[Owasp-topten] OWASP Top 10 2009

Ralph Durkee rd at rd1.net
Mon May 18 22:36:06 EDT 2009


I would rather see XSS kept separate from injection attacks.  Although 
there valid points about it being a subset of HTML injection there would 
be a couple of serious losses by merging it in.  As we have been 
educating the community on these attacks to merge something as 
widespread as XSS off the Top 10, I think would cause confusion by it's 
absence.  There are still a lot of security professionals that don't 
understand it's seriousness, and with a quick read may misinterpret its 
loss from the list.  Also, even though it's broadly a type of an 
injection attack the fact that it be run by the browser rather than the 
server, changes the attack and the defense very significantly, so that 
it's helpful to talk about them separately. 

-- 
-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA
Rochester OWASP President


Tyler Reguly wrote:
> I don't see it as simply a way to create a slot.
>
> While it's true that XSS and SQL Injection are the top two reported
> conditions, I don't think that merging them in the OWASP Top 10 will
> take away from that or decrease their importance. I think it just
> improves the accuracy of the list items.
>
> Again, this only applies, as I said, if you leave A2 as Injection
> Flaws.... (which I'd say detracts just as from SQL Injection as
> placing them both in the same bucket would). If A2 were specifically
> SQL Injection, then XSS would make much more sense as it's own item.
>
> Some logic behind this:
> A2 States: "SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery,
> XSLT, HTML, XML, OS command injection and many more."
>
> So then why if I inject these two lines:
>
> <iframe src="http://www.google.ca"></iframe>
> <script>alert(1)</script>
>
> Would we classify one of them as A1 and the other as A2?
>
> If we look at entry for A1, we see the following: "Cross-site
> scripting, better known as XSS, is in fact a subset of HTML
> injection." To me this is just confusing to some developers coming in
> and trying to tackle the OWASP Top 10. Why does one of the Top 10 fit
> within another one?
>
> To me this goes further to the point that the OWASP Top 10 isn't
> necessarily targeted for universal use, it needs some clarification
> before casual developers at SMBs, and even some developers at large
> businesses can fully wrap their heads around it.
>
> Maybe the bigger issue here is that the Top 10 varies between specific
> attacks (CSRF, XSS) and buckets (Injection Flaws, Broken
> Authentication and Session Management).
>
> The SANS Top 20 used to identify the top 10 Windows services and top
> 10 Unix services with flaws. It has since evolved to the point where I
> believe it includes every vulnerability ever released in one of it's
> 20 categories :). They went from 20 specific services to 20 classes of
> vulnerabilities (Instead of IE being a bullet point, Browser-Based now
> is).
>
> Perhaps it's time for the Top 10 to follow that same path? Become a
> Top 20 (or two Top 10 lists). One list identifying the top 10 buckets,
> the other identifying the top 10 vulnerabilities within those buckets.
>
> Example:
>
> Buckets:
> 1) Injection Flaws
> 2) Insecure Communications
> 3) Broken Authentication and Session Management
> 4) Insecure Direct Object Reference
> 5 )Insecure System Configuration
>
> Vulnerabilities:
> XSS (maps to 1)
> SQL Injection (maps to 1)
> Path Traversal (maps to 4)
> Use of SSL v2 (maps to 2)
> Use of Default System Credentials (maps to 5)
>
>
> I'm not trying to argue the importance of XSS or SQLi, I wouldn't do
> that... knowledge of them is extremely important. I'm also not trying
> to undermine the Top 10... I believe that it's a great resource. My
> goal here is to improve it so that it's accessible to everyone and
> make sure it's as clear as possible.
>
> A breakdown between buckets and vulnerabilities may also be beneficial
> to businesses with limited resources to target problems. Example:
> Injection flaws covers a lot of ground and issues... but resolving XSS
> and SQLi is a huge jump in the right direction and takes significantly
> less resources than tackling all of the issues it covers. The same is
> true if you compare Path Traversal to Insecure Direct Object Reference
> as a whole. At this point both become valid reference points, but the
