[Owasp-topten] Fwd: About SSRF's order in the Top 10

Ryan Dewhurst ryandewhurst at gmail.com
Fri Oct 28 12:59:48 UTC 2016


You could categorise it as 'Injection' as the issue can be remediated with
proper input sanitisation/validation, and you're "injecting" into the
backend HTTP client.

It could also maybe be categorised as a Security Misconfiguration as you
could argue that the backend HTTP client should be configured to not permit
requests to internal hosts. But maybe in some circumstances this is
required behaviour (a feature).

I'm not sure how SSRF relates to CSRF, but I may be ignorant on some
aspects.

Personally, I would categorise the issue as an Injection issue, but happy
to be persuaded otherwise :)

On Fri, Oct 28, 2016 at 2:49 PM, Dave Wichers <dave.wichers at owasp.org>
wrote:

> I suspect that SSRF on its own wouldn't make the list, but it does make
> sense to me to include it as a new variant of CSRF. I plan to raise some
> awareness of SSRF in this manner in the new Top 10. Thanks for your note.
>
> -Dave
>
>
> On Fri, Oct 28, 2016 at 5:18 AM, Ziyahan ALBENiZ <ziyahanalbeniz at gmail.com>
> wrote:
>
>> Hi there,
>>
>> I am working on SSRF now and I wanted to consult you about it: what do you
>> think about the classification of SSRF? If you were the one trying to find
>> SSRF a place in the Top 10 list, which one would be your preference?
>>
>> Unvalidated Redirect and Forward sometimes sounds suitable. But I am with
>> the Missing Function Level Access.
>>
>> Thanks in advance.
>>
>> --
>> Ziyahan Albeniz
>> Bilgisayar Programcısı / Computer Programmer / Komputila Programisto
>>
>> *GSM :* +90 533 637 1572
>> *Skype :* ziyahanalbeniz
>> *Web    : *http://ziyahanalbeniz.blogspot.com
>> *Twitter*: @ziyaxanalbeniz <https://twitter.com/ziyaxanalbeniz>
>> *LinkedIn :* http://www.linkedin.com/in/ziyahanalbeniz
>> *PGP* :  0xA6A34AFD   / https://keybase.io/ziyahan
>>
>>
>>
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>
>>
>
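Added example, not part of the thread or of anything OWASP publishes: the two remediation routes Ryan mentions (validating the destination, and configuring the backend HTTP client so it will not reach internal hosts) worked out as a pre-fetch check in Python. The policy (schemes and ports), the hostnames and the addresses in the DNS table are constructed for the example; the one design point worth noting is that the internal-address check is applied to the *resolved* addresses, not to the hostname string, so a hostname that points into 10/8 or at 169.254.169.254 is caught the same way as a literal.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy assumed for this example: only plain web fetches to the two web
# ports, so the client cannot be pointed at Redis, SMTP or admin consoles.
ALLOWED_SCHEMES = {"http": 80, "https": 443}   # scheme -> default port
ALLOWED_PORTS = {80, 443}

# Ranges we name explicitly in addition to the ipaddress flags: "this"
# network and the carrier-grade NAT block, which is_private does not cover.
DENY_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
]


class SSRFBlocked(ValueError):
    """The user-supplied URL would make the backend client reach a disallowed host."""


def is_internal(ip) -> bool:
    """True for loopback, RFC1918/ULA, link-local (incl. cloud metadata), etc."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:10.0.0.1 is really 10.0.0.1
    if any(ip in net for net in DENY_NETWORKS):
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Resolve with the OS resolver; empty set if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


# Constructed DNS table so the example runs offline; names and addresses are made up.
DEMO_DNS = {
    "www.example.com":  {ipaddress.ip_address("93.184.216.34")},
    "intranet.example": {ipaddress.ip_address("10.1.2.3")},
    "metadata.example": {ipaddress.ip_address("169.254.169.254")},  # attacker DNS -> metadata
}


def demo_resolver(host):
    return DEMO_DNS.get(host, set())


def validate_outbound_url(url, resolver=system_resolver):
    """Check a URL the backend is about to fetch on a user's behalf.

    Returns (scheme, host, port, [resolved IPs]) or raises SSRFBlocked.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL (http://trusted.host@10.0.0.1/ trick)")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("no host in URL")
    try:
        port = parts.port if parts.port is not None else ALLOWED_SCHEMES[scheme]
    except ValueError:
        raise SSRFBlocked("malformed port") from None
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    try:
        ips = {ipaddress.ip_address(host)}   # literal address, incl. bracketed IPv6
    except ValueError:
        ips = resolver(host)                 # hostname: decide on what it resolves to
    if not ips:
        raise SSRFBlocked(f"unresolvable host: {host!r}")
    for ip in ips:
        if is_internal(ip):
            raise SSRFBlocked(f"{host!r} resolves to internal address {ip}")
    ordered = sorted(ips, key=lambda a: (a.version, int(a)))
    return scheme, host, port, [str(a) for a in ordered]


def is_allowed(url, resolver=system_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except SSRFBlocked:
        return False


if __name__ == "__main__":
    for u in ["https://www.example.com/feed", "http://intranet.example/admin",
              "http://metadata.example/latest/meta-data/", "http://[::ffff:10.0.0.1]/",
              "gopher://www.example.com/", "http://www.example.com:6379/",
              "http://www.example.com@10.1.2.3/"]:
        print(f"{u:45} {'allowed' if is_allowed(u, demo_resolver) else 'blocked'}")
```

Two caveats a practitioner would add on top of this check: the HTTP client must not follow redirects automatically (each hop has to go through the same validation, otherwise a public host can 302 the client into the internal network), and the client should connect to the address that was validated rather than resolving the name a second time, since a rebinding DNS server can answer with a public address for the check and an internal one for the fetch.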