[Owasp-topten] OWASP Top 10 RC - thoughts on A1 & A10

G.Fragkos gfragkos at gmail.com
Wed Apr 19 12:34:30 UTC 2017

I understand the importance of highlighting the Unprotected APIs (A10), and
I do agree with the importance of it.
However, to my eyes this is another stage during a security assessment
while engaging in testing for different types of Injections (A1).

I believe Injections (A1) should include the Unprotected APIs (especially
based on the example attack scenarios given in the PDF page 17 for the Top
10 RC).

From what I have seen on several real-world projects, Unvalidated Redirects
and Forwards is a very common security issue (when you manage to identify
where it is hiding),
but it is not highlighted in reports that often (and that is the reason it
seems/feels like it is not that popular as a finding).
One of the main reasons is that businesses (business perspective) see
this highlighted risk as a two-step attack, so, instead of addressing it,
they simply "accept the risk".

From what I have seen in different projects, dropping "A10 – Unvalidated
Redirects and Forwards" will be perceived (misunderstood) as an
"insignificant" security issue,
while it can be used to spawn a number of attacks. If an attacker manages
to redirect/forward a user to a fraudulent website (that looks exactly like
the legitimate one), then it is game-over for that user.

Just to mention a couple of very recent examples: punycode,
or the unvalidated redirect on LinkedIn, which allowed downloading malware
from LinkedIn redirects (even though they were hashing the URLs).

So, in my humble opinion, A1 should be Injections that include calls to
Unprotected APIs: A1 - Injections, including Unprotected APIs
and keep A10 - Unvalidated Redirects and Forwards.

Grigorios Fragkos