[Owasp-topten] [Fwd: [Owasp Source Flaws Top 10] CSRF]

Matt Tesauro matt.tesauro at owasp.org
Tue Feb 23 09:01:19 EST 2010


Moving accidental mis-post to the right list:

-------- Forwarded Message --------
From: Michael Brooks <firealwaysworks at gmail.com>
Reply-to: OWASP Source Code Flaws Top 10 Project
<owasp-source-code-flaws-top-10 at lists.owasp.org>
To: Owasp-source-code-flaws-top-10 at lists.owasp.org
Subject: [Owasp Source Flaws Top 10] CSRF
Date: Tue, 23 Feb 2010 00:17:31 -0700

I have read over the OWASP top 10 for 2010 and I like it. However, I
disagree that CSRF (A5) should be higher on the list in OWASP 2010.

According to the United States Department of Homeland Security, the
most dangerous CSRF vulnerability ranks in at the 908th most dangerous
software bug ever found
(http://www.kb.cert.org/CERT_WEB%5Cservices%5Cvul-notes.nsf/bymetric?open&start=908).
Other Severity Metrics have been issued for CSRF vulnerabilities
that result in remote code execution with root privileges
(http://www.kb.cert.org/vuls/id/584089), as well as compromise of a
root certificate, which will completely undermine a Public Key
Infrastructure (http://www.kb.cert.org/vuls/id/264385). (Both the
Motorola and the cPanel vulnerabilities are from my research, Michael
Brooks ;) The reason why the Motorola vulnerability was given such a
high score is because it disrupts a large part of the internet
infrastructure. CSRF has the unique ability to access restricted
network resources to deliver devastating attacks. CSRF can extend
attackers' abilities and go to places where nothing else can.

I encourage you to look over the severity metric list. I can't find a
single severity metric assigned to a vulnerability in this category:
"A3 – Broken Authentication and Session Management". I don't think
you'll ever find an A3 vulnerability that will be given a severity
metric of 13.50 (http://www.kb.cert.org/vuls/id/643049). Also, as
an active security researcher, I can tell you from first-hand
experience that there is a lot more CSRF in the wild than Broken
Authentication (http://www.milw0rm.com/author/677).

Thanks,
Michael Brooks

-- 
Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site