[Owasp-topten] OWASP Top 10 RC - thoughts on A1 & A10

bradcausey at gmail.com
Wed Apr 19 14:07:48 UTC 2017


To add to that, Tim: unvalidated redirect attacks are extremely rare in the wild, because of what you describe.



Sent from my iPhone

> On Apr 19, 2017, at 8:45 AM, Timothy D. Morgan <tim.morgan at owasp.org> wrote:
> 
> Hi Grigorios,
> 
>> From what I have seen in different projects, dropping "A10 – Unvalidated
>> Redirects and Forwards" will be perceived (misunderstood) as an
>> "insignificant" security issue,
>> while, it can be used to spawn a number of attacks. If an attacker manages
>> to redirect/forward a user to a fraudulent website (that looks exactly like
>> the legitimate one), then it is game-over for that user.
> 
> Have you ever performed a spear phishing attack against users?  You'll quickly
> find that in most orgs, users easily fall for simple link deception attacks
> (e.g. an image with text that shows http://example.com/, but actually points to
> http://example.com.evil.com/ when clicked).  With that in mind, is an
> unvalidated redirect really *that* much better for the attacker?  If users
> don't look at the URL of the site they are on, then does it matter if the
> initial site starts at the valid domain?  The added risk is fairly
> insignificant because so many other phishing techniques still work so well.
> 
> The same goes for clickjacking... why invest so much in building a clickjacking
> attack when a scraped login form on a malicious domain works even better?
> 
> tim
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten

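The thread argues about how much an open redirect adds for an attacker; the defensive side of A10 is still cheap to get right. As an added example (not code from anyone in this thread), here is a redirect-target validator in Python that rejects the `example.com.evil.com` host-suffix trick Tim mentions, protocol-relative `//evil.com` targets, backslash and userinfo variants, and non-HTTP schemes. The allow-list of hosts is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the hosts a post-login redirect may land on.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it keeps the user on an allowed host, else `fallback`.

    Comparison is by exact hostname, never by suffix, so that
    "example.com.evil.com" is not mistaken for "example.com".
    """
    if not target:
        return fallback

    # Browsers treat backslashes as forward slashes in URLs, so normalise first;
    # otherwise "/\\evil.com" would parse as a harmless relative path here.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    # Absolute ("https://...") and protocol-relative ("//...") forms carry a
    # scheme and/or netloc; anything else is treated as a same-site path.
    if parts.scheme or parts.netloc:
        # Rejects javascript:, data:, and scheme-less "//evil.com" alike.
        if parts.scheme not in ("http", "https"):
            return fallback
        # .hostname strips userinfo and port: "https://example.com@evil.com/"
        # yields "evil.com", which is then rejected by the exact match below.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return fallback
        return normalised

    # Same-site path: require a single leading "/" (a double slash would be
    # protocol-relative and was already handled above, but keep the check
    # explicit so the relative branch never opens a hole on its own).
    if not normalised.startswith("/") or normalised.startswith("//"):
        return fallback
    return normalised
```

Protocol-relative targets to an allowed host are also sent to the fallback; that is a deliberate conservative choice, since nothing legitimate needs that form.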
