[Owasp-topten] OWASP Top 10 2009
rd at rd1.net
Tue May 19 06:34:38 EDT 2009
Andre Gironda wrote:
> On Mon, May 18, 2009 at 7:36 PM, Ralph Durkee <rd at rd1.net> wrote:
>> I would rather see XSS kept separate from injection attacks. Although there
>> are valid points about it being a subset of HTML injection, there would be a
>> couple of serious losses by merging it in. As we have been educating the
>> community on these attacks, to merge something as widespread as XSS off the
>> Top 10 would, I think, cause confusion by its absence. There are still a
>> lot of security professionals that don't understand its seriousness, and
>> with a quick read may misinterpret its loss from the list. Also, even
>> though it's broadly a type of injection attack, the fact that it is run by
>> the browser rather than the server changes the attack and the defense very
>> significantly, so that it's helpful to talk about them separately.
> Not to appear like I'm looking for a compromise, but why not put
> XSS/XML/JSON/HTML/CSS attacks under content-behavior weaknesses and
> SQL/LDAP/XPath under command-injection weaknesses?
> <snip> . . .
> Here's an idea:
> A1 : Command Injection via SQL, HQL, LDAP, XPath, XQuery, SMTP, OS
> A2 : Request Forgery - On-Site, Cross-Site, Web Services
> Ajax, JSON, Flash, Flex, Silverlight, AIR
> ...rest of list
Hmmm.... I think I like it. At least separating A1 out; I'll have to
think more on A2 and A3, but it seems like a logical division and would
help people understand that the difference is the attack and intent rather
than the interpreter. I think we are in danger of the Top 10 being a
Top 10 of broad categories of flaws, rather than the Top 10 flaws. That's
why we dropped input validation from the 2004 list.