[Owasp-topten] Statistics to Support "A10 - Unvalidated Redirects and Forwards"

Christian Heinrich christian.heinrich at cmlh.id.au
Fri May 31 03:07:13 UTC 2013


On Fri, May 31, 2013 at 7:56 AM, Chris Eng <ceng at veracode.com> wrote:
> We flag Unvalidated Redirects as CWE-601, which, in the SoSS reports, gets lumped into
> "Insufficient Input Validation" with a handful of other categories.  So you can't easily isolate
> the Unvalidated Redirects using that report.  However, with the raw data I can.

"Insufficient Input Validation" is listed as 1% within figure "Figure
20: Top Vulnerability Categories (Percent of Applications Affected for
Web Applications)" for Volume 4.

I would be interested to know if Veracode noticed an increase in
requests to test for "Unvalidated Redirects and Forwards" and a
subsequent reduction in the number of vulnerable applications based on
its inclusion in the Top Ten 2010 release?

On Fri, May 31, 2013 at 7:56 AM, Chris Eng <ceng at veracode.com> wrote:
> I don't have the raw data from SoSS volume 4 readily available, but I do have some of the raw data from SoSS volume 5, which we released a couple months ago.  Looking at a 12-month slice of that data set (April 2011 to March 2012), we find through static analysis that around 12% of the roughly 6,000 applications had at least one Unvalidated Redirect flaw.  So it is reasonably prevalent.

I haven't registered to download the latest SoSS release.

Christian Heinrich


More information about the Owasp-topten mailing list