Arshad Noor wrote:

> A more optimal solution is to have this vulnerability accepted by
> the OWASP community as a "Top 10" security vulnerability; it will
> have the appropriate intended effect since mitigation to the OWASP
> defined vulnerabilities is required in PCI-DSS:
>
> "6.5 Develop all web applications based on secure coding guidelines
> such as the Open Web Application Security Project guidelines"

Isn't this vulnerability already in the Top 10, specifically "A7 - Broken Authentication and Session Management" (http://www.owasp.org/index.php/Top_10_2007-A7)?

From the "Protection" section for A7:

"Do not allow the login process to start from an unencrypted page. Always start the login process from a second, encrypted page with a fresh or new session token to prevent credential or session stealing, phishing attacks and session fixation attacks."

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
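The A7 protection text quoted in the message above describes two controls: refuse to start the login process over plain HTTP, and issue a fresh session token when login begins so that an identifier the client already holds (possibly planted by an attacker) is never carried into the authenticated session. The following is an added, stdlib-only illustration of both controls, not code from the original post, from OWASP, or from any framework. The request and response are plain dicts so it runs offline; the names begin_login, complete_login, SESSION_STORE and the cookie name SID are assumptions, and the credentials are constructed demo data.

```python
"""Login start and completion following the A7 "Protection" advice.

Hypothetical, framework-free sketch: a request is a dict with keys
"scheme", "host", "path" and "cookies"; a response is a dict with
"status", "headers" and "body".  All names here are assumptions.
"""
import hmac
import secrets

# Server-side session table: token -> session state (in-memory, constructed).
SESSION_STORE = {}
SESSION_COOKIE = "SID"


def _new_session(state):
    """Mint an unpredictable token (32 random bytes) and register its state."""
    token = secrets.token_urlsafe(32)
    SESSION_STORE[token] = dict(state)
    return token


def _set_cookie_header(token):
    # Secure: never sent over plain HTTP.  HttpOnly: not readable by script.
    # SameSite=Lax: not attached to cross-site POSTs.
    return f"{SESSION_COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _redirect_to_https_login(request):
    return {
        "status": 302,
        "headers": {"Location": f"https://{request['host']}/login"},
        "body": "",
    }


def begin_login(request):
    """Serve the login form only over TLS and only with a fresh token."""
    if request["scheme"] != "https":
        # Control 1: the login process must not start from an unencrypted
        # page, so no form is rendered; the client is sent to the TLS page.
        return _redirect_to_https_login(request)

    # Control 2: discard whatever session identifier the client presented
    # (it may be attacker-chosen) and issue a brand-new one for the login.
    presented = request["cookies"].get(SESSION_COOKIE)
    SESSION_STORE.pop(presented, None)
    token = _new_session({"authenticated": False, "user": None})
    return {
        "status": 200,
        "headers": {"Set-Cookie": _set_cookie_header(token)},
        "body": "<form method=post action=/login>...</form>",
    }


def complete_login(request, username, password, verify):
    """Authenticate, then rotate the token again so the pre-authentication
    identifier never becomes the authenticated one (session fixation)."""
    if request["scheme"] != "https":
        return _redirect_to_https_login(request)
    pre = request["cookies"].get(SESSION_COOKIE)
    state = SESSION_STORE.get(pre)
    if state is None or state["authenticated"]:
        # No login in progress under this token: refuse rather than guess.
        return {"status": 403, "headers": {}, "body": "login not started"}
    if not verify(username, password):
        return {"status": 401, "headers": {}, "body": "bad credentials"}
    del SESSION_STORE[pre]
    token = _new_session({"authenticated": True, "user": username})
    return {
        "status": 200,
        "headers": {"Set-Cookie": _set_cookie_header(token)},
        "body": "welcome",
    }


def make_verifier(expected):
    """Return a verify(username, password) callback over a constructed
    credential table; compare_digest avoids a timing side channel."""
    def verify(username, password):
        stored = expected.get(username)
        return stored is not None and hmac.compare_digest(stored, password)
    return verify


if __name__ == "__main__":
    verify = make_verifier({"alice": "correct horse battery staple"})
    r = begin_login({"scheme": "http", "host": "example.test",
                     "path": "/login", "cookies": {}})
    print(r["status"], r["headers"]["Location"])
    r = begin_login({"scheme": "https", "host": "example.test",
                     "path": "/login", "cookies": {"SID": "planted-by-attacker"}})
    print(r["status"], r["headers"]["Set-Cookie"])
```

The two token rotations are deliberate: the first (in begin_login) defeats a fixation attempt made before the user ever sees the form, and the second (in complete_login) ensures that even a token leaked from the pre-authentication exchange is worthless once credentials have been checked. Real deployments would also bind the session table to a persistent store and add HSTS so the initial plaintext request never happens.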
