[Owasp-topten] RFI taken out

Dave Wichers dave.wichers at aspectsecurity.com
Wed Nov 18 18:37:01 EST 2009

I also agree with XSS and SQL injection being very different, which is
another reason to keep them separate.

Regarding dropping Info Leak/Error handling - It is incredibly
prevalent, no question. But their impact is typically very low, so the
overall risk is low, which is why it fell out of this new risk focused
top 10. It doesn't mean this isn't important, but the other items in our
opinion introduce more risk.

We'd rather have people spend more time fixing the actual flaws than
focusing on fixing info leak/error handling that help them find actual

Unchecked redirects for many clients are majorly dangerous because they
facilitate phishing attacks and driving people to malware sites. In
fact, for some of my clients, an unchecked redirect is their biggest or
almost their biggest concern. (but again, that is with my client base,
and the risk perception of this certainly varies significantly from org
to org).

Unvalidated forwards are certainly far less prevalent than unvalidated
redirects, but it gives us a chance to raise that issue at the same time
as raising the far more prevalent unvalidated redirect. It's interesting
though that defending against an unvalidated forward is probably much
trickier than an unvalidated redirect. (see my OWASP presentation as to
why I think this is the case).

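As an added illustration of the redirect/forward distinction discussed above (this is editor-supplied example code, not code from the thread, from Dave Wichers or from OWASP): the unvalidated form beside an allow-list check for redirects, and an exact-match check for internal forwards. The host allow-list, the forward route set and the function names are constructed assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of hosts this site is willing to redirect to (assumption).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Constructed allow-list of internal forward targets (assumption). A forward
# never leaves the server, so the check is on the server-side route, not a host.
ALLOWED_FORWARDS = {"/home", "/account", "/orders"}


def redirect_unvalidated(target: str) -> str:
    """The flaw as it usually appears: whatever arrived in the 'next' parameter
    becomes the Location header, so a phishing or malware URL is accepted as-is."""
    return target


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site path or an http(s) URL whose host is allow-listed."""
    if not target:
        return False
    # Browsers treat a backslash after the origin like a slash, so "/\evil"
    # behaves as "//evil". Normalise before parsing so urlparse sees the same thing.
    t = target.replace("\\", "/")
    parsed = urlparse(t)
    if parsed.netloc:
        # Absolute or protocol-relative URL: require http(s) and an allowed host.
        # parsed.hostname strips userinfo, so "https://example.com@evil.com/"
        # yields "evil.com" and is rejected.
        if parsed.scheme not in ("http", "https"):
            return False
        return parsed.hostname is not None and parsed.hostname in allowed_hosts
    if parsed.scheme:
        # "javascript:..." / "data:..." and "http:evil.com"-style forms.
        return False
    # Relative target: a single leading slash, never "//" (protocol-relative).
    return t.startswith("/") and not t.startswith("//")


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return the validated target or a fixed fallback; never echo the raw input."""
    return target if is_safe_redirect(target) else fallback


def is_safe_forward(path: str, allowed=ALLOWED_FORWARDS) -> bool:
    """Internal forwards dispatch server-side, so an attacker-chosen path can reach
    routes the access-control layer never evaluated. Exact match against a fixed
    set of routes sidesteps traversal and encoding tricks entirely."""
    return path in allowed
```

The redirect check has to reason about how browsers parse URLs (userinfo, protocol-relative forms, backslashes), which is why a "starts with /" test is not enough on its own; the forward check is simpler to write but only if the application keeps a closed list of forwardable routes, which is the part that is hard to retrofit into a large application.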

-----Original Message-----
From: Chris Eng [mailto:ceng at Veracode.com]
Sent: Wednesday, November 18, 2009 11:14 AM
To: Dave Wichers; owasp-topten at lists.owasp.org
Subject: RE: [Owasp-topten] RFI taken out

I like keeping XSS separate not so much because of its complexity
(though that is a valid point) but because it is so fundamentally
different from the other types of injection flaws, not only with regard
to the exploit mechanism but also in how the flaws are remediated.

I'm surprised that nobody is discussing the addition of "Unvalidated
Redirects and Forwards".  Adding this category came at the cost of
removing "Information Leakage and Error Handling", which at a glance,
feels misguided to me.  According to the recent WASS study, Information
Leakage problems accounted for 32% of all vulnerabilities and appeared
in 65% of sites surveyed.  As all of the pen testers here are well
aware, info leakage vulnerabilities are often combined or used as a
stepping stone to more serious exploits which otherwise may not have
been discovered.  The problem is far from being solved.

Open redirects on the other hand are not that serious in my opinion.
Yes, it's generally a bad practice, but if it's a true 301 redirect the
worst that happens is somebody gets sent to a malicious page or a
phishing site, which can happen by clicking on ANY link if the user is
not paying attention.  If, on the other hand, the vulnerable site is
fetching the contents of the unvalidated URL and embedding that content
in its 200 response, then clearly THAT is dangerous but I think it's a
much less common scenario.  Unvalidated internal forwards are an
interesting category and probably under-studied.  In my experience the
prevalence of these issues is low.  I haven't found much data to suggest
otherwise but would be interested in hearing if anybody has some.


Chris Eng
Senior Director, Security Research
Veracode, Inc.
Office: 781.418.3828
Mobile: 617.501.3280
ceng at veracode.com

> -----Original Message-----
> From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-
> bounces at lists.owasp.org] On Behalf Of Dave Wichers
> Sent: Tuesday, November 17, 2009 6:39 PM
> To: owasp-topten at lists.owasp.org
> Subject: Re: [Owasp-topten] RFI taken out
> One of the reasons I don't mind rolling LDAP and Command Injection
> Injection is that the primary issue is SQL Injection (which is
> prevalent). Command injection is becoming relatively rare and LDAP
> injection is also relatively rare, so the fact that we lose a little
> focus on those two issues is OK in my opinion, but rolling XSS into
> injection as well would be a huge mistake since XSS is probably the
> hardest item in the Top 10 to completely eliminate from an
> I've worked with clients for over 5 years trying to stomp out the top
> and we get SQL Injection licked in like 6 months and it never reappears
> and yet we are STILL struggling with XSS because it's SO complicated
> deal with across a large application portfolio and it's SO EASY to
> reintroduce it even if you think you made it go away.
> So, again, I think both topics are extremely important and each need
> their own visibility in the Top 10.
> -Dave
> -----Original Message-----
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Tyler
> Sent: Tuesday, November 17, 2009 10:51 AM
> To: Ty Miller
> Cc: owasp-topten at lists.owasp.org
> Subject: Re: [Owasp-topten] RFI taken out
> From my point of view, I was fairly neutral on the removal of
> "Malicious File Execution" but I would like to continue a statement
> I'd made previously on this list. If it continues to deserve a spot on
> the list, this is the perfect time to roll XSS into Injection and open
> up a spot. After all XSS, at a basic level, is just HTML Injection...
> and if we've already got SQL Injection, LDAP Injection and OS Command
> Injection, why not bring this one into the injection pile as well?
> Tyler.
> On Tue, Nov 17, 2009 at 4:55 AM, Ty Miller <tyronmiller at gmail.com>
> wrote:
> > Hey guys,
> >
> > You know this comment would be coming (if it hasn't already and I
> > missed it) ... But, here goes ... and to put it clearly so there are
> > no misunderstandings ...
> >
> > "What were you guys smoking when you took RFI out of the top 10???"
> >
> > I understand that RFI mainly affects php about 99.99% of the time,
> > this vuln is out there and organisations are getting smashed with
> >
> > I am the CTO of a pen testing company who also does digital
> > when clients ring up in a panic saying "OMG, we've been hacked! What
> > do we do?"
> >
> > The top two ways that organisations were being hacked via their web
> > apps that we saw was SQLi followed very closely by RFI.
> >
> > I was expecting this vuln to be moved up the ranks, especially when
> > read about the focus being more concentrated on the risk rather than
> > how common the vuln is ... But to my extreme surprise, it was gone!
> >
> > If I had the choice between RFI and XSS to exploit and weigh up the
> > risks, RFI would win hands down.
> >
> > BTW, doc looks good.
> >
> > Ty
> > _______________________________________________
> > Owasp-topten mailing list
> > Owasp-topten at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-topten
> >