FYI!!

OWASP Top 10 – 2007 (Previous)
A2 – Injection Flaws
A1 – Cross Site Scripting (XSS)
A7 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A8 – Insecure Cryptographic Storage
A10 – Failure to Restrict URL Access
A9 – Insecure Communications
A3 – Malicious File Execution
A6 – Information Leakage and Improper Error Handling

OWASP Top 10 – 2010 (New)
A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross-Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards (NEW)

I was looking at the new OWASP top ten for 2010. I think that I agree with most of the findings. I find it interesting that OWASP has dropped SQL injection and changed it to injection. There are command injection findings that I see consulting at the code review level, but I have never seen them at the pen test level. I have also seen LDAP query injection at both the code review level and the pen test level.

I agree that Cross Site Scripting is one of the most prevalent attacks in web application security today. Many of the developers that I interact with still do not see this as a risk. This is a huge vulnerability, especially in phishing schemes.

Broken Authentication and Session Management is something I see out in the wild all the time. Many of the cookies that I see on web sites are not marked as secure and are not random. This allows attackers to steal the session or even guess another person’s session, leading to information disclosure of another user. This could be devastating in high risk environments like banks.

Insecure object redirects is a vulnerability that I just started to see this year on my penetration testing engagements. I have yet to find this vulnerability in a code review. Has anyone found this vulnerability in a code review?

Cross Site Request Forgery is a hard vulnerability to explain to developers and even harder to exploit. I would imagine that this vulnerability is only exploited by the highly funded, well organized and motivated attackers and not the script kiddies.

Security Misconfiguration is something I see on a daily basis in penetration testing, whether the server is Apache or IIS.

Insecure Cryptographic Storage is a vulnerability that I have only found doing a code review. Many times I see people with plain text production database passwords inside of the web.config file. I also see people use insecure hashing algorithms like MD5 and SHA-1.

Reference: http://parsonsisconsulting.blogspot.com/2010/04/parsons-response-to-owasp-top-10-in.html

--
Regards,
Mohd Fazli Azran
_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
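The post's observation that session cookies are often neither marked Secure nor random can be turned into a small review check. The following is an added example, not code from the post or from the blog it references: it flags Set-Cookie headers that lack the Secure or HttpOnly attribute, and runs a crude predictability check over a sample of session identifiers (sequential integers, low per-character entropy). The header lines and identifiers it scans are constructed samples, and the function names are my own.

```python
import math
from collections import Counter

# Constructed Set-Cookie headers, as a reviewer might capture them from
# HTTP responses; they are samples, not from the post or any real site.
SAMPLE_HEADERS = [
    "JSESSIONID=1001; Path=/",
    "sid=7f9c2ba4e88f827d616045507605853e; Path=/; Secure; HttpOnly; SameSite=Strict",
    "auth=abc123; Path=/; Secure",
]

# Constructed session identifier samples: one predictable series, one random-looking.
SEQUENTIAL_IDS = ["1001", "1002", "1003", "1004"]
RANDOM_HEX_IDS = [
    "7f9c2ba4e88f827d616045507605853e",
    "d41d8cd98f00b204e9800998ecf8427e",
    "3c6e0b8a9c15224a8228b9a98ca1531d",
]


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes with no value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def cookie_findings(header):
    """Return (cookie name, list of weaknesses) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    return name, findings


def scan_headers(headers):
    """Map each cookie name to its findings; cookies with none are omitted."""
    report = {}
    for header in headers:
        name, findings = cookie_findings(header)
        if findings:
            report[name] = findings
    return report


def shannon_bits_per_char(ids):
    """Shannon entropy (bits per character) over the concatenated identifiers.
    Low values suggest a small alphabet or heavily repeated characters."""
    text = "".join(ids)
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(ids):
    """True if all ids are integers and consecutive ids differ by one constant."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    if len(nums) < 2:
        return False
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(diffs) == 1


def session_id_report(ids):
    """Summarise predictability indicators for a sample of session ids."""
    return {
        "sequential": looks_sequential(ids),
        "bits_per_char": round(shannon_bits_per_char(ids), 2),
    }


if __name__ == "__main__":
    for name, findings in scan_headers(SAMPLE_HEADERS).items():
        print(name, "->", "; ".join(findings))
    print("sequential sample:", session_id_report(SEQUENTIAL_IDS))
    print("random-looking sample:", session_id_report(RANDOM_HEX_IDS))
```

The entropy figure is only a screening heuristic: a short alphabet or a visibly sequential series is enough to send a cookie back to the developers, while a high figure does not by itself prove the generator is cryptographically strong.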

