[Owasp-topten] RFI taken out

Ralph Durkee rd at rd1.net
Thu Nov 19 03:33:44 EST 2009

I think it would be helpful to include a couple of sentences in the 
intro to educate people that the attacks are combined, and give a quick 

-- Ralph Durkee

Dave Wichers wrote:
> Dre,
> You are always thinking outside the box, and that is good, but I think the audience for the Top 10 is far more basic and so they need the obvious (to us) steps first.
> -Dave
> -----Original Message-----
> From: andreg at gmail.com [mailto:andreg at gmail.com] On Behalf Of Andre Gironda
> Sent: Wednesday, November 18, 2009 12:01 PM
> To: owasp-topten at lists.owasp.org
> Cc: Dave Wichers; Chris Eng
> Subject: Re: [Owasp-topten] RFI taken out
> On Wed, Nov 18, 2009 at 9:13 AM, Chris Eng <ceng at veracode.com> wrote:
>>  As all of the pen testers here are well aware, info leakage vulnerabilities are often combined or used as a stepping stone to more serious exploits which otherwise may not have been discovered.
> The #1 in the OWASP Top Ten should be "Attack Chaining", because it's
> rare to find people who get this concept. Thus, concepts like using
> XSS to bypass CSRF protections can be discussed. Also, using log/error
> files or other writable local files can turn a LFI into an RFI. Source
> code disclosure can lead to very advanced (e.g. logic) attacks with
> full-knowledge.
> OWASP T10 is mostly a marketing tool. What SANS/CWE Top 25 and many
> other marketing tools don't show is that the problems aren't meant to
> be solved one-at-a-time. One vulnerability isn't as "prevalent" or
> "severe" as any other, especially because multiple vulnerabilities are
> almost always present in any given large web application.
> We're not recommending controls with the T10; we're trying to
> demonstrate the attack principles -- the inherent weaknesses in the
> system. Yet we forget that the system can be attacked like a system.
> The Orange book calls them "object reuse" and "covert channels".
> dre
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-topten/attachments/20091119/24a94ab7/attachment.html 

More information about the Owasp-topten mailing list