[Owasp-topten] UNSUBSCRIBE - RE:

M L mb_l at msn.com
Thu Nov 19 04:45:54 EST 2009

UNSUBSCRIBE  owasp-topten at lists.owasp.org

________________________________________
Date: Thu, 19 Nov 2009 03:33:44 -0500
From: rd at rd1.net
To: dave.wichers at aspectsecurity.com
CC: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] RFI taken out


I think it would be helpful to include a couple of sentences in the
intro to educate people that the attacks are combined, and give a quick

-- Ralph Durkee

Dave Wichers wrote:


You are always thinking outside the box, and that is good, but I think the audience for the Top 10 is far more basic and so they need the obvious (to us) steps first.


-----Original Message-----
From: andreg at gmail.com [mailto:andreg at gmail.com] On Behalf Of Andre Gironda
Sent: Wednesday, November 18, 2009 12:01 PM
To: owasp-topten at lists.owasp.org
Cc: Dave Wichers; Chris Eng
Subject: Re: [Owasp-topten] RFI taken out

On Wed, Nov 18, 2009 at 9:13 AM, Chris Eng <ceng at veracode.com> wrote:
     As all of the pen testers here are well aware, info leakage vulnerabilities are often combined or used as a stepping stone to more serious exploits which otherwise may not have been discovered.

The #1 in the OWASP Top Ten should be "Attack Chaining", because it's
rare to find people who get this concept. Thus, concepts like using
XSS to bypass CSRF protections can be discussed. Also, using log/error
files or other writable local files can turn a LFI into an RFI. Source
code disclosure can lead to very advanced (e.g. logic) attacks with

OWASP T10 is mostly a marketing tool. What SANS/CWE Top 25 and many
other marketing tools don't show is that the problems aren't meant to
be solved one-at-a-time. One vulnerability isn't as "prevalent" or
"severe" as any other, especially because multiple vulnerabilities are
almost always present in any given large web application.

We're not recommending controls with the T10; we're trying to
demonstrate the attack principles -- the inherent weaknesses in the
system. Yet we forget that the system can be attacked like a system.
The Orange book calls them "object reuse" and "covert channels".

