[Owasp-topten] Statistics to Support "A10 - Unvalidated Redirects and Forwards"

Christian Heinrich christian.heinrich at cmlh.id.au
Fri May 31 04:07:05 UTC 2013


Yes, it was Figure 18 not 20 - dam copy and paste :)

Can you expand on what else Insufficient Input Validation represents?
Is this listed on http://cwe.mitre.org/data/definitions/601.html as

On Fri, May 31, 2013 at 1:37 PM, Chris Eng <ceng at veracode.com> wrote:
> Hi Christian,
> I think you're looking at the wrong chart. The 1% you cite is from Figure 18, which is the percentage of all flaws detected. This doesn't tell you much about prevalence, just volume. There are so many XSS flaws (by count) that it dwarfs all the other categories.
> Figure 20 is much more meaningful because it shows the percentage of apps affected by each flaw category.  In this chart, Insufficient Input Validation (i.e. Unvalidated Redirects plus other CWEs) affects 24% of web applications.
> If you'd like to look at Volume 5 you can find it here: https://www.veracode.com/images/pdf/soss/state-of-software-security-report-volume5.pdf
> Figure 26 in Volume 5 might be of interest.  Again, generally focus more on the charts that depict Percent of Applications Affected and less on the ones that depict Share of Total Vulnerabilities.

Christian Heinrich


More information about the Owasp-topten mailing list