[Owasp-topten] RC1 comments

Abbas Naderi abbas.naderi at owasp.org
Sun Feb 17 17:09:42 UTC 2013


Hi again!
We are progressing...
On ۲۹ بهمن ۱۳۹۱, at ۲۰:۳۵, "Paweł Krawczyk" <pawel.krawczyk at hush.com> wrote:

> On 17/2/2013 at 3:32 PM, "Abbas Naderi" <abbas.naderi at owasp.org> wrote:
> Scenario #3 in Example attack scenarios - this has little to do with session and authentication.
> A3 Cross-Site Scripting (XSS) - same as above. It's easy to spot and very frequent in applications, but it doesn't deserve such a high rank.
> Actually it does. I'm a known hacker and XSS is always the second choice.
> Choice, but for what?
Oh, I meant choices to start hacking a website by. After injections, XSS is most easy and effective one.
> A5 Security Misconfiguration - this seems to be catch-all category, but I believe it's fully justified and should probably have higher rank, taking into account how frequently it's used to compromise sites.
> A7- rename to "Broken Access Level Controls" or something like that.
> As I suggested earlier, this has to be mixed with A4, as insufficient access control. We're really forgetting that security is mostly Authentication and Authorization, and authorization is so undermined in Web.
> Fully agree here.
Then lets do it!
> A9 rename to "Infrastructure and Server Vulnerabilities"
> Why ??
> Naming probably needs some more work but it's not really about 3rd party libraries - it's about any application parts that are under your control. This includes libraries, frameworks, servers, infrastructure and DNS.
Yeah we need a good title for this one. Lets make another thread for this.
> Not sure which category would catch Remote File Inclusion, which still seems to be most popular way of compromising websites. Would it go under A1 Injection?
> 
> 
> RFI is not number one. Since 2007, 80% of flawed websites are immune to RFI.
> Ok, but among Zone-H defacement methods cited below LFI is still number one. This seems to be consistent with other findings (like Imperva http://net-security.org/secworld.php?id=12678).

Well LFI, yes, but LFI has such low impact (though there are many ways to convert it to RFI) that nobody cares.
-Abbas
> 
>   File Inclusion 36.884%
>   SQL Injection 13.021%
>   known vulnerability (i.e. unpatched system) 9.777%
>   undisclosed (new) vulnerability 6.875%
>   Other Web Application bug 6.264%
>   Other Server intrusion 5.094%
>   configuration / admin. mistake 3.187%
>   Web Server intrusion 2.739%
>   URL Poisoning 2.728%
>   brute force attack 2.605%
>   Remote administrative panel access through bruteforcing 1.466%
>   Web Server external module intrusion 1.424%
>   SSH Server intrusion 1.002%
>   Shares misconfiguration 0.999%
>   FTP Server intrusion 0.942%
>   Telnet Server intrusion 0.808%
> Attack against the administrator/user (password stealing/sniffing) 0.750%
>   social engineering 0.740%
>   RPC Server intrusion 0.595%
>   Mail Server intrusion 0.454%
>   Rerouting after attacking the Firewall 0.378%
>   Rerouting after attacking the Router 0.283%
>   Remote service password bruteforce 0.223%
>   Cross-Site Scripting 0.168%
>   Remote service password guessing 0.144%
>   DNS attack through cache poisoning 0.121%
>   DNS attack through social engineering 0.121%
>   Access credentials through Man In the Middle attack 0.100%
>   Remote administrative panel access through password guessing 0.071%
>   Remote administrative panel access through social engineering 0.037%
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130217/9be09f32/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4889 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130217/9be09f32/attachment-0001.bin>


More information about the Owasp-topten mailing list