[Owasp-topten] OWASP Top 10 2009

Andre Gironda andre at operations.net
Mon May 18 23:43:32 EDT 2009


On Mon, May 18, 2009 at 7:36 PM, Ralph Durkee <rd at rd1.net> wrote:
> I would rather see XSS kept separate from injection attacks.  Although there
> are valid points about it being a subset of HTML injection, there would be a
> couple of serious losses by merging it in.  As we have been educating the
> community on these attacks, to merge something as widespread as XSS off the
> Top 10, I think, would cause confusion by its absence.  There are still a
> lot of security professionals that don't understand its seriousness, and
> with a quick read may misinterpret its loss from the list.  Also, even
> though it's broadly a type of an injection attack, the fact that it is run by
> the browser rather than the server changes the attack and the defense very
> significantly, so that it's helpful to talk about them separately.

Not to appear like I'm looking for a compromise, but why not put
XSS/XML/JSON/HTML/CSS attacks under content-behavior weaknesses and
SQL/LDAP/XPath under command-injection weaknesses?

To be honest, I could really seriously care less about XSS,
specifically. It's over-hyped.

With the popular platforms of the year being Spring, Struts 2, and
ASP.NET 3.x (unknown how much of this was ASP.NET MVC) - I honestly
think we need to focus on the "Top Ten" looking at what these are
missing. They are, after all, the defining platforms for "web
applications" - I would argue that Rails or PHP are second to Java or
C#.

Defenses missing in popular platforms include: XML encoding, LDAP
parameterization (most pen-testers still confuse LDAPi with SQLi), and
anti-CSRF. XSS is not #1... SQLi is... then CSRF. I believe we would
do the industry a favor by changing these up - showing that "command
injection" is the most serious, followed by request forgeries,
followed by content-behavior injection (i.e. XSS, Clickjacking,
Formjacking, presentation/formatting/behavior attacks).

Here's an idea:
A1 : Command Injection via SQL, HQL, LDAP, XPath, XQuery, SMTP, OS
A2 : Request Forgery - On-Site, Cross-Site, Web Services
A3 : Content-Behavior Injection via HTML, XML, CSS, XSLT, JavaScript,
Ajax, JSON, Flash, Flex, Silverlight, AIR
...
...rest of list

I would be interested in building a bigger list (Top 20?) and fully
fleshing out popular tiers:
1) Client Content Injection - HTML, Flash
2) Client Presentation Injection - CSS
3) Client Behavior Injection - JavaScript, ActionScript
4) Integration Content-Behavior Injection - XML, JSON
5) Integration Presentation Injection - XSLT
etc
Or maybe a Top Ten per Tier? I think the point I'm trying to make is
that a lot of people don't understand the difference between XSS, Java
applet, ActiveX, Flash, Flex/AS3/AMF, or Web 2.0 attacks - let alone
how XSS can come from integration tiers via a presentation layer
technology such as CSS.

Cheers,
Andre
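An added example, not part of the list thread above, illustrating the point that LDAP parameterization is a different defense from SQL escaping: the RFC 4515 filter-value escaping rules beside the SQL-style quote doubling that people trained on SQLi tend to reach for, with a small component-count check so the difference is visible. All function names and the sample input are constructed for this illustration.

```python
# Added example (not from the OWASP thread): LDAP filter escaping per RFC 4515,
# contrasted with SQL-style quote escaping to show why the two defenses are not
# interchangeable. Names and sample inputs are constructed for illustration.

# RFC 4515 section 3: these characters must be encoded as a backslash followed
# by two hex digits when they appear inside a filter assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Encode a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def sql_style_escape(value: str) -> str:
    """The SQL-injection reflex: double single quotes. Does nothing to LDAP metacharacters."""
    return value.replace("'", "''")


def build_uid_filter(username: str, escape) -> str:
    """Build a single-user lookup filter using the supplied escaping function."""
    return "(&(objectClass=person)(uid=%s))" % escape(username)


def assertion_count(ldap_filter: str) -> int:
    """Count unescaped '(' in a filter, i.e. the number of filter components.
    The filter built above should always have exactly 3 (the AND plus two
    assertions); a higher count means user input added components."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip the \XX escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    user_input = "o'brien*(test)"  # constructed: contains SQL and LDAP metacharacters
    for label, fn in (("sql-style", sql_style_escape), ("rfc4515", escape_ldap_filter_value)):
        built = build_uid_filter(user_input, fn)
        print("%-9s -> %s  components=%d" % (label, built, assertion_count(built)))
```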

