[Owasp-topten] OWASP Top 10 RC - thoughts on A1 & A10

Ryan Dewhurst ryandewhurst at gmail.com
Wed Apr 19 14:12:51 UTC 2017


Unvalidated redirects are quite popular on Skype; see our recent discussion
on Twitter (Google and Baidu):
https://twitter.com/antisnatchor/status/849207427148939264

On Wed, Apr 19, 2017 at 4:07 PM, <bradcausey at gmail.com> wrote:

> To add to that, Tim. Unvalidated redirect attacks are extremely rare in
> the wild, because of what you describe.
>
>
>
> Sent from my iPhone
>
> > On Apr 19, 2017, at 8:45 AM, Timothy D. Morgan <tim.morgan at owasp.org>
> wrote:
> >
> > Hi Grigorios,
> >
> >> From what I have seen in different projects, dropping "A10 – Unvalidated
> >> Redirects and Forwards" will be perceived (misunderstood) as an
> >> "insignificant" security issue,
> >> while, it can be used to spawn a number of attacks. If an attacker
> manages
> >> to redirect/forward a user to a fraudulent website (that looks exactly
> like
> >> the legitimate one), then it is game-over for that user.
> >
> > Have you ever performed a spear phishing attack against users?  You'll
> quickly
> > find that in most orgs, users easily fall for simple link deception
> attacks
> > (e.g. an image with text that shows http://example.com/, but actually
> points to
> > http://example.com.evil.com/ when clicked).  With that in mind, is an
> > unvalidated redirect really *that* much better for the attacker?  If
> users
> > don't look at the URL of the site they are on, then does it matter if the
> > initial site starts at the valid domain?  The added risk is fairly
> > insignificant because so many other phishing techniques still work so
> well.
> >
> > The same goes for clickjacking... why invest so much in building a
> clickjacking
> > attack when a scraped login form on a malicious domain works even better?
> >
> > tim
> > _______________________________________________
> > Owasp-topten mailing list
> > Owasp-topten at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-topten
>
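Tim's link-deception example above (visible text http://example.com/, actual target http://example.com.evil.com/) is also the classic pitfall in redirect-target validation: a prefix or substring test on the URL string accepts the look-alike host. The block below is an added example, not code from this thread or from OWASP; it shows an allow-list check on the parsed hostname beside the naive prefix test, and ALLOWED_HOSTS, SITE_ORIGIN and the function names are assumptions.

```python
from urllib.parse import urljoin, urlparse

# Constructed for this example: the hosts a redirect may land on,
# and the origin relative paths are resolved against.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SITE_ORIGIN = "https://example.com"


def naive_prefix_check(target: str) -> bool:
    """The string-prefix test that the look-alike host defeats:
    "http://example.com.evil.com/" starts with "http://example.com"."""
    return target.startswith(("http://example.com", "https://example.com"))


def is_safe_redirect(target: str) -> bool:
    """Accept `target` only if it resolves to an allow-listed host.

    Relative paths are resolved against SITE_ORIGIN first so that a
    scheme-relative "//evil.com/" is not mistaken for a local path.
    """
    if not target:
        return False
    # Control characters, whitespace and backslashes are rejected outright:
    # browsers normalise "/\\evil.com" to "//evil.com", urlparse does not.
    if "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    resolved = urlparse(urljoin(SITE_ORIGIN, target))
    if resolved.scheme not in ("http", "https"):
        return False
    # Exact match on the parsed hostname, never a prefix or substring test.
    # This also defeats "https://example.com@evil.com/", whose host is evil.com.
    return resolved.hostname in ALLOWED_HOSTS


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Return `target` when it passes the allow-list, else a safe local path."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ("/account/settings", "http://example.com.evil.com/",
                      "//evil.com/", "https://example.com@evil.com/"):
        print(f"{candidate!r}: naive={naive_prefix_check(candidate)} "
              f"safe={is_safe_redirect(candidate)}")
```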

