[Owasp-topten] RFI taken out

Andre Gironda andre at operations.net
Wed Nov 18 12:00:49 EST 2009

On Wed, Nov 18, 2009 at 9:13 AM, Chris Eng <ceng at veracode.com> wrote:
>  As all of the pen testers here are well aware, info leakage vulnerabilities are often combined or used as a stepping stone to more serious exploits which otherwise may not have been discovered.

The #1 in the OWASP Top Ten should be "Attack Chaining", because it's
rare to find people who get this concept. Thus, concepts like using
XSS to bypass CSRF protections can be discussed. Also, using log/error
files or other writable local files can turn a LFI into an RFI. Source
code disclosure can lead to very advanced (e.g. logic) attacks with

OWASP T10 is mostly a marketing tool. What SANS/CWE Top 25 and many
other marketing tools don't show is that the problems aren't meant to
be solved one-at-a-time. One vulnerability isn't as "prevalent" or
"severe" as any other, especially because multiple vulnerabilities are
almost always present in any given large web application.

We're not recommending controls with the T10; we're trying to
demonstrate the attack principles -- the inherent weaknesses in the
system. Yet we forget that the system can be attacked like a system.
The Orange book calls them "object reuse" and "covert channels".


More information about the Owasp-topten mailing list