[Owasp-topten] OWASP Top 10 RC - thoughts on A1 & A10
bradcausey at gmail.com
Wed Apr 19 14:18:53 UTC 2017
No doubt. I think, though, they are comparatively rare when compared to attacks like SQLi, etc.
There are certainly security impacts, no doubt, but I'm not sure if it should be a top 10. After all we are targeting users who are blindly clicking links from unexpected messages.
Just my .02
Sent from my iPhone
> On Apr 19, 2017, at 9:12 AM, Ryan Dewhurst <ryandewhurst at gmail.com> wrote:
> Unvalidated redirects are quite popular on Skype, see our recent discussion on Twitter (Google and Baidu) https://twitter.com/antisnatchor/status/849207427148939264
>> On Wed, Apr 19, 2017 at 4:07 PM, <bradcausey at gmail.com> wrote:
>> To add to that, Tim. Unvalidated redirect attacks are extremely rare in the wild, because of what you describe.
>> Sent from my iPhone
>> > On Apr 19, 2017, at 8:45 AM, Timothy D. Morgan <tim.morgan at owasp.org> wrote:
>> > Hi Grigorios,
>> >> From what I have seen in different projects, dropping "A10 – Unvalidated
>> >> Redirects and Forwards" will be perceived (misunderstood) as an
>> >> "insignificant" security issue,
>> >> while, it can be used to spawn a number of attacks. If an attacker manages
>> >> to redirect/forward a user to a fraudulent website (that looks exactly like
>> >> the legitimate one), then it is game-over for that user.
>> > Have you ever performed a spear phishing attack against users? You'll quickly
>> > find that in most orgs, users easily fall for simple link deception attacks
>> > (e.g. an image with text that shows http://example.com/, but actually points to
>> > http://example.com.evil.com/ when clicked). With that in mind, is an
>> > unvalidated redirect really *that* much better for the attacker? If users
>> > don't look at the URL of the site they are on, then does it matter if the
>> > initial site starts at the valid domain? The added risk is fairly
>> > insignificant because so many other phishing techniques still work so well.
>> > The same goes for clickjacking... why invest so much in building a clickjacking
>> > attack when a scraped login form on a malicious domain works even better?
>> > tim
>> > _______________________________________________
>> > Owasp-topten mailing list
>> > Owasp-topten at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-topten
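The thread argues about how much an unvalidated redirect adds for an attacker over plain link deception; what it does not show is the check that takes a redirect out of that category. The following is an added example, not code from the thread, from OWASP or from any project mentioned here. It assumes a hypothetical application whose login page accepts a `next` parameter, and a constructed allowlist of its own hostnames; it puts the unvalidated pattern beside a validated one and exercises both against the lookalike-domain and scheme-relative inputs practitioners usually get wrong.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hosts the application may send users to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def redirect_unsafe(target: str) -> str:
    """The 'unvalidated redirect' pattern: whatever arrives in ?next= is
    handed straight back as the Location header value."""
    return target


def redirect_validated(target: str, default: str = "/") -> str:
    """Return `target` only if it is a local absolute path or an http(s) URL
    whose host is on the allowlist; otherwise fall back to `default`.

    The check is deliberately strict: relative paths without a leading '/'
    and anything containing control characters or backslashes are refused,
    because browsers normalise those in ways a parser may not anticipate.
    """
    if not target:
        return default
    # Tabs, newlines and other control characters are stripped or folded by
    # browsers; refusing them avoids parser/browser disagreements.
    if any(ord(ch) < 0x20 for ch in target) or "\\" in target:
        return default

    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, mailto: and friends

    if parts.netloc:
        # Absolute or scheme-relative URL: the effective host decides.
        # urlsplit reports the host after any userinfo, so
        # http://example.com@evil.com/ resolves to evil.com here.
        host = (parts.hostname or "").lower()
        return target if host in ALLOWED_HOSTS else default

    # No netloc: accept only a local absolute path. "//evil.com" never reaches
    # this branch (urlsplit treats it as a netloc), and "http:evil.com" has a
    # scheme but no netloc and no leading '/', so it is refused too.
    if target.startswith("/") and not target.startswith("//"):
        return target
    return default


def compare(targets):
    """Show both handlers side by side for a list of candidate ?next= values."""
    return [(t, redirect_unsafe(t), redirect_validated(t)) for t in targets]


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    samples = [
        "/account",
        "https://www.example.com/account",
        "http://example.com.evil.com/",   # the lookalike domain from the thread
        "//evil.com",                     # scheme-relative
        "/\\evil.com",                    # backslash trick
        "http://example.com@evil.com/",   # userinfo trick
        "javascript:alert(1)",
    ]
    for target, unsafe, safe in compare(samples):
        print(f"{target!r:38} unsafe -> {unsafe!r:38} validated -> {safe!r}")
```

The point the example makes is that the validated handler does not try to spot bad URLs; it accepts a small, known-good shape (local path or allowlisted host) and sends everything else to the default. Matching on a prefix such as `startswith("http://example.com")` would still pass the lookalike `http://example.com.evil.com/` that Tim's message uses.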