[Owasp-topten] RFI taken out

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Tue Nov 17 12:38:09 EST 2009

It might be true XXS is HTML/JavaScript injection and it will be a good
fit under the injection bucket. Since, as you mention there is good
awareness on it by now, we might not need to have it in a separated

About RFI
In my opinion RFI, LFI, malicious redirects and forwards, malicious
dynamic frame content loading and dynamic content inclusion are all
related. It is just a matter of not validating the source/destination

So maybe we should include them all in "unauthorized user context
change" and have one example for each one, or split it in "Phishing" for
RFI and Redirect and include LFI and Forwards as part of "Insecure
Direct Object Reference" and "Failure to Restrict URL Access" as all
these problems deserve a spot in Top 10 to raise community/industry

What do you think?


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Tyler Reguly
Sent: Martes, 17 de Noviembre de 2009 09:51 a.m.
To: Ty Miller
Cc: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] RFI taken out

>From my point of view, I was fairly neutral on the removal of
"Malicious File Execution" but I would like to continue a statement I'd
made previously on this list. If it continues to deserve a spot on the
list, this is the perfect time to roll XSS into Injection and open up a
spot. After all XSS, at a basic level, is just HTML Injection...
and if we've already got SQL Injection, LDAP Injection and OS Command
Injection, why not bring this one into the injection pile as well?


On Tue, Nov 17, 2009 at 4:55 AM, Ty Miller <tyronmiller at gmail.com>
> Hey guys,
> You know this comment would be coming (if it hasn't already and I 
> missed it) ... But, here goes ... and to put it clearly so there are 
> no misunderstandings ...
> "What were you guys smoking when you took RFI out of the top 10???"
> I understand that RFI mainly affects php about 99.99% of the time, but

> this vuln is out there and organisations are getting smashed with it.
> I am the CTO of a pen testing company who also does digital forensics 
> when clients ring up in a panic saying "OMG, we've been hacked! What 
> do we do?"
> The top two ways that organisations were being hacked via their web 
> apps that we saw was SQLi followed very closely by RFI.
> I was expecting this vuln to be moved up the ranks, especially when I 
> read about the focus being more concentrated on the risk rather than 
> how common the vuln is ... But to my extreme suprise, it was gone!
> If I had the choice between RFI and XSS to exploit and weigh up the 
> risks, RFI would win hands down.
> BTW, doc looks good.
> Ty
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
Owasp-topten mailing list
Owasp-topten at lists.owasp.org

More information about the Owasp-topten mailing list