[Owasp-topten] 'A7 Insufficient Attack Protection' and conflicts of interest

Christian Folini christian.folini at netnea.com
Wed Apr 26 07:09:22 UTC 2017

Hey James,

On Tue, Apr 25, 2017 at 06:45:30PM +0100, James Kettle wrote:
> > I am sure Anti-CSRF tokens make it a lot harder for pentesters to report
> > CSRF vulnerabilities.
> I don't think you've fully understood Eduardo's comment. CSRF tokens don't
> make it harder to find the vulnerability, they remove the vulnerability.
> This is a huge and extremely important difference.

Of course I see this difference. I just do not think it is extremely
important if you look at the security of a system with the eyes of an
attacker. If you face a well configured WAF (which is a rare sight, I
admit) then the vulnerability is effectively removed. Unless you manage
to exploit the WAF first, which is similar to exploiting the CSRF code.

There is a conceptual difference. But if you look at the
effective security of the whole system, the difference becomes smaller.

> > you want easy access to the vulnerabilities and you do not mind leaving
> > the door open for the bad guys as well.
> As every pentester who has encountered a WAF knows, all WAFs tend to do is
> slow down the process of finding and exploiting vulnerabilities.

That is a very bold claim. I could second it if you had said
"often", but "every pentester" and "all WAFs" take it too far.

PM to get a URL if you think you can prove it true.

> that's being audited via a pentest or bug bounty hunters, this leads to
> vulnerabilities being missed and remaining unfixed.

I guess we can all agree that fixing a vulnerability in the source code of
the application is the golden path. But 20-40 years of experience have
shown that this advice has not solved the security problem for the vast
majority of sites and applications: it's the same vulnerabilities
popping up again and again.

New ideas are needed. A7 is such a new idea.

And I am far from claiming that A7 should replace the sound
advice of fixing your code. But I think that adding sufficient
attack protection to your setup is a big improvement that buys you
time. If you are smart, you use that time to fix your code.

Very often, new ideas face fierce opposition first. The question is
if they can stand the test of time.

I am not entirely happy with the wording of A7 so far.
But it is a good start and refining it will make a useful
contribution to Top10 in my eyes.

It ought to be remembered that there is nothing more difficult to
take in hand, more perilous to conduct, or more uncertain in its
success, than to take the lead in the introduction of a new order of
--- Niccolò Machiavelli