> further breakdown allows for identification of the key points.
>
> Tyler.
>
>
> On Sat, May 16, 2009 at 5:37 PM, Dave Wichers
> <dave.wichers at aspectsecurity.com> wrote:
>   
>> Regarding merging injection and XSS, I really don't think that is a good
>> idea. SQL Injection and XSS flaws are always reported separately and
>> they are #1 and #2 in reported quantity so burying one inside the same
>> bucket with the other would remove the emphasis that is sorely needed to
>> keep these two items at the top of peoples radar.  So, I don't think
>> that is the best way to create a slot.
>>
>> That said, I agree with your concern about Insecure Configuration
>> Management disappearing from the Top 10. This specific topic was brought
>> up in Portugal at the OWASP summit so is definitely something we need to
>> directly address.
>>
>> The two proposed options were:
>>
>> 1) Add it back in to the Top 10 (and there is definitely merit to that),
>> and
>> 2) Make it clear in each top 10 item that the system needs to be
>> configured properly in that area for that area to be performed properly.
>>
>> Item #1 makes this important issue much more obvious, but there were
>> mixed opinions on which of the two paths we should take.
>>
>> So that is definitely something we need to discuss and resolve.
>>
>> -Dave
>>
>> -----Original Message-----
>> From: owasp-topten-bounces at lists.owasp.org
>> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Tyler Reguly
>> Sent: Thursday, May 14, 2009 5:29 PM
>> To: owasp-topten at lists.owasp.org
>> Subject: [Owasp-topten] OWASP Top 10 2009
>>
>> Hey All,
>>
>> Somehow I missed the thread on the first round of discussion on OWASP
>> Top 10 2009, but I wanted to bring something up that has always
>> bothered me slightly about the 2007 list.
>>
>> The 2007 list seems to "waste" a slot, by having Injection Flaws as a
>> large bucket but then splitting out XSS (which is simply another
>> injection flaw). I'd like to see that not exist on the next iteration
>> of the list and to that point,  the 8 items presented by Jeremiah, in
>> the original discussion on this list, resolve this by removing
>> injection flaws and inserting SQLi, which means that XSS doesn't
>> become repetitive. From a historic stand point... in order to get
>> awareness, I think it fit at the time, but now I'm not sure that it's
>> needed.
>>
>> - Cross Site Scripting
>> - SQL Injection
>> - Insecure Direct Object Reference / Predictable Resources Location
>> - Cross Site Request Forgery
>> - Clickjacking / UI Redressing
>> - Insufficient Authorization
>> - Insecure Communications / Insufficient Transport Layer Protection
>> - Open URL Redirectors
>>
>> Since the presented list only contains 8 items, I wanted to bring up
>> another point that I think deserves discussion. The 2004 list
>> contained A10 - Insecure Configuration Management and discussed items
>> such as vulnerable server software. I think this is an important
>> point... the removal of this item makes sense if the list is designed
>> to target people in pure development roles. In my mind thought it
>> removes a critical item that other groups who rely on the Top 10 make
>> use of. Owning the system means owning the web app and if the goal is
>> to map the "Top 10 biggest security risks to web applications" then I
>> think this deserves a spot. Web App Auditors and Web App Security
>> Scanners should both be considering this aspect because undoubtedly
>> the attackers are going to be. Yet I think the biggest group affected
>> by the lack of this item is IT people at SMBs.
>>
>> Having worked in the IT role at an SMB, I know that it's quite often a
>> single person responsible for OS, Software and Web Application
>> security and that is only one of their roles. If they are deploying a
>> web app and using the Top 10 as a checklist, they are missing a
>> critical part of the infrastructure of that application. For that
>> reason I'd love to see Insecure Configuration Management (or a
>> variation of it) that covers all the underlying infrastructure, not
>> just the web server included in the list.
>>
>> Tyler.
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>
>>     
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-topten/attachments/20090518/cce85e14/attachment-0001.html 


More information about the Owasp-topten mailing list