[Owasp-topten] RFI taken out

Dave Wichers dave.wichers at aspectsecurity.com
Wed Nov 18 18:38:13 EST 2009


Dre,

You are always thinking outside the box, and that is good, but I think the audience for the Top 10 is far more basic and so they need the obvious (to us) steps first.

-Dave

-----Original Message-----
From: andreg at gmail.com [mailto:andreg at gmail.com] On Behalf Of Andre Gironda
Sent: Wednesday, November 18, 2009 12:01 PM
To: owasp-topten at lists.owasp.org
Cc: Dave Wichers; Chris Eng
Subject: Re: [Owasp-topten] RFI taken out

On Wed, Nov 18, 2009 at 9:13 AM, Chris Eng <ceng at veracode.com> wrote:
>  As all of the pen testers here are well aware, info leakage vulnerabilities are often combined or used as a stepping stone to more serious exploits which otherwise may not have been discovered.

The #1 in the OWASP Top Ten should be "Attack Chaining", because it's
rare to find people who get this concept. Thus, concepts like using
XSS to bypass CSRF protections can be discussed. Also, using log/error
files or other writable local files can turn a LFI into an RFI. Source
code disclosure can lead to very advanced (e.g. logic) attacks with
full-knowledge.

OWASP T10 is mostly a marketing tool. What SANS/CWE Top 25 and many
other marketing tools don't show is that the problems aren't meant to
be solved one-at-a-time. One vulnerability isn't as "prevalent" or
"severe" as any other, especially because multiple vulnerabilities are
almost always present in any given large web application.

We're not recommending controls with the T10; we're trying to
demonstrate the attack principles -- the inherent weaknesses in the
system. Yet we forget that the system can be attacked like a system.
The Orange book calls them "object reuse" and "covert channels".

dre

