[Owasp-topten] Statistics to Support "A10 - Unvalidated Redirects and Forwards"

Christian Heinrich christian.heinrich at cmlh.id.au
Thu May 30 00:08:46 UTC 2013


Chris,

Neil's e-mail had me thinking about exploring other entries in the OWASP
Top Ten which are considered odd yet based on the OWASP Risk
Assessment Methodology proposed by Aspect Security, i.e. "Unvalidated
Redirects and Forwards" included in the 2010 Release.

My commentary that negates "Unvalidated Redirects and Forwards" as an
unknown residual or inherent risk is available from
http://lists.owasp.org/pipermail/owasp-testing/2013-May/002140.html

How does Veracode list A10 - "Unvalidated Redirects and Forwards",
since the rows "Indicate categories that are in the OWASP Top 10" of
"Figure 20: Top Vulnerability Categories (Percent of Applications
Affected for Web Applications)" within
http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF

I'll assume these are correct and absolute based on
https://www.owasp.org/index.php/Quote-Veracode_Provides_Visibility_into_Their_Verification_Process_for_the_OWASP_Top_10

I have not encountered a redirect and forward in a web application
that I have audited since the publication of the OWASP T10 2010
release but they might exist outside of Google.

I would welcome Trustwave, Minded Security, Whitehat, Softtek, HP, to
also indicate if they have documented statistics supporting
"Unvalidated Redirects and Forwards" too?

On Thu, May 30, 2013 at 12:40 AM, Neil Smithline
<neil.smithline at owasp.org> wrote:
> But for the 2013 T10, neither the process nor the format and contents of the
> T10 should have been a surprise. They are identical to the 2010 T10. As
> such, I think that the time to propose significant changes to the T10 should
> have occurred over the past 3 years, not now.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact