[Owasp-topten] OWASP Top 10 RC - thoughts on A1 & A10

G.Fragkos gfragkos at gmail.com
Wed Apr 19 15:28:54 UTC 2017


Dear Tim,

In general, what I am trying to say is that Underprotected APIs fall under
the Injection risk, and that Unvalidated Redirects and Forwards are a real
risk with security impacts, based on my personal experience, especially when
there are online payments involved.

What you described in your example is what I tried to briefly mention:
companies see it as a "two-stage attack", and are *happy to shift the
responsibility* to the end-user (put the blame on what was clicked), instead
of ensuring that such a risk is not present.

Yes, users should not be clicking on malicious links (and should have the
appropriate awareness training), but in our case we are discussing what the
risks are from the application security perspective, not trying to solve the
human behavioural factor.

From my end, I tried to explain why we see these as being "rare": it is not
because they do not exist, but because very little attention is paid to
them, due to the fact that it is not a hot topic in the news that someone
managed to steal 100-1000 card payment details (using that method), compared
to the presence of an SQLi vulnerability that led to a data breach that
revealed user passwords (in some cases properly encrypted).

These are my thoughts (.02), and please do not see them as me trying to say
I am right, or as disagreeing with you.
It is simply something I believe should have been shared with OWASP as a
couple of thoughts, and also to hear other people's input on the matter.

Kind Regards,



On Wed, Apr 19, 2017 at 3:18 PM, <bradcausey at gmail.com> wrote:

> No doubt. I think, though, they are comparatively rare when compared to
> attacks like SQLi, etc.
>
> There are certainly security impacts, no doubt, but I'm not sure if it
> should be a top 10. After all we are targeting users who are blindly
> clicking links from unexpected messages.
>
> Just my .02
>
>
> Sent from my iPhone
>
> On Apr 19, 2017, at 9:12 AM, Ryan Dewhurst <ryandewhurst at gmail.com> wrote:
>
> Unvalidated redirects are quite popular on Skype, see our recent discussion
> on Twitter (Google and Baidu):
> https://twitter.com/antisnatchor/status/849207427148939264
>
> On Wed, Apr 19, 2017 at 4:07 PM, <bradcausey at gmail.com> wrote:
>
>> To add to that, Tim. Unvalidated redirect attacks are extremely rare in
>> the wild, because of what you describe.
>>
>>
>>
>> Sent from my iPhone
>>
>> > On Apr 19, 2017, at 8:45 AM, Timothy D. Morgan <tim.morgan at owasp.org> wrote:
>> >
>> > Hi Grigorios,
>> >
>> >> From what I have seen in different projects, dropping "A10 –
>> >> Unvalidated Redirects and Forwards" will be perceived (misunderstood) as
>> >> an "insignificant" security issue, while it can be used to spawn a number
>> >> of attacks. If an attacker manages to redirect/forward a user to a
>> >> fraudulent website (that looks exactly like the legitimate one), then it
>> >> is game-over for that user.
>> >
>> > Have you ever performed a spear phishing attack against users?  You'll
>> > quickly find that in most orgs, users easily fall for simple link deception
>> > attacks (e.g. an image with text that shows http://example.com/, but
>> > actually points to http://example.com.evil.com/ when clicked).  With that
>> > in mind, is an unvalidated redirect really *that* much better for the
>> > attacker?  If users don't look at the URL of the site they are on, then
>> > does it matter if the initial site starts at the valid domain?  The added
>> > risk is fairly insignificant because so many other phishing techniques
>> > still work so well.
>> >
>> > The same goes for clickjacking... why invest so much in building a
>> > clickjacking attack when a scraped login form on a malicious domain works
>> > even better?
>> >
>> > tim
>> > _______________________________________________
>> > Owasp-topten mailing list
>> > Owasp-topten at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-topten