[Owasp-topten] RFI taken out

Dave van Stein dvstein at gmail.com
Wed Nov 18 13:49:15 EST 2009

2009/11/18 Andre Gironda <andre at operations.net>

> The #1 in the OWASP Top Ten should be "Attack Chaining", because it's
> rare to find people who get this concept.

Call me a cynic, but when we start walking that road, we might as well
create an OWASP top 1 with the only entry "Vulnerable Web Applications".

The problem is that many developers and architects don't understand the
specifics of web application vulnerabilities, not that they don't understand
the concepts of exploiting.

When I talk to these people I often see reactions like "we use ACL so even
when someone bypasses the authentication we're still safe".
So it's not the concept of combining attacks they don't get, it's the
attacks themselves and the consequences that are beyond their sight.

As far as the top 10 itself; I read the discussions about the list the last
days and I think that although from a pentesters point of few several good
suggestions have been raised, the scope should be the non-pentesting public.
For example; combining XSS and Injection attacks might seem logical for 'us'
, they are very different for the target audience. Injection attacks
'happen' on the back-end, whereas XSS 'happens' on the front-end ... get
what I mean ?

I also regret the absence of Information leakage and error messages. Not
because they occur more often or are more dangerous than flaw X, but because
it is so often overlooked at and out of scope. Often people (even technical
vendor consultants) don't realize what info is really present in these
messages and what can be done with it.

So I vote for creating a top 10 not based on occurrence or impact, but based
on misconception. List the problems that are the most often misunderstood or
remediated in the wrong way ...

regards, Dave (van Stein to prevent mixing up with the other Dave's on the
list ... )
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-topten/attachments/20091118/8666d86c/attachment.html 

More information about the Owasp-topten mailing list