[Owasp-topten] Statistics to Support "A10 - Unvalidated Redirects and Forwards"

Chris Eng ceng at veracode.com
Fri May 31 03:37:37 UTC 2013

Hi Christian,

I think you're looking at the wrong chart. The 1% you cite is from Figure 18, which is the percentage of all flaws detected. This doesn't tell you much about prevalence, just volume. There are so many XSS flaws (by count) that it dwarfs all the other categories.

Figure 20 is much more meaningful because it shows the percentage of apps affected by each flaw category.  In this chart, Insufficient Input Validation (i.e. Unvalidated Redirects plus other CWEs) affects 24% of web applications.

If you'd like to look at Volume 5 you can find it here: https://www.veracode.com/images/pdf/soss/state-of-software-security-report-volume5.pdf

Figure 26 in Volume 5 might be of interest.  Again, generally focus more on the charts that depict Percent of Applications Affected and less on the ones that depict Share of Total Vulnerabilities.


From: Christian Heinrich [christian.heinrich at cmlh.id.au]
Sent: Thursday, May 30, 2013 11:07 PM
To: Chris Eng
Cc: OWASP TopTen
Subject: Re: Statistics to Support "A10 - Unvalidated Redirects and Forwards"


On Fri, May 31, 2013 at 7:56 AM, Chris Eng <ceng at veracode.com> wrote:
> We flag Unvalidated Redirects as CWE-601, which, in the SoSS reports, gets lumped into
> "Insufficient Input Validation" with a handful of other categories.  So you can't easily isolate
> the Unvalidated Redirects using that report.  However, with the raw data I can.

"Insufficient Input Validation" is listed as 1% within figure "Figure
20: Top Vulnerability Categories (Percent of Applications Affected for
Web Applications)" for Volume 4.

I would be interested to know if Veracode noticed an increase in
requests to test for "Unvalidated Redirects and Forwards" and a
subsequent reduction in the number of vulnerable applications based on
its inclusion in the Top Ten 2010 release?

On Fri, May 31, 2013 at 7:56 AM, Chris Eng <ceng at veracode.com> wrote:
> I don't have the raw data from SoSS volume 4 readily available, but I do have some of the raw data from SoSS volume 5, which we released a couple months ago.  Looking at a 12-month slice of that data set (April 2011 to March 2012), we find through static analysis that around 12% of the roughly 6,000 applications had at least one Unvalidated Redirect flaw.  So it is reasonably prevalent.

I haven't registered to download the latest SoSS release.

Christian Heinrich


More information about the Owasp-topten mailing list