[Owasp-topten] OWASP Top 10 - 2017 Release Candidate - Comments

Soroush Dalili soroush.dalili at owasp.org
Wed Apr 12 10:10:04 UTC 2017

Hi List,
I thought I should forward this here as well as I had forgotten to do so (I
had sent it to Dave Wichers on 10/04/2017):

*A1: Perhaps adding template injection at least as a reference*
Although template injections are similar to expression language injections,
they are different and should be treated differently. We see them more
these days because of all the new frameworks and the good job PortSwigger
team did on researching them.

*A7: Insufficient Attack Protection – what is the definition for
It is good to include this as a risk especially with all automated tools
against all the applications but at the moment someone may argue that this
is not a problem that developers can solve (to pass the ball)! As its
definition is vague, it can be considered an issue for network teams to
firewall an application. Also, is IP/attacker blocking the main part of
this issue? Or is it more about detecting the attacks by raising some
alarms. Shall we for example report an issue like this if it does not block
attackers for a period of time but stop some certain requests? Shall we
count technologies such as .net request validation an insufficient attack
protection technique considering it is only useful for a portion of XSS
issue? Does blocking an attacker for 5 minutes after sending 20 malicious
requests consider as an insufficient technique?
I just wanted to say that perhaps we need more clarification on this to be
able to measure it when a solution is there but is not sufficient.

*A10: Unprotected API subject is vague and confusing*
In new modern days of testing web applications, APIs are part of web
applications and should not be considered as separate pieces. For example
we see a lot of websites these days that can be a simple HTML pages using
extensive APIs.
IMHO practically it is wrong to say unprotected API as a separate subject.
API on its own can be vulnerable to any of the OWASP top 10 for example. So
if we find one issue on an API, shall we say it was an unprotected API? Or
this is only related to access control issues (A4) but for the APIs?
Additionally, who will decide what is an API and what is a web application?
Shall we consider anything that doesn’t include HTML in their responses
APIs? Or shall we work this out using the requests or perhaps if we have a
restful application only? These days many of the APIs can be like a normal
web page and response differently depends on the request.

*What are the stats on SSRF and others?*
With having all cloud services and lots of solutions to host different
resources on different servers, we see more SSRF attacks these days with
which attackers can target another server or another internal port and so
on. I thought we should see SSRF now in OWASP top 10 but you have all the
stats so it might be good to

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170412/0030e182/attachment.html>

More information about the Owasp-topten mailing list