[Owasp-topten] RC1 comments

Chris Eng ceng at veracode.com
Mon Feb 18 16:31:34 UTC 2013

My statements about many PHP apps on the Internet not being subject to regulatory requirements?  It’s a guess, but an educated one I think.  A large number of the PHP apps on the web are probably forums or blogs that aren’t subject to PCI or other regulations.  Or websites owned by individuals.

The way to traverse a CWE view is to look at all the CWE IDs that are listed as a direct relationship to that view, then traverse down to all the children of those nodes.  2010-A4 is CWE-813, which includes CWEs 22, 434, 639, 829, 862, and 863.  CWE-829 is a category called “Inclusion of Functionality from Untrusted Control Sphere”, and one of its children is CWE-98 “Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')”.


This is how I have been interpreting the CWE OWASP views since they were introduced, and I’ve confirmed with the CWE maintainers that this is the correct way to do it.

Therefore CWE-98 is already included in the OWASP Top Ten 2010.  Using the CWE views, it was also part of 2007-A3 and 2004-A6 (interestingly, considered part of “Injection” at that time).

I don’t know if this changes your opinion at all, knowing that RFI *is* in fact within scope of the OWASP Top Ten.  Or are you pushing for it to be a top-level category?

From: Paweł Krawczyk [mailto:pawel.krawczyk at hush.com]
Sent: Monday, February 18, 2013 6:32 AM
To: Chris Eng; owasp-topten at lists.owasp.org
Subject: RE: [Owasp-topten] RC1 comments

On 17/2/2013 at 9:47 PM, "Chris Eng" <ceng at Veracode.com> wrote:

> It’s also worth thinking about who’s using the OWASP Top Ten.  In theory it’s enterprise developers.  In practice it’s enterprise risk management (CISO/CIO), some enterprise developers, and some penetration testers (if they’re being used to satisfy PCI requirements, for example).  Neither of those groups includes Bob’s Open Source PHP Guestbook.

An example of Joomla usage in an enterprise environment: http://www.veracode.com/index.php?option=com_sefservicemap&Itemid=68

> While there is some truth to the Imperva post, measuring the percentage of server-side programming languages “out there on the Internet” isn’t exactly the most accurate way to measure enterprise risk either.  Many or most of those PHP apps may not be subject to any regulatory requirements and most of them probably don’t house any sensitive data.

And these statements are based on what?

> In other words there’s a lot of RFI out there in places that are pretty irrelevant.  Our (Veracode) data is a reflection of what enterprises are using, not the sum total of all servers on the Internet.

What I did provide, though, was a measure of attack methods used to compromise real websites on the Internet. File Inclusion remains the most prevalent cause.

> Incidentally, in the 2010 Top Ten, RFI was included in part of 2010-A4 (Insecure Direct Object References) according to the CWE hierarchy. So it should continue to be included in audit criteria as part of 2013-A4. Despite the Imperva post, it absolutely is part of the OWASP Top Ten, just not one of the top-level categories. To me this seems appropriate.

OWASP Top 10 2010 item A4 itself has two CWE references, neither of them related to File Inclusion:

 *   CWE-639: Authorization Bypass Through User-Controlled Key
 *   CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

There's a separate CWE entry on the MITRE page that goes into more detail:

 *   CWE-813: OWASP Top Ten 2010 Category A4 - Insecure Direct Object References

and it contains an FI-related attack vector:

 *   CWE-434: Unrestricted Upload of File with Dangerous Type

but it's not FI itself, which has a separate entry:

 *   CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
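The disagreement above comes down to how a CWE category is expanded: by its directly listed members only, or by walking every descendant. The script below is an added example (not code from either correspondent, OWASP or MITRE) that makes the difference concrete. It encodes only the relationships the thread itself cites (CWE-813's direct members, and CWE-98 as a child of CWE-829) as a hand-built child-to-parents map; a real run would build that map from MITRE's cwec.xml export instead. The function names are this example's own.

```python
"""Direct vs. transitive membership of a CWE category (added example).

Constructed data: CHILD_OF holds only the edges mentioned in the thread,
not a full CWE export. Replace it with a map built from cwec.xml to use
it for real.
"""
from collections import deque

# child CWE id -> set of parent ids (constructed from the e-mail, see above)
CHILD_OF = {
    22: {813}, 434: {813}, 639: {813}, 829: {813}, 862: {813}, 863: {813},
    98: {829},   # PHP File Inclusion sits under "Inclusion of Functionality
                 # from Untrusted Control Sphere", not directly under 813
}


def direct_members(child_of, root):
    """CWE ids listed as immediate members of the category `root`."""
    return sorted(c for c, parents in child_of.items() if root in parents)


def transitive_members(child_of, root):
    """Every CWE id reachable downward from `root` (breadth-first walk).

    A `seen` set keeps the walk finite even if the map contains a cycle
    or a node reachable via more than one parent.
    """
    children = {}
    for child, parents in child_of.items():
        for parent in parents:
            children.setdefault(parent, set()).add(child)
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for child in children.get(node, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return sorted(seen)


def in_category(child_of, cwe, root):
    """True if `cwe` is within the category `root` under the transitive rule."""
    return cwe in transitive_members(child_of, root)


if __name__ == "__main__":
    A4_CATEGORY = 813
    print("direct members of CWE-813:    ", direct_members(CHILD_OF, A4_CATEGORY))
    print("transitive members of CWE-813:", transitive_members(CHILD_OF, A4_CATEGORY))
    print("CWE-98 in 2010-A4 (transitive)?", in_category(CHILD_OF, 98, A4_CATEGORY))
```

With this data the direct listing of CWE-813 never shows CWE-98, while the transitive walk does, which is exactly the reading of the CWE views that the reply above says the maintainers confirmed.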
