20070131

OWASP Top 10 2007 Update RC1 - A1 A2


A1. Cross Site Scripting (XSS)
While this is probably the most widespread of attacks against websites, it's actually just that - an attack or threat. And it falls under the category (IMO) of Command Injection. Well, okay, to be fair, Cross-site scripting would imply injecting script from another site into a different one. What we call Cross-site Scripting is probably more accurately called HTML injection or script injection. But we stick with the name we're given, which somehow implies it's a different concern than command injection. This misnaming is not OWASP's fault. And it's probably not their fault it's mis-classified.

Because it's so serious, maybe it ought to be in its own category...

I agree with the fixes (finally! whitelist, and output filtering!), but the encoding needs to take place at two levels:

  1. (X)HTML (or whatever presentation format) encoding, meaning encode dynamic data so that any markup characters in it become the appropriate entities for the context it lands in.
  2. Specify the output character encoding (for HTML, the charset in the Content-Type header or meta tag). It seems this gets lost in the shuffle, but there are PoCs now for applications that expect or accept one encoding and either don't specify the output encoding or specify the wrong one, leaving the browser to guess.
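The two levels above, as an added example that is not part of the original post or of the OWASP document: entity encoding alone handles the first level, and declaring the charset in Content-Type handles the second. The sample payload is constructed, and the page/function names are assumptions for illustration. It uses the standard UTF-7 encoding of `<script>` to show why the second level matters: the payload contains nothing that entity encoding would touch, yet a browser that decides the page is UTF-7 reads it as markup.

```python
# Added example (not from the original post): the two levels of XSS output
# encoding, entity encoding of dynamic data and an explicit output charset.
import html

# Constructed payload: the UTF-7 spelling of "<script>alert(1)</script>".
# It has no '<', '>', '&' or quotes, so entity encoding leaves it unchanged.
UTF7_PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def escape_html(value: str) -> str:
    """Level 1: encode dynamic data for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def decoded_as(payload: str, charset: str) -> str:
    """What a browser sees if it decides the page is in `charset`."""
    return payload.encode("ascii").decode(charset)


def render_profile(display_name: str, charset: str = "utf-8"):
    """Level 2: declare the charset in Content-Type and encode the body in it.

    `render_profile` is a hypothetical page; the point is that the header and
    the body bytes agree, so the browser never has to guess the encoding.
    """
    body = f"<html><body><p>Hello, {escape_html(display_name)}</p></body></html>"
    headers = {"Content-Type": f"text/html; charset={charset}"}
    return headers, body.encode(charset)


if __name__ == "__main__":
    print("entity-encoded:", escape_html(UTF7_PAYLOAD))          # unchanged
    print("read as utf-8: ", decoded_as(UTF7_PAYLOAD, "utf-8"))  # harmless text
    print("read as utf-7: ", decoded_as(UTF7_PAYLOAD, "utf-7"))  # <script>...
    hdrs, body = render_profile(UTF7_PAYLOAD)
    print(hdrs["Content-Type"], body)
```

Run stand-alone it prints the payload three ways; only the UTF-7 reading contains a script tag, which is exactly the reading an explicit `charset=utf-8` rules out.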
This is probably as close as we're going to get in a summary document like the Top 10. And because the whole industry calls it Cross-site Scripting (even when it's not), the name needs to stay the same so developers can find solutions. (I'm assuming a search for "Cross-site Scripting" will return a bunch more hits than "HTML Injection").

A2. Injection Flaws
Injection Flaws is the bucket for all the remaining (not XSS) injection flaws. This includes SQL, command, LDAP, XSLT, you name it. Because of SQL injection alone I can see this as #2 on the list. Not necessarily second-most dangerous, but it can still be found semantically, or with Google dorks.

Again, the recommendations are almost spot-on. But there's not much detail they can go into without breaking down the different types of injection. I really don't like the statement that "validation is still recommended in order to detect attacks". Validation should be used to determine anything that isn't what we expect, not to try to find attacks.
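The distinction drawn above, as an added example that is not part of the original post: validation that accepts only the expected shape of a value (here a username), next to a parameterized query that treats the value as data regardless of its content. The table, rows and function names are constructed for illustration; the concatenated query is kept only to show the contrast.

```python
# Added example (not from the original post): positive validation that rejects
# anything outside the expected format, plus a parameterized query.
import re
import sqlite3

# What a username is expected to look like: a letter, then up to 31 letters,
# digits or underscores. Anything else is rejected, attack or not.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(value: str) -> bool:
    """Whitelist check: 'is this what we expect', not 'does this look like an attack'."""
    return USERNAME_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The injectable pattern: the value becomes part of the SQL text."""
    cur = conn.execute(f"SELECT username FROM users WHERE username = '{username}'")
    return [row[0] for row in cur]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized: the SQL structure is fixed, the driver binds the value."""
    cur = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in cur]


def lookup(conn: sqlite3.Connection, username: str) -> list:
    """Reject the unexpected first, then query with parameters."""
    if not validate_username(username):
        raise ValueError("username does not match the expected format")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("concatenated:", lookup_unsafe(db, probe))   # every row comes back
    print("parameterized:", lookup_safe(db, probe))    # no such username
    print("validated:", validate_username(probe), validate_username("alice"))
```

The validator says nothing about quotes or the word OR; it simply does not accept them because they are not part of a username. The parameterized query is what makes the data safe to use even if a value slips past validation.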

More on A3-A10 later...
