[Owasp-topten] RC1 comments (LFI/RFI and Mass Assignment)

Paweł Krawczyk pawel.krawczyk at hush.com
Mon Feb 18 17:10:58 UTC 2013


On 18/2/2013 at 5:31 PM, "Chris Eng" wrote:

> My statements about many PHP apps on the Internet not being subject
> to regulatory requirements? It’s a guess, but an educated one I
> think. A large number of the PHP apps on the web are probably forums
> or blogs that aren’t subject to PCI or other regulations. Or
> websites owned by individuals.

Chris, I fully agree that a large number of PHP apps are unregulated,
but why should this be any criterion for inclusion? This is irrelevant
to the Top10. Citing its introduction paragraph from our own page:
_The OWASP Top Ten provides a powerful awareness document for web
application security. The OWASP Top Ten represents a broad consensus
about what the most critical web application security flaws are. _
It doesn't say anything about Top10 being limited to PCI regulated
applications only. We should either build Top10 on the evidence-based
impact of vulnerabilities, or change the description to reflect the
assumed audit/enterprise focus. That would be a bad idea, as Top10 is
not only used as an audit base, but also as a reference in articles,
books, trainings and syllabuses on application security.
> I don’t know if this changes your opinion at all, knowing that RFI
> *is* in fact within scope of the OWASP Top Ten. Or are you pushing
> for it to be a top-level category?

Yes, I think LFI/RFI deserves to be in a top-level category, taking
into account the large and quantifiable impact it has on Internet
security.
Here's another interesting case study supporting the observation that
the current choice of sources for Top10 is flawed: "Should Mass
Assignment be an OWASP Top 10 Vulnerability?" The main argument for
not including Mass Assignment was:
_I just looked through ALL the stats provided as input to the OWASP
Top 10 for 2013 and I find zero mention of AutoBinding or Mass
Assignment._
I'm not arguing that MA should be in Top10 because I haven't really
looked at its real-life impact. But the current vulnerability
prevalence sources listed in RC1 are composed of 7 pentesting or
scanner vendors, whose results are interesting but limited by their
ability to actually recognize all vulnerabilities as vulnerabilities.
At the same time it does not include WHID or Zone-H, both of which
record vulnerabilities that someone has actually found and exploited.
