[Owasp-topten] OWASP Top 10 RC - thoughts on A1 & A10

bradcausey at gmail.com bradcausey at gmail.com
Wed Apr 19 14:18:53 UTC 2017


No doubt. I think, though, they are comparatively rare when compared to attacks like SQLi, etc. 

There are certainly security impacts, no doubt, but I'm not sure if it should be a top 10. After all we are targeting users who are blindly clicking links from unexpected messages.

Just my .02


Sent from my iPhone

> On Apr 19, 2017, at 9:12 AM, Ryan Dewhurst <ryandewhurst at gmail.com> wrote:
> 
> Unvalidated redirects are quite popular on Skype, see our recent discussion on Twitter (Google and Baidu) https://twitter.com/antisnatchor/status/849207427148939264
> 
>> On Wed, Apr 19, 2017 at 4:07 PM, <bradcausey at gmail.com> wrote:
>> To add to that, Tim. Unvalidated redirect attacks are extremely rare in the wild, because of what you describe.
>> 
>> 
>> 
>> Sent from my iPhone
>> 
>> > On Apr 19, 2017, at 8:45 AM, Timothy D. Morgan <tim.morgan at owasp.org> wrote:
>> >
>> > Hi Grigorios,
>> >
>> >> From what I have seen in different projects, dropping "A10 – Unvalidated
>> >> Redirects and Forwards" will be perceived (misunderstood) as an
>> >> "insignificant" security issue,
>> >> while it can be used to spawn a number of attacks. If an attacker manages
>> >> to redirect/forward a user to a fraudulent website (that looks exactly like
>> >> the legitimate one), then it is game over for that user.
>> >
>> > Have you ever performed a spear phishing attack against users?  You'll quickly
>> > find that in most orgs, users easily fall for simple link deception attacks
>> > (e.g. an image with text that shows http://example.com/, but actually points to
>> > http://example.com.evil.com/ when clicked).  With that in mind, is an
>> > unvalidated redirect really *that* much better for the attacker?  If users
>> > don't look at the URL of the site they are on, then does it matter if the
>> > initial site starts at the valid domain?  The added risk is fairly
>> > insignificant because so many other phishing techniques still work so well.
>> >
>> > The same goes for clickjacking... why invest so much in building a clickjacking
>> > attack when a scraped login form on a malicious domain works even better?
>> >
>> > tim
>> > _______________________________________________
>> > Owasp-topten mailing list
>> > Owasp-topten at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-topten
> 
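As an added, defender-side example that is not part of this thread or of the OWASP Top 10 project: the check an application would put in front of a `?next=`-style redirect so that it is not an open redirect (A10), written so that it also rejects the lookalike host Tim mentions (`example.com.evil.com`), protocol-relative targets and non-web schemes. The allowlist hosts, the sample values and the function names are assumptions made up for illustration; a deliberately weak substring check is included beside the strict one to show why exact host matching matters.

```python
from urllib.parse import urlparse

# Constructed allowlist for illustration: hosts this app may redirect to.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site absolute path or an http(s) URL whose host
    matches the allowlist exactly. Everything else is rejected."""
    if not target:
        return False
    # Whitespace and control characters are dropped by some parsers and
    # browsers, so a host split by a tab or newline can parse differently
    # on the client than it does here. Reject them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat a backslash like a forward slash in this position, so
    # "/\evil.com" becomes the protocol-relative "//evil.com" on the client.
    if "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme:
        # Only web schemes; this rules out javascript:, data:, file: and so on.
        if parsed.scheme.lower() not in ("http", "https"):
            return False
        host = (parsed.hostname or "").lower().rstrip(".")
        # Exact match, not substring or prefix: "example.com.evil.com"
        # and "example.com@evil.com" both fail here.
        return host in allowed_hosts
    # No scheme but a netloc means protocol-relative ("//evil.com/"): reject.
    if parsed.netloc:
        return False
    # Otherwise require an absolute path on this site.
    return target.startswith("/")


def naive_substring_allows(target: str) -> bool:
    """The kind of check the lookalike host in the thread defeats:
    "example.com" appears inside "example.com.evil.com"."""
    return "example.com" in (urlparse(target).hostname or "")


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Return target if it passes validation, otherwise the fallback path."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample values of a ?next= parameter an app might receive.
    samples = [
        "/account/settings",
        "https://www.example.com/login",
        "http://example.com.evil.com/",
        "http://example.com@evil.com/",
        "//evil.com/",
        "/\\evil.com",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:36} strict={is_safe_redirect(s)!s:5} "
              f"naive={naive_substring_allows(s)}")
```

The strict check deliberately accepts nothing it cannot classify: a bare relative path without a leading slash, a scheme-only URL, or a host with a trailing dot that does not normalise to an allowlisted name all fall through to the fallback. Using the same function for internal forwards (the "Forwards" half of A10) means the destination is chosen from a known set rather than taken from the request.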