[Owasp-topten] RC1 comments

Paweł Krawczyk pawel.krawczyk at hush.com
Sun Feb 17 17:05:10 UTC 2013

On 17/2/2013 at 3:32 PM, "Abbas Naderi"  wrote:	*Scenario #3 in
Example attack scenarios - this has little to do with session and
authentication.	*A3 Cross-Site Scripting (XSS) - same as above. It's
easy to spot and very frequent in applications, but it doesn't deserve
such a high rank.Actually it does. I'm a known hacker and XSS is
always the second choice.Choice, but for what?
	*A5 Security Misconfiguration - this seems to be catch-all category,
but I believe it's fully justified and should probably have higher
rank, taking into account how frequently it's used to compromise
sites.	*A7- rename to "Broken Access Level Controls" or something like
that.As I suggested earlier, this has to be mixed with A4, as
insufficient access control. We're really forgetting that security is
mostly Authentication and Authorization, and authorization is so
undermined in Web.Fully agree here.
	*A9 rename to "Infrastructure and Server Vulnerabilities"Why ??Naming
probably needs some more work but it's not really about 3rd party
libraries - it's about any application parts that are under your
control. This includes libraries, frameworks, servers, infrastructure
and DNS.	*Not sure which category would catch Remote File Inclusion,
which still seems to be most popular way of compromising websites.
Would it go under A1 Injection?

RFI is not number one. Since 2007, 80% of flawed websites are immune
to RFI.Ok, but among Zone-H defacement methods cited below LFI is
still number one. This seems to be consistent with other findings
(like Imperva http://net-security.org/secworld.php?id=12678).
  File Inclusion 36.884%  SQL Injection 13.021%  known vulnerability
(i.e. unpatched system) 9.777%  undisclosed (new) vulnerability 6.875%
 Other Web Application bug 6.264%  Other Server intrusion 5.094% 
configuration / admin. mistake 3.187%  Web Server intrusion 2.739% 
URL Poisoning 2.728%  brute force attack 2.605%  Remote administrative
panel access through bruteforcing 1.466%  Web Server external module
intrusion 1.424%  SSH Server intrusion 1.002%  Shares misconfiguration
0.999%  FTP Server intrusion 0.942%  Telnet Server intrusion
0.808%Attack against the administrator/user (password
stealing/sniffing) 0.750%  social engineering 0.740%  RPC Server
intrusion 0.595%  Mail Server intrusion 0.454%  Rerouting after
attacking the Firewall 0.378%  Rerouting after attacking the Router
0.283%  Remote service password bruteforce 0.223%  Cross-Site
Scripting 0.168%  Remote service password guessing 0.144%  DNS attack
through cache poisoning 0.121%  DNS attack through social engineering
0.121%  Access credentials through Man In the Middle attack 0.100% 
Remote administrative panel access through password guessing 0.071% 
Remote administrative panel access through social engineering
Owasp-topten mailing list
Owasp-topten at lists.owasp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130217/57261776/attachment.html>

More information about the Owasp-topten mailing list