After a nine-month process, starting with a visit to a pho restaurant with Raoul Endres in Melbourne, Australia, and ending with me working in a hotel room in Pennsylvania, USA, the Top 10 2007 is really done. It’s 35 pages packed to the rafters with good advice. The document will be launched at OWASP…
Automated detection of CSRF
I’ve been finishing the OWASP Top 10. One of the things I profess I know little about is automated tools. Up until recently, they’ve created more work (false positives, false negatives) than is actually justified in running the tool. However, they are getting better. After discussions with Jeremiah Grossman of White Hat Security and WASC…
On CSRF
Many folks are failing to understand CSRF properly, and how to protect against it. Let’s do this from the beginning and look at what works, and why. Cross-site request forgeries are simple at heart: the attacker forces the victim’s browser to use the victim’s own session and credentials to perform work the victim is authorized to do. This almost…
On injections
A fair number of years ago, I had the “pleasure” of reviewing an application written in ASP. Unfortunately, it had over 2000 SQL injections. I do not know what happened to the company, which produced legal case management software, but it would have taken a great deal of work to re-engineer the code to be…
Top 10 2007 is done
The document is a complete re-write from scratch, and is totally up to date. It’s 34 pages of goodness wrapped in a shiny new document format. Essentially it’s all over bar the shouting… which comes next! 🙂 The document will be uploaded to our Wiki in the next week (post-board approval). If you want your…
The usual suspects and what to do about them
I’ve been busy on the Top 10 2007 with Dave Wichers and Jeff Williams. I’m very close to finalizing a draft release right now. This process made me think, how can we eliminate these issues? Why should every developer have to learn how to fix the same problem? We know On some frameworks, some classes…
Research time
A few weeks ago, the announcement of the PDF hole made it clear that the age of stupid XSS vulnerabilities is still with us. Is it time for me to surf in a read only sandbox? XSS is so old school, and yet so damaging. It is so SIMPLE to prevent, but so HARD to…
Rebutting MJR’s rant
It was nice to see Marcus Ranum (who has an interesting slant to the security industry) get some press again. This time it’s on responsible / full / no disclosure. In a probably unrelated attack, his site is defaced by a SEO blackhat. Irony, eh? If only he had patched or used software which has…
OWASP Top 10 2007 nearly done
This edition’s headings:
A1. Cross-site scripting
A2. Injections
A3. Insecure Remote File Include
A4. Insecure direct object reference
A5. Cross-site request forgeries
A6. Information leakage and improper error handling
A7. Malformed input
A8. Broken authorization
A9. Insecure cryptography and communication
A10. Privilege escalation
Note what’s missing? Note what’s new? 😉 If you want to review…
WebAppSec Past and Future
All the cool kids get the press for the wrong reasons. It’s much easier to destroy than to create. Therefore, my 2006 and 2007 lists will only highlight those things which I think have helped create safer web apps, not made it harder for us to protect against them. 2006 Highlights IE 7.0 released. Seriously….