[Owasp-topten] Statistics to Support "A10 - Unvalidated Redirects and Forwards"

Chris Eng ceng at veracode.com
Thu May 30 21:56:04 UTC 2013

Hi Christian,

We flag Unvalidated Redirects as CWE-601, which, in the SoSS reports, gets lumped into "Insufficient Input Validation" with a handful of other categories.  So you can't easily isolate the Unvalidated Redirects using that report.  However, with the raw data I can.

I don't have the raw data from SoSS volume 4 readily available, but I do have some of the raw data from SoSS volume 5, which we released a couple months ago.  Looking at a 12-month slice of that data set (April 2011 to March 2012), we find through static analysis that around 12% of the roughly 6,000 applications had at least one Unvalidated Redirect flaw.  So it is reasonably prevalent.  

Does this help?


-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at cmlh.id.au] 
Sent: Wednesday, May 29, 2013 8:09 PM
To: Chris Eng
Cc: OWASP TopTen
Subject: Statistics to Support "A10 - Unvalidated Redirects and Forwards"


Neil e-mail had me thinking about exploring other entries in the OWASP Top Ten which are considered odd yet based on the OWASP Risk Assessment Methodology proposed by Aspect Security i.e. "Unvalidated Redirects and Forwards" included in the 2010 Release.

My commentary that negates "Unvalidated Redirects and Forwards"  as an unknown residual or inherent risk is available from http://lists.owasp.org/pipermail/owasp-testing/2013-May/002140.html

How does Veracode list A10 - "Unvalidated Redirects and Forwards"
since the rows  "Indicate categories that are in the OWASP Top 10" of "Figure 20: Top Vulnerability Categories (Percent of Applications Affected for Web Applications)" within http://info.veracode.com/rs/veracode/images/VERACODE-SOSS-V4.PDF

I'll assume these are correct and absolute based on

I have not encountered a redirect and forward in a web application that I have audited since the publication of the OWASP T10 2010 release but they might exist outside of Google.

I would welcome Trustwave, Minded Security, Whitehat, Softtek, HP, to also indicate if they have documented statistics supporting "Unvalidated Redirects and Forwards" too?

On Thu, May 30, 2013 at 12:40 AM, Neil Smithline <neil.smithline at owasp.org> wrote:
> But for the 2013 T10, neither the process nor the format and contents 
> of the
> T10 should have been a surprise. They are identical to the 2010 T10. 
> As such, I think that the time to propose significant changes to the 
> T10 should have occurred over the past 3 years, not now.

Christian Heinrich


More information about the Owasp-topten mailing list