[Owasp-topten] question about RC1

Brad Causey bradcausey at gmail.com
Wed Feb 17 11:44:39 EST 2010


Before I start: I love the top ten, use it all the time. So take my question
in that context, as a user.

This may just be a fundamental difference in views, and if so, I'll keep my
further thoughts to myself.

The items listed in the top ten have varying level of specificity. For
example:

A2 - XSS really has two individual types, and I can understand why you might
combine them as they both have similar effects, and causes.

However,

A3 - Broken Authentication and Session Management, incorporates 15
individual findings and covers two entire finding types (from the testing
guide). This is extremely vague. Now I agree that these are important
topics, but wouldn't it make sense to focus on a few of the most problematic
ones?

A1 - Same as A3, there are at least 8 dramatically different 'injection'
type flaws in circulation (by my count). Wouldn't it serve us best to say
"SQL Injection" or "XPath Injection"?

Regarding A8 - There is a major lack of useful information for someone
looking to get help. The OWASP article referenced is all but empty. The
ESAPI is awesome for this, but many folks just need guidance.
The entry ignores the fix that I see the most which is destination host
checking. For example:

requests from yoursite.com?redir.php=mysite.com/path.html

would not be accepted, whereas

yoursite.com?redir.php=yoursite.com/path.html

would.

Now in full disclosure, I LOVE the fact that redirects were added to the
Top ten because they are definitely a problem.

I guess what I'm getting at on this one is that we need to put more back-end
prep work on something new like A8, to ensure when people start freaking
(and trust me, they will), that they have enough information to do so
sanely.

Now, feel free to flame me. =)



-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--
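The destination-host check Brad describes for A8, written out as an added example (this is not code from his message or from OWASP). It assumes a constructed allow-list of hosts and goes slightly beyond the message by also accepting site-relative paths and rejecting scheme-relative (`//host`) targets, which a bare substring check on the URL would miss.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this site will redirect users to.
ALLOWED_HOSTS = {"yoursite.com", "www.yoursite.com"}


def redirect_target_allowed(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a site-relative path or an http(s) URL
    whose host is exactly one of `allowed_hosts` (no substring matching)."""
    if not target or not target.isprintable() or "\\" in target \
            or any(c.isspace() for c in target):
        # Control characters, whitespace and backslashes are parsed differently
        # by browsers and URL libraries; refuse anything ambiguous.
        return False
    if target.startswith("/") and not target.startswith("//"):
        return True  # plain site-relative path; "//host/..." is scheme-relative
    candidate = target
    if "://" not in candidate and not candidate.startswith("//"):
        # Bare "host/path" as in the post's example: give it a scheme so the
        # host is parsed as a host rather than as a relative path.
        candidate = "https://" + candidate
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # also rejects scheme-relative targets (empty scheme)
    if parts.hostname is None or parts.username is not None or parts.password is not None:
        return False  # "allowed.com@other.com" puts the real host after the '@'
    return parts.hostname.lower() in allowed_hosts


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Pick the Location value to send: the requested target if it passes the
    host check, otherwise a safe local fallback page."""
    return target if redirect_target_allowed(target) else fallback
```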