[Owasp-topten] OWASP Top 10 RC - thoughts on A1 & A10

Timothy D. Morgan tim.morgan at owasp.org
Wed Apr 19 13:45:26 UTC 2017

Hi Grigorios,

> From what I have seen in different projects, dropping "A10 – Unvalidated
> Redirects and Forwards" will be perceived (misunderstood) as an
> "insignificant" security issue,
> while, it can be used to spawn a number of attacks. If an attacker manages
> to redirect/forward a user to a fraudulent website (that looks exactly like
> the legitimate one), then it is game-over for that user.

Have you ever performed a spear phishing attack against users?  You'll quickly
find that in most orgs, users easily fall for simple link deception attacks
(e.g. an image with text that shows http://example.com/, but actually points to
http://example.com.evil.com/ when clicked).  With that in mind, is an
unvalidated redirect really *that* much better for the attacker?  If users
don't look at the URL of the site they are on, then does it matter if the
initial site starts at the valid domain?  The added risk is fairly
insignificant because so many other phishing techniques still work so well.

The same goes for clickjacking... why invest so much in building a clickjacking
attack when a scraped login form on a malicious domain works even better?


More information about the Owasp-topten mailing list