[Owasp-topten] RC1 comments

Paweł Krawczyk pawel.krawczyk at hush.com
Sun Feb 17 14:15:07 UTC 2013


Several comments to the RC1 draft of proposed OWASP Top 10 2013 version:

* The rank seems to be highly impacted by vulnerability prevalence, which is in turn based on data provided by a number of vendors. The question is - how much are vendor observed potential vulnerabilities related to vulnerabilities being actively exploited in the wild? As this is a rather complex topic, I'm moving the discussion to the bottom of these general comments.
* Wording - we should probably give this to someone unrelated to security for proof reading. We should really pay attention to readability of the text - sentences like "application functions related to authentication and session management are often not implemented correctly" (page 7) can be significantly simplified with little loss of formal correctness. Statements like "many web applications" or "virtually all applications" just inflate text volume, without really bringing information value.
* OWASP ESAPI is recommended in almost every "How do I prevent" section, but ESAPI really does exist for Java, so in case of other popular environments we're sending people to nowhere. We should reference Cheat Sheets, as these in turn frequently reference specific solutions on specific platforms.
* A2 Broken Authentication and Session Management - it has a very high rank, but how frequently is this actually being used to compromise websites and users?
* Section header "Am I Vulnerable to Hijacking?" - hijacking of what?
* Scenario #3 in Example attack scenarios - this has little to do with session and authentication.
* A3 Cross-Site Scripting (XSS) - same as above. It's easy to spot and very frequent in applications, but it doesn't deserve such a high rank.
* A5 Security Misconfiguration - this seems to be a catch-all category, but I believe it's fully justified and should probably have a higher rank, taking into account how frequently it's used to compromise sites.
* A7 - rename to "Broken Access Level Controls" or something like that.
* A9 - rename to "Infrastructure and Server Vulnerabilities".
* Not sure which category would catch Remote File Inclusion, which still seems to be the most popular way of compromising websites. Would it go under A1 Injection?

Now going back to the vulnerability prevalence - my comment above is based on the observation that the severity of vulnerabilities reported by vendors, especially based on automated scans, is not always relevant to the actual chances of them being exploited in the wild. Real world intrusion data is not very available, which makes statistical analysis difficult, but there are still some hints out there. I have been recently working on a research project that focused on that topic and analysed ~300k website defacement reports (courtesy of Zone-H). Distribution of methods was as follows:

  File Inclusion 36.884%
  SQL Injection 13.021%
  known vulnerability (i.e. unpatched system) 9.777%
  undisclosed (new) vulnerability 6.875%
  Other Web Application bug 6.264%
  Other Server intrusion 5.094%
  configuration / admin. mistake 3.187%
  Web Server intrusion 2.739%
  URL Poisoning 2.728%
  brute force attack 2.605%
  Remote administrative panel access through bruteforcing 1.466%
  Web Server external module intrusion 1.424%
  SSH Server intrusion 1.002%
  Shares misconfiguration 0.999%
  FTP Server intrusion 0.942%
  Telnet Server intrusion 0.808%
  Attack against the administrator/user (password stealing/sniffing) 0.750%
  social engineering 0.740%
  RPC Server intrusion 0.595%
  Mail Server intrusion 0.454%
  Rerouting after attacking the Firewall 0.378%
  Rerouting after attacking the Router 0.283%
  Remote service password bruteforce 0.223%
  Cross-Site Scripting 0.168%
  Remote service password guessing 0.144%
  DNS attack through cache poisoning 0.121%
  DNS attack through social engineering 0.121%
  Access credentials through Man In the Middle attack 0.100%
  Remote administrative panel access through password guessing 0.071%
  Remote administrative panel access through social engineering 0.037%