[Owasp-topten] RFI taken out

Dave Wichers dave.wichers at aspectsecurity.com
Tue Nov 17 18:31:09 EST 2009

It's a fair comment. I'm sure in certain areas/organizations, this is
still a massive problem. Just because something doesn't make the Top 10,
doesn't mean it's not important anymore. It still is. Unfortunately
there are LOTS of important things to deal with.

That said, for the organizations we surveyed, this problem has been
dropping significantly in likelihood since we emphasized it last time
out. Prevalence is also massively affected by the type of organizations
you are dealing with, and the kinds of clients your company has. My
client base sees this problem far less than yours, for example. However,
we are trying to get a sense of how big this problem is across all users
of the top 10. Based on the data we saw from MITRE, Aspect, White Hat,
and Softek, the frequency of this issue had dropped significantly since
2006/2007, and for non-PHP developers this is a relatively rare issue.
So, overall we felt it didn't make the list this year.

But clearly, if you are a PHP shop, this belongs in your Top 10 list.
But if you aren't, we didn't think it made the list anymore.


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Ty Miller
Sent: Tuesday, November 17, 2009 4:56 AM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] RFI taken out

Hey guys,

You know this comment would be coming (if it hasn't already and I
missed it) ... But, here goes ... and to put it clearly so there are
no misunderstandings ...

"What were you guys smoking when you took RFI out of the top 10???"

I understand that RFI mainly affects PHP about 99.99% of the time, but
this vuln is out there and organisations are getting smashed with it.

I am the CTO of a pen testing company who also does digital forensics
when clients ring up in a panic saying "OMG, we've been hacked! What
do we do?"

The top two ways that organisations were being hacked via their web
apps that we saw were SQLi followed very closely by RFI.

I was expecting this vuln to be moved up the ranks, especially when I
read about the focus being more concentrated on the risk rather than
how common the vuln is ... But to my extreme surprise, it was gone!

If I had the choice between RFI and XSS to exploit and weigh up the
risks, RFI would win hands down.

BTW, doc looks good.
