mk at mk.am
Thu Apr 20 13:46:46 UTC 2017
On Apr 20, 2017, 16:01 +0400, owasp-topten-request at lists.owasp.org, wrote:
> Date: Wed, 19 Apr 2017 16:28:54 +0100
> From: "G.Fragkos" <gfragkos at gmail.com>
> To: bradcausey at gmail.com
> Cc: OWASP TopTen <owasp-topten at lists.owasp.org>
> Subject: Re: [Owasp-topten] OWASP Top 10 RC - thoughts on A1 & A10
> Dear Tim,
>
> In general, what I am trying to say is that Underprotected APIs fall under
> the Injection risk, and that Unvalidated Redirects and Forwards are a real
> risk with security impacts, based on my personal experience. Especially
> when there are online payments
>
> What you described in your example is what I tried to briefly mention:
> companies see it as a "two-stage attack", and companies are *happy to
> shift the responsibility* to the end-user (put the blame on what was
> clicked), instead of ensuring that such risk is not
>
> Yes, users should not be clicking on malicious links (and should have the
> appropriate awareness training), but in our case we are discussing what
> the risks are from the application security perspective, not trying to
> solve the human behavioural factor in this case.
>
> From my end, I tried to explain why we see these as being "rare", and it
> is not because they do not exist, but because very little attention is
> paid to these, due to the fact that it is not as hot a topic on the news
> that someone managed to steal 100-1000 card payment details (using that
> method), compared to the presence of an SQLi vulnerability that led to a
> data breach that revealed user passwords (in some cases properly
> encrypted).
>
> These are my thoughts (.02) and please do not see these as me trying to
> say I am right, or as disagreeing with you. It is simply something I
> believe should have been shared with OWASP as a couple of thoughts, and
> to also hear other people's input on the matter.
>
> Kind Regards,
> On Wed, Apr 19, 2017 at 3:18 PM, <bradcausey at gmail.com> wrote:
> > No doubt. I think, though, they are comparatively rare when compared to
> > attacks like SQLi, etc.
> > There are certainly security impacts, no doubt, but I'm not sure if it
> > should be a top 10. After all we are targeting users who are blindly
> > clicking links from unexpected messages.
> > Just my .02
> > Sent from my iPhone
> > On Apr 19, 2017, at 9:12 AM, Ryan Dewhurst <ryandewhurst at gmail.com> wrote:
> > Unvalidated redirects are quite popular on Skype, see our recent
> > discussion on Twitter (Google and Baidu)
> > https://twitter.com/antisnatchor/status/849207427148939264
> > On Wed, Apr 19, 2017 at 4:07 PM, <bradcausey at gmail.com> wrote:
> > > To add to that, Tim. Unvalidated redirect attacks are extremely rare in
> > > the wild, because of what you describe.
> > >
> > > Sent from my iPhone
> > >
> > > > On Apr 19, 2017, at 8:45 AM, Timothy D. Morgan <tim.morgan at owasp.org>
> > > > wrote:
> > > >
> > > > Hi Grigorios,
> > > >
> > > > > From what I have seen in different projects, dropping "A10 -
> > > > > Unvalidated Redirects and Forwards" will be perceived (misunderstood)
> > > > > as an "insignificant" security issue, while it can be used to spawn
> > > > > a number of attacks. If an attacker manages to redirect/forward a
> > > > > user to a fraudulent website (that looks exactly like the
> > > > > legitimate one), then it is game-over for that user.
> > > >
> > > > Have you ever performed a spear phishing attack against users? You'll
> > > > quickly find that in most orgs, users easily fall for simple link
> > > > deception attacks (e.g. an image with text that shows
> > > > http://example.com/, but actually points to
> > > > http://example.com.evil.com/ when clicked). With that in mind, is an
> > > > unvalidated redirect really *that* much better for the attacker? If
> > > > users don't look at the URL of the site they are on, then does it
> > > > matter if the initial site starts at the valid domain? The added risk
> > > > is fairly insignificant because so many other phishing techniques
> > > > still work so well.
> > > >
> > > > The same goes for clickjacking... why invest so much in building a
> > > > clickjacking attack when a scraped login form on a malicious domain
> > > > works even better?
> > > >
> > > > tim
> > > > _______________________________________________
> > > > Owasp-topten mailing list
> > > > Owasp-topten at lists.owasp.org
> > > > https://lists.owasp.org/mailman/listinfo/owasp-topten
> End of Owasp-topten Digest, Vol 84, Issue 33
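An added example, not from the thread or from OWASP: a redirect-target validator in Python of the kind that closes the Unvalidated Redirects and Forwards risk debated above. The allow-list and the sample inputs are constructed; it accepts only same-site paths or absolute http(s) URLs whose host is exactly allow-listed, so the lookalike host `example.com.evil.com` that Tim mentions is rejected along with protocol-relative (`//`), userinfo (`@`), backslash and non-http-scheme targets.

```python
"""Added example (not part of the list thread): a redirect-target
validator that closes the Unvalidated Redirects and Forwards risk.
ALLOWED_HOSTS and the sample inputs are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts a redirect may leave the app for.
ALLOWED_HOSTS = {"example.com", "payments.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it is a same-site path or an absolute
    http(s) URL whose host is exactly allow-listed; otherwise `default`."""
    # Reject empty input, surrounding whitespace, control characters and
    # backslashes (browsers treat '/\evil.com' like '//evil.com').
    if (not target or target != target.strip() or "\\" in target
            or any(ord(c) < 0x20 for c in target)):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:            # e.g. a malformed IPv6 literal
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: allow '/path' only. A '//host' form never gets
        # here because urlsplit puts 'host' into netloc.
        return target if target.startswith("/") else default
    if parts.scheme.lower() not in ("http", "https"):
        return default            # javascript:, data:, protocol-relative
    if parts.username is not None or parts.password is not None:
        return default            # https://example.com@evil.com/
    host = (parts.hostname or "").lower()
    # Exact match only: 'example.com.evil.com' must not pass a suffix test.
    return target if host in ALLOWED_HOSTS else default


def classify(candidates):
    """Map each candidate to the target the application would actually use."""
    return {c: safe_redirect_target(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs, including the tricks a validator must catch.
    for url, result in classify([
        "/account/settings",
        "https://payments.example.com/checkout",
        "https://example.com.evil.com/login",
        "//evil.com/login",
        "https://example.com@evil.com/",
        "javascript:alert(1)",
    ]).items():
        print(f"{url!r:45} -> {result!r}")
```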