[Owasp-topten] RFI taken out

Ty Miller tyronmiller at gmail.com
Tue Nov 17 16:47:28 EST 2009


Hey guys,

To tell you the truth, I'm not a fan of combining attacks into generic
groups for the top 10.

Correct me if I am wrong (because it may just be my assumption), but I
thought the top 10 was supposed to be to educate people to the current top
10 highest risk attacks so that they can protect against them. When we start
making generic groups and jamming everything in together, we start to
dissolve the usability of the top 10 since it ends up just covering
everything, and most people (outside of pen testers or the like) end up not
actually knowing what attacks they actually need to protect against.

I run online and face-to-face training courses for web app hacking "based on
the OWASP Top 10", because that is the title that people like to see. After
the course has finished, the students all leave exhausted from the massive
number of attacks and security weaknesses that they have just been taught,
rather than being taught the real top 10 vulnerabilities that are going to
pose real risks to their organisation. They end up getting lumped with
protecting almost every possible attack because their security policy
blindly says "Developers must protect against everything in the OWASP Top
10".

I guess having said all of that, I would still be able to easily squeeze RFI
into probably a number of sections of the generic top 10 groups, but that
doesn't mean that developers are going to know to protect against it or that
security groups are going to know about it.

Ty



On Wed, Nov 18, 2009 at 4:38 AM, Calderon, Juan Carlos (GE, Corporate,
consultant) <juan.calderon at ge.com> wrote:

> It might be true XSS is HTML/JavaScript injection and it will be a good
> fit under the injection bucket. Since, as you mention there is good
> awareness on it by now, we might not need to have it in a separated
> bucket.
>
> About RFI
> In my opinion RFI, LFI, malicious redirects and forwards, malicious
> dynamic frame content loading and dynamic content inclusion are all
> related. It is just a matter of not validating the source/destination
> path.
>
> So maybe we should include them all in "unauthorized user context
> change" and have one example for each one, or split it in "Phishing" for
> RFI and Redirect and include LFI and Forwards as part of "Insecure
> Direct Object Reference" and "Failure to Restrict URL Access" as all
> these problems deserve a spot in Top 10 to raise community/industry
> awareness.
>
> What do you think?
>
> Regards,
> -JC
>
> -----Original Message-----
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Tyler Reguly
> Sent: Martes, 17 de Noviembre de 2009 09:51 a.m.
> To: Ty Miller
> Cc: owasp-topten at lists.owasp.org
> Subject: Re: [Owasp-topten] RFI taken out
>
> From my point of view, I was fairly neutral on the removal of
> "Malicious File Execution" but I would like to continue a statement I'd
> made previously on this list. If it continues to deserve a spot on the
> list, this is the perfect time to roll XSS into Injection and open up a
> spot. After all XSS, at a basic level, is just HTML Injection...
> and if we've already got SQL Injection, LDAP Injection and OS Command
> Injection, why not bring this one into the injection pile as well?
>
> Tyler.
>
> On Tue, Nov 17, 2009 at 4:55 AM, Ty Miller <tyronmiller at gmail.com>
> wrote:
> > Hey guys,
> >
> > You know this comment would be coming (if it hasn't already and I
> > missed it) ... But, here goes ... and to put it clearly so there are
> > no misunderstandings ...
> >
> > "What were you guys smoking when you took RFI out of the top 10???"
> >
> > I understand that RFI mainly affects php about 99.99% of the time, but
> > this vuln is out there and organisations are getting smashed with it.
> >
> > I am the CTO of a pen testing company who also does digital forensics
> > when clients ring up in a panic saying "OMG, we've been hacked! What
> > do we do?"
> >
> > The top two ways that organisations were being hacked via their web
> > apps that we saw was SQLi followed very closely by RFI.
> >
> > I was expecting this vuln to be moved up the ranks, especially when I
> > read about the focus being more concentrated on the risk rather than
> > how common the vuln is ... But to my extreme surprise, it was gone!
> >
> > If I had the choice between RFI and XSS to exploit and weigh up the
> > risks, RFI would win hands down.
> >
> > BTW, doc looks good.
> >
> > Ty
> > _______________________________________________
> > Owasp-topten mailing list
> > Owasp-topten at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-topten
> >
>
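JC's point above is that RFI, LFI, open redirects, forwards and dynamic content inclusion share one root cause: a user-supplied source or destination path that is never validated. The following is an added example, not code from this list or from the OWASP Top 10 project, showing one defensive pattern that covers both cases in the same way: an allowlist of known targets, backed by a resolved-path check for includes and a scheme/host check for redirects. The base directory, page names and host are constructed placeholders, and the function names are hypothetical.

```python
"""Validating include and redirect targets against an allowlist.

Added example (standard library only). Paths, page names and the host
below are constructed values standing in for a real application's config.
"""
import os
from urllib.parse import urlparse

# Constructed configuration: the only pages an include may name and the only
# host a redirect may leave for. Note that no URL appears in the include
# allowlist, so a remote include (RFI) cannot be expressed at all.
INCLUDE_BASE = os.path.realpath("/var/www/app/pages")   # constructed path
INCLUDE_ALLOWLIST = frozenset({"home", "about", "contact"})
REDIRECT_HOSTS = frozenset({"www.example.com"})         # constructed host


class UnsafeTargetError(ValueError):
    """Raised when a user-supplied include or redirect target is rejected."""


def resolve_include(page: str, base: str = INCLUDE_BASE) -> str:
    """Map a request parameter to a file path under ``base``.

    Two layers: the allowlist is the real control (it rejects URLs and
    traversal outright), and the resolved-path check is defence in depth
    against the allowlist later being loosened to accept arbitrary names.
    """
    if page not in INCLUDE_ALLOWLIST:
        raise UnsafeTargetError(f"unknown page {page!r}")
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    # After symlink/".." resolution the file must still live under base.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeTargetError(f"{page!r} resolves outside {base}")
    return candidate


def resolve_redirect(target: str, allowed_hosts=REDIRECT_HOSTS) -> str:
    """Return ``target`` if it is a local path or an allowlisted https/http URL.

    Rejects other schemes (javascript:, data:), scheme-relative "//host"
    forms, backslashes (which browsers may treat as slashes) and
    "user@host" tricks, since urlparse().hostname ignores the userinfo part.
    """
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        raise UnsafeTargetError("control characters or backslash in target")
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Site-relative path: must start with exactly one "/".
        if not target.startswith("/") or target.startswith("//"):
            raise UnsafeTargetError(f"not a site-relative path: {target!r}")
        return target
    if parsed.scheme not in ("http", "https"):
        raise UnsafeTargetError(f"scheme not allowed: {parsed.scheme!r}")
    host = (parsed.hostname or "").lower()
    if host not in allowed_hosts:
        raise UnsafeTargetError(f"host not allowed: {host!r}")
    return target


def is_safe_include(page: str) -> bool:
    """Boolean wrapper around resolve_include for callers that only need a verdict."""
    try:
        resolve_include(page)
    except UnsafeTargetError:
        return False
    return True


def is_safe_redirect(target: str) -> bool:
    """Boolean wrapper around resolve_redirect."""
    try:
        resolve_redirect(target)
    except UnsafeTargetError:
        return False
    return True


if __name__ == "__main__":
    # Constructed request parameters of the kind this thread is about.
    for page in ["home", "../../etc/passwd", "http://example.invalid/shell.txt"]:
        print(f"include {page!r:40} -> {is_safe_include(page)}")
    for url in ["/account", "//example.invalid/", "https://www.example.com/x",
                "https://www.example.com@example.invalid/", "javascript:alert(1)"]:
        print(f"redirect {url!r:45} -> {is_safe_redirect(url)}")
```

The allowlist does the real work for includes; the `realpath`/`commonpath` check only matters if a later change lets arbitrary names through. For redirects, comparing `hostname` rather than `netloc` is what defeats the `trusted@attacker` form, and the scheme check is what keeps `//host` and `javascript:` out.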