Comments on Jeremiah Grossman: WASC Threat Classification to OWASP Top Ten RC1 Mapping
(18 comments, oldest first)

kingthorin, 2010-01-04 12:32
It kind of scares me that such a document needs to be created for the industry. Anyone dealing with these things should be able to come up with the same thing within about 5 sec of staring at the two lists (maybe A4 is the exception... but still).

Jeremiah Grossman, 2010-01-04 13:30
@kingthorin, the web security industry is growing dramatically. As such, there is a steep learning curve for the newcomers. We should do as much as we can to make the assimilation and utilization of knowledge as easy as possible.

Tom Brennan, 2010-01-05 07:20
Nice graphic to help people connect the dots ;)

Ryan Barnett, 2010-01-05 07:43
This isn't reflected in your graphic mapping, but there is also a link between Insufficient Anti-Automation in the TCv2 and A7 - Failure to Restrict URL Access. Specifically, Brute Force and Denial of Service attacks would also be subcategories of A7. Most people think of only the insufficient auth category, where people use security-through-obscurity and post sensitive data on a website and fail to properly restrict access by implementing some form of ACL.

Jeremiah Grossman, 2010-01-05 07:59
@Ryan, I suspect you're probably right, but I'm having trouble thinking of examples. Can you give me a for instance linking Brute Force and/or Denial of Service to A7?

Ryan Barnett, 2010-01-05 08:42
The current OWASP Top 10 view for A7 is narrow in scope and solely focused on a binary decision of whether or not a client should be allowed to access a resource. What was discussed on the topten mail-list was that the scope should be expanded to include not just if a client should have access but also at what velocity. This leads to anti-automation defenses to combat brute forcing, DoS and Scraping types of attacks.

Jeremiah Grossman, 2010-01-05 08:51
@Ryan, with those examples, now it makes good sense. Image updated.

Monica Verma, 2010-01-06 00:30
@Mr. Grossman, it's such a useful document. Thank you. We really needed one. :)

Anonymous, 2010-01-06 23:07
How about WASC-13 to A6? While this has fallen off the current OWASP Top 10 (and legitimately not everything can be in the top 10), I still get a lot of intelligence value from inappropriately verbose error messages. IMO, dumping db errors, stack traces, etc. back to the user should at least be considered a misconfiguration (i.e. no custom error page configured).

Jeremiah Grossman, 2010-01-08 08:56
@DanAnderson hmm, on the face of it, that could only be a very loose connection. Could you describe an example so I can better understand what you're looking at?

Anonymous, 2010-01-09 01:10
You'll have to excuse me, I'm having an ontological crisis. :)

For the subject at hand:

- A6 addresses configurations of the various components in a web application that may present security risks when improperly/inconsistently configured.

- WASC 14 and 15 address these improper configurations within servers and applications.

- WASC 13 (information leakage) and WASC 16 (directory indexing) are often specific instances of WASC 14 (server) and/or 15 (application).

- Specifically, if you are running a Tomcat server and you do not change your web.xml to specify an error-page, then you will expose stack traces in the default error page (which are useful for WASC-45 (fingerprinting)).

- Similarly, if you are running Apache and you do not turn off directory indexing, this is a security misconfiguration that enables WASC 16.

I think my larger issue is that WASC and OWASP are (IMO) kind of inconsistent. For example, the WASC threat classification includes attacks, weakness categories and individual instances of weaknesses. OWASP has similar issues.

There are perhaps other things in this mapping that might be worth discussing, i.e. why no SSI Injection linked to A1? Add WASC-1,2,14,15,42 to A9? Add WASC-14,15 to A10? etc...

On the other hand, maybe at some point it is "good enough".

Jeremiah Grossman, 2010-01-10 16:20
@DanAnderson Thanks for clarifying. I see where you are going now. With respect to WASC 13 (information leakage), I think including this in A6 might lead us to a bit too broad of a definition. However, do you think it would be safe to assume that a large portion of information leakage issues are a direct result of misconfigured settings like you described? If so, then I'd be inclined to add it. Just don't want to add a relative edge case.

Either way, I'll be adding WASC-16 to the mapping.

Others also asked why I didn't map SSI Injection to A1. A1 says,
"Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data."

Which to me is not at all how SSI injection works, despite the word "injection" in the title.

Yes, let's not let perfect get in the way of good, but we can fine tune over time. :)

Anonymous, 2010-01-12 18:20
I suppose SSI Injection is a bit different. Although I generally consider "Injection Attacks" to be more generic.

I prefer the way Mitre does it (http://capec.mitre.org/data/definitions/152.html), which includes SSI Injection as a child of injection (http://capec.mitre.org/data/definitions/253.html).

I'm not sure about WASC's approach. They seem to specify an incomplete list of specific types of injection attacks (i.e. no code injection (asp, jsp, php, etc.), html/link/image injection, etc.).

They might have been better off with a generic "Injection Attack" (attack) or "Injection Flaw" (weakness).

So... if you had to categorize SSI Injection (or code injection for that matter) into one of the 10 boxes that OWASP gives us, or "None of the above", would you categorize it as "Injection" or "None of the above"?

Jeremiah Grossman, 2010-01-12 20:53
@DanAnderson, probably none of the above, since none of the definitions match appropriately. Since the top ten is not meant to be all inclusive, per its very nature, not everything in it needs to have a WASC association.

Ryan Barnett, 2010-01-13 08:51
I agree with Dan about WASC-13 Information Leakage being a sub-category covered under the OWASP A6 - Security Misconfiguration section. I brought up this same rationale on the OWASP top ten project list and everyone agreed.

The best example I can give is with ASP.NET's detailed stack dump error pages. If you look at the html source, it even warns the user that they should reconfigure the customerrors mode setting in their web.config file in order to not send this sensitive/technical data to the client.

Dusty E., 2010-02-04 11:29
Jeremiah, I appreciate and agree with your comments about the learning curve for newcomers. I'm an MSIA student with very little non-academic InfoSec experience.

I feel I pretty much have to spend every minute of my spare time reading and scouring the web for documents like this to feel like I will be relevant in the industry by the time I graduate. Thank you for making this information more readily available! (I may not have found it if I hadn't subscribed to your RSS....)

Jeremiah Grossman, 2010-02-04 11:52
@Dusty glad you found the content useful. Gotta keep making this stuff visible and easier to digest.

Anonymous, 2010-04-12 05:26
Hi,
I would like to know if there is a mapping between WASC TC-v2 attacks and weaknesses. The classification doesn't tell anything about relations between attacks and weaknesses. They are outlined separately. Is there a reason for not mapping weaknesses and attacks?

Thanks,