[Owasp-topten] RC1 comments

Paweł Krawczyk pawel.krawczyk at hush.com
Mon Feb 18 11:32:25 UTC 2013

On 17/2/2013 at 9:47 PM, "Chris Eng" wrote:

> It’s also worth thinking about who’s using the OWASP Top Ten. In
> theory it’s enterprise developers. In practice it’s enterprise
> risk management (CISO/CIO), some enterprise developers, and some
> penetration testers (if they’re being used to satisfy PCI
> requirements, for example). Neither of those groups includes Bob’s
> Open Source PHP Guestbook.

An example of Joomla usage in enterprise

> While there is some truth to the Imperva post, measuring the
> percentage of server-side programming languages “out there on the
> Internet” isn’t exactly the most accurate way to measure
> enterprise risk either. Many or most of those PHP apps may not be
> subject to any regulatory requirements and most of them probably
> don’t house any sensitive data.

And these statements are based on

> In other words there’s a lot of RFI out there in places that are
> pretty irrelevant. Our (Veracode) data is a reflection of what
> enterprises are using, not the sum total of all servers on the
> Internet.

What I did provide, though, was a measure of attack methods used
to compromise real websites on the Internet. File Inclusion remains the
most prevalent cause.

> Incidentally, in the 2010 Top Ten, RFI was included in part of
> 2010-A4 (Insecure Direct Object References) according to the CWE
> hierarchy. So it should continue to be included in audit criteria as
> part of 2013-A4. Despite the Imperva post, it absolutely is part of
> the OWASP Top Ten, just not one of the top-level categories. To me
> this seems appropriate.

OWASP Top 10 2010 item A4 itself has two CWE references, none of them
related to File Inclusion:

	* CWE-639: Authorization Bypass Through User-Controlled Key
	* CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path

There's a separate CWE entry on the MITRE page that goes into more

	* CWE-813: OWASP Top Ten 2010 Category A4 - Insecure Direct Object

and it contains an FI-related attack vector:

	* CWE-434: Unrestricted Upload of File with Dangerous Type

but it's not FI itself, which has a separate entry:

	* CWE-98: Improper Control of Filename for Include/Require Statement
in PHP Program ('PHP File Inclusion')
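To make the CWE-98 distinction concrete, here is an added PHP example (not from this thread, and not code from OWASP, MITRE, Veracode or Imperva) showing the include pattern CWE-98 describes next to a hardened version. The page keys, the `pages/` directory and the `resolvePage` / `remoteIncludeDisabled` helpers are assumptions made for illustration.

```php
<?php
// Added example, not part of the mailing-list thread. Page names, the
// `pages/` directory and the helper names below are assumed for illustration.

// CWE-98 anti-pattern: the include target is built from request input, so
// whoever controls the request controls which file is loaded. Kept here only
// as a comment to show the shape a code reviewer should flag.
//   include($_GET['page'] . '.php');

// Hardened version: the request value is a key into a fixed allowlist and is
// never used as part of a filesystem path or URL.
const PAGE_MAP = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(?string $requested): string
{
    // Unknown or missing keys fall back to a fixed default instead of being
    // reflected into a path.
    if ($requested === null || !array_key_exists($requested, PAGE_MAP)) {
        return PAGE_MAP['home'];
    }
    return PAGE_MAP[$requested];
}

// Defence in depth: the remote half of file inclusion also depends on the
// php.ini setting allow_url_include, which has defaulted to Off since PHP 5.2.
// A startup check makes a misconfigured host visible.
function remoteIncludeDisabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!remoteIncludeDisabled()) {
    error_log('allow_url_include is enabled; remote file inclusion is possible');
}

$page = resolvePage($_GET['page'] ?? null);
include __DIR__ . '/' . $page;
```

The allowlist is what removes the CWE-98 condition: the attacker-influenced value never reaches `include`, so neither local nor remote inclusion is reachable regardless of the `allow_url_include` setting. The ini check is there so that a host where someone has re-enabled remote includes is logged rather than silently trusted.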