[Owasp-topten] OWASP Top 10 2009

Ralph Durkee rd at rd1.net
Tue May 19 06:34:38 EDT 2009

Andre Gironda wrote:
> On Mon, May 18, 2009 at 7:36 PM, Ralph Durkee <rd at rd1.net> wrote:
>> I would rather see XSS kept separate from injection attacks.  Although there are
>> valid points about it being a subset of HTML injection, there would be a
>> couple of serious losses by merging it in.  As we have been educating the
>> community on these attacks, to merge something as widespread as XSS off the
>> Top 10 would, I think, cause confusion by its absence.  There are still a
>> lot of security professionals that don't understand its seriousness, and
>> with a quick read may misinterpret its loss from the list.  Also, even
>> though it's broadly a type of injection attack, the fact that it is run by
>> the browser rather than the server changes the attack and the defense very
>> significantly, so that it's helpful to talk about them separately.
> Not to appear like I'm looking for a compromise, but why not put
> XSS/XML/JSON/HTML/CSS attacks under content-behavior weaknesses and
> SQL/LDAP/XPath under command-injection weaknesses?
> <snip> . . .
> Here's an idea:
> A1 : Command Injection via SQL, HQL, LDAP, XPath, XQuery, SMTP, OS
> A2 : Request Forgery - On-Site, Cross-Site, Web Services
> A3 : Content-Behavior Injection via HTML, XML, CSS, XSLT, Javascript,
> Ajax, JSON, Flash, Flex, Silverlight, AIR
> ...
> ...rest of list
Hmmm....  I think I like it.  At least separating A1 out; I'll have to
think more on A2 and A3, but it seems like a logical division and would
help people understand that the difference is the attack and intent rather
than the interpreter.  I think we are in danger of the Top 10 being a
Top 10 of broad categories of flaws, rather than the Top 10 flaws.  That's
why we dropped input validation from the 2004 list.
