[Owasp-topten] Concerns about the Top 10 RC

Timothy D. Morgan tim.morgan at owasp.org
Tue Apr 11 19:13:05 UTC 2017


Hello,

I've heard a lot of criticism about the proposed OWASP top ten from the
pentesting community:  

The biggest is that A7 sounds like a thinly-veiled ploy to promote IPS/WAF
products.  Other people's paraphrased words, not mine, but I do tend to agree.
I seem to recall similar concerns were raised about A9 last time around, since
there were commercial products that tackle this problem being sold by some
involved in the project.  Do we want the pentesting community to see the top 10
as being hijacked by commercial interests?


Other things I take issue with.  Some syntax, some semantics, some about
priorities:

The description for A1 reads:  "Injection flaws, such as SQL, OS, XXE, and LDAP
injection occur when untrusted data is sent to an interpreter as part of a
command or query. The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper authorization."

Two problems with this:

- What is OS injection? Is that where you take a VM and insert it into a host
  OS?  Or maybe it has something to do with containers?  I think what you mean
  to say is "shell command injection".

- XXE isn't an injection flaw.  I happen to be an SME on this.  It's not an
  injection, really.  XML injection is an injection, but that's a different kind
  of bug.  XXE is also extremely common in modern applications and deserves to
  have a much higher profile than being lumped in with a bunch of things that
  are very different.


Another concern I have is that there's very little emphasis placed on
cryptographic flaws in web applications.  Maybe 1/3 of all web applications I
look at have some kind of broken crypto in URL tokens and other tokens exposed
to users.  Broken "Bearer" tokens in OAuth, POA vulnerabilities in password
reset tokens, etc.  It is disappointing that the top 10 still doesn't mention
these anywhere, because awareness is needed.  To be clear, I'm not talking about TLS
ciphers and password hashing.  I'm talking about application crypto
vulnerabilities that are much more serious and practically exploitable.

Finally, what exactly is A10?  Um... it's almost like an answer to a
*different* question.  The top 10 has traditionally been an answer to "what
kinds of flaws might affect my application".  This is an answer to the question
"where in my application might there be flaws".  It seems like filler.  Why not
call out deserialization bugs here instead?  People get badly owned by
those.  They actually matter.

Thanks for considering these opinions.
tim
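The class of bug the post describes as "broken crypto in URL tokens and other tokens exposed to users" is easy to miss in a code review because the token looks encrypted. The example below is added here and is not the author's code or anything from the OWASP project: it builds a password-reset style token two ways, once with an unauthenticated stream cipher (an HMAC-in-counter-mode keystream stands in for any CTR/stream mode used without a MAC; that construction, the `user=...;exp=...` layout, and the assumption that account `0001` is a privileged one are all illustrative assumptions) and once with encrypt-then-MAC. An attacker who knows the plaintext layout from their own token flips ciphertext bits to change the user id in the first token; the second rejects the same tampering.

```python
"""Added illustration: malleable (unauthenticated) token vs. encrypt-then-MAC token.

Not code from the original post.  The HMAC-CTR keystream is a stand-in for
any stream/CTR-mode encryption; the point is the missing (then added) MAC.
"""
import base64
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


# --- vulnerable: encryption without integrity -------------------------------

def make_token_unauthenticated(key: bytes, payload: bytes, nonce: bytes = None) -> str:
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _xor(payload, _keystream(key, nonce, len(payload)))
    return base64.urlsafe_b64encode(nonce + ct).decode()


def read_token_unauthenticated(key: bytes, token: str) -> bytes:
    raw = base64.urlsafe_b64decode(token)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))  # no check at all


# --- the attack: bit-flip known plaintext bytes without knowing the key -----

def tamper(token: str, offset: int, known: bytes, desired: bytes) -> str:
    """XOR (known ^ desired) into the ciphertext so it decrypts to `desired`."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    start = NONCE_LEN + offset
    for i, (k, d) in enumerate(zip(known, desired)):
        raw[start + i] ^= k ^ d
    return base64.urlsafe_b64encode(bytes(raw)).decode()


# --- fixed: encrypt-then-MAC with constant-time tag comparison --------------

def make_token_authenticated(key: bytes, payload: bytes, nonce: bytes = None) -> str:
    enc_key, mac_key = _subkeys(key)
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _xor(payload, _keystream(enc_key, nonce, len(payload)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def read_token_authenticated(key: bytes, token: str) -> bytes:
    enc_key, mac_key = _subkeys(key)
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify BEFORE decrypting
        raise ValueError("token integrity check failed")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


if __name__ == "__main__":
    key = os.urandom(32)
    payload = b"user=1001;exp=1700000000"   # constructed sample layout
    weak = make_token_unauthenticated(key, payload)
    # Attacker knows their own id sits at offset 5 and targets account 0001.
    print(read_token_unauthenticated(key, tamper(weak, 5, b"1001", b"0001")))
    strong = make_token_authenticated(key, payload)
    try:
        read_token_authenticated(key, tamper(strong, 5, b"1001", b"0001"))
    except ValueError as e:
        print("rejected:", e)
```

The same malleability applies to CBC mode, where flipping bits in one block scrambles that block and makes controlled changes in the next; padding-oracle attacks against CBC reset tokens are the decryption-side cousin of this forgery. Either way the fix is the same: authenticate the ciphertext (or use an AEAD mode) and verify the tag before anything else touches the data.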

