[Owasp-topten] RFI taken out

Christian Heinrich christian.heinrich at owasp.org
Mon Jan 4 20:42:03 EST 2010


Dave,

I agree with Chris Eng in relation to "Information Leakage and Error
Handling" in the context for exploiting SQLi, etc and consider this
more of a business risk (considering their (i.e. injection) proposed
ranking in the OWASP Top Ten 2010 RC) than "Unvalidated Redirects and
Forwards".

I would prefer that "Unvalidated Redirects and Forwards" was separated
into two discrete entries as this has tended to confuse people who
consider that it is referring to the same vulnerability (i.e.
redirects) prior to any further reading.

I would be interested to know how "Unvalidated Redirects" and
"Unvalidated Forwards" are listed in the other statistics considered
for the OWASP Top Ten? e.g. it is a known vulnerability whose frequency
is increasing over time relative to that of all other vulnerabilities, etc

I can understand the business risk of phishing to the financial
services and Web 2.0 verticals but then shouldn't phishing be listed
rather than "Unvalidated Redirects" considering the target audience,
and "Unvalidated Redirects" and other vulnerabilities could be listed
in the notes of this Top Ten entry?

On Thu, Nov 19, 2009 at 10:37 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:
> I also agree with XSS and SQL injection being very different, which is
> another reason to keep them separate.
>
> Regarding dropping Info Leak/Error handling - It is incredibly
> prevalent, no question. But their impact is typically very low, so the
> overall risk is low, which is why it fell out of this new risk focused
> top 10. It doesn't mean this isn't important, but the other items in our
> opinion introduce more risk.
>
> We'd rather have people spend more time fixing the actual flaws than
> focusing on fixing info leak/error handling that help them find actual
> flaws.
>
> Unchecked redirects for many clients are majorly dangerous because they
> facilitate phishing attacks and driving people to malware sites. In
> fact, for some of my clients, an unchecked redirect is their biggest or
> almost their biggest concern. (but again, that is with my client base,
> and the risk perception of this certainly varies significantly from org
> to org).
>
> Unvalidated forwards are certainly far less prevalent than unvalidated
> redirects, but it gives us a chance to raise that issue at the same time
> as raising the far more prevalent unvalidated redirect. It's interesting
> though that defending against an unvalidated forward is probably much
> trickier than an unvalidated redirect. (see my OWASP presentation as to
> why I think this is the case).
>
> -Dave
>
> -----Original Message-----
> From: Chris Eng [mailto:ceng at Veracode.com]
> Sent: Wednesday, November 18, 2009 11:14 AM
> To: Dave Wichers; owasp-topten at lists.owasp.org
> Subject: RE: [Owasp-topten] RFI taken out
>
> I like keeping XSS separate not so much because of its complexity
> (though that is a valid point) but because it is so fundamentally
> different from the other types of injection flaws, not only with regard
> to the exploit mechanism but also in how the flaws are remediated.
>
> I'm surprised that nobody is discussing the addition of "Unvalidated
> Redirects and Forwards".  Adding this category came at the cost of
> removing "Information Leakage and Error Handling", which at a glance,
> feels misguided to me.  According to the recent WASS study, Information
> Leakage problems accounted for 32% of all vulnerabilities and appeared
> in 65% of sites surveyed.  As all of the pen testers here are well
> aware, info leakage vulnerabilities are often combined or used as a
> stepping stone to more serious exploits which otherwise may not have
> been discovered.  The problem is far from being solved.
>
> Open redirects on the other hand are not that serious in my opinion.
> Yes, it's generally a bad practice, but if it's a true 301 redirect the
> worst that happens is somebody gets sent to a malicious page or a
> phishing site, which can happen by clicking on ANY link if the user is
> not paying attention.  If, on the other hand, the vulnerable site is
> fetching the contents of the unvalidated URL and embedding that content
> in its 200 response, then clearly THAT is dangerous but I think it's a
> much less common scenario.  Unvalidated internal forwards are an
> interesting category and probably under-studied.  In my experience the
> prevalence of these issues is low.  I haven't found much data to suggest
> otherwise but would be interested in hearing if anybody has some.
>
>
> -chris
>
>
>
> Chris Eng
> Senior Director, Security Research
> Veracode, Inc.
> Office: 781.418.3828
> Mobile: 617.501.3280
> ceng at veracode.com

-- 
Regards,
Christian Heinrich - http://www.linkedin.com/in/ChristianHeinrich
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://bit.ly/cmlh_speaking_schedule
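An added illustration, not part of this thread or of any OWASP project code, of the two defences the discussion above distinguishes: a redirect target is only honoured when it is a same-site path or an absolute http(s) URL whose host is on an allow-list, and a forward is resolved through a fixed name-to-path map so the caller never supplies a raw internal path. ALLOWED_HOSTS and FORWARD_MAP are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlparse

# Hosts this application may redirect to (constructed sample allow-list).
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}

# Internal forward targets keyed by a short name. The request supplies only
# the key, never a path, so a forward cannot reach pages outside this map.
FORWARD_MAP = {
    "home": "/index",
    "account": "/account/summary",
}


def is_safe_redirect(target: str) -> bool:
    """Accept a same-site relative path, or an absolute http(s) URL whose
    host is on ALLOWED_HOSTS; reject everything else."""
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path on this site: a single leading slash, never "//host".
        return target.startswith("/") and not target.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False
    # urlparse handles user-info and ports; compare the host part only.
    return parsed.hostname in ALLOWED_HOSTS


def redirect_location(target: str, fallback: str = "/") -> str:
    """Value to place in the Location header: the validated target, or the
    fallback when the requested target fails validation."""
    return target if is_safe_redirect(target) else fallback


def resolve_forward(name: str) -> Optional[str]:
    """Map a forward key to its internal path; None when not permitted."""
    return FORWARD_MAP.get(name)
```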

