a
> web app and using the Top 10 as a checklist, they are missing a
> critical part of the infrastructure of that application. For that
> reason I'd love to see Insecure Configuration Management (or a
> variation of it), covering all the underlying infrastructure and not
> just the web server, included in the list.
>
> Tyler.
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
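The two payloads Tyler quotes above (the `<iframe>` and the `<script>` lines) make the classification question concrete, so here is an added worked example that is not part of the thread: both lines dropped into the same reflection sink, a small parser-based check that reports whether the result contains injected markup and whether that markup is the script-executing (XSS) subset, and the single output-encoding fix that neutralizes both. The page template, the `name` parameter, the sink functions and the classifier heuristic are all assumptions made for this illustration, not anything from the OWASP Top 10 text.

```python
"""Added example: HTML injection vs. its XSS subset at one reflection sink.

Everything here is constructed for illustration: the page template, the
untrusted `name` parameter and the classifier are assumptions, not code
from the OWASP Top 10 or the mailing-list thread.
"""
import html
from html.parser import HTMLParser

# The two lines quoted in the thread, used as untrusted input.
IFRAME_PAYLOAD = '<iframe src="http://www.google.ca"></iframe>'
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
# A third, constructed payload: no <script> tag, but still executes script.
HANDLER_PAYLOAD = "<img src=x onerror=alert(1)>"

# Assumed page template; `name` lands in an HTML body (text) context.
PAGE_TEMPLATE = "<html><body><p>Hello, {name}!</p></body></html>"
TEMPLATE_TAGS = {"html", "body", "p"}


def render_vulnerable(name: str) -> str:
    """Assumed sink: untrusted input concatenated straight into the HTML."""
    return PAGE_TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """Same sink with entity encoding for the body context.

    html.escape rewrites < > & " ' so the input can never open a new tag;
    that one change covers the iframe, the script and the handler payload
    alike, because all three depend on introducing markup.
    """
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


class _TagCollector(HTMLParser):
    """Collects every start tag (with attributes) the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {k: v for k, v in attrs}))


def classify(rendered: str) -> str:
    """Return 'none', 'html-injection' or 'xss' for a rendered page.

    Heuristic for illustration only: any tag the template does not emit is
    injected markup; a <script> tag or an on* event-handler attribute marks
    the script-executing subset. Real XSS has more vectors (javascript: URLs,
    srcdoc, ...), which is exactly why the two classes are hard to separate.
    """
    collector = _TagCollector()
    collector.feed(rendered)
    foreign = [(t, a) for t, a in collector.tags if t not in TEMPLATE_TAGS]
    if not foreign:
        return "none"
    for tag, attrs in foreign:
        if tag == "script" or any(k.lower().startswith("on") for k in attrs):
            return "xss"
    return "html-injection"


if __name__ == "__main__":
    for label, payload in (("iframe", IFRAME_PAYLOAD),
                           ("script", SCRIPT_PAYLOAD),
                           ("handler", HANDLER_PAYLOAD)):
        print(f"{label:8} vulnerable -> {classify(render_vulnerable(payload))}")
        print(f"{label:8} hardened   -> {classify(render_hardened(payload))}")
```

Run as a script it prints `html-injection` for the iframe line, `xss` for the script and handler lines, and `none` for all three once the sink encodes its output. The encoding shown is correct only for the body/text context assumed here; input placed inside an attribute, a URL or a script block needs the encoding for that context.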

