web application security lab

OWASP AppSecDC Top 10 Changes

Well, I’m finally back with a mess load of blog posts that I’ll have to write up over the next several days. But I wanted to get this one out first. The conference was a lot of fun and very professionally put together, but like always, I’d like to see more developers attending OWASP. I talked a lot with Dinis Cruz about this, and I’d love to hear any thoughts people have on how we could get more developers and/or managers who have budget to throw at the problem to the conferences. I love talking to a lot of experts, but we’re not pushing the industry forward unless we get more people to attend. So thoughts are welcome.

On an unrelated note, Dave Wichers from Aspect Security did a presentation on the next release candidate for the OWASP Top 10. The most important change in my mind is that unvalidated redirects and forwards are now within the Top 10 release candidate. I expect this to be a contentious issue, but it could mean trouble for a lot of companies. For instance, consider these two Google URLs:

https://www.google.com/accounts/ServiceLogin?service=sierra&continue=https%3A%2F%2Fcheckout.google.com%2Fmain%3Fupgrade%3Dtrue&hl=en_US&nui=1&ltmpl=default&gsessionid=8zA6kaO2BqY

And:

http://www.google.com/search?/accounts/ServiceLogin?service=sierra&continue=https%3A%2F%2Fcheckout.google.com%2Fmain%3Fupgrade%3Dtrue&hl=en_US&nui=1&ltmpl=default&gsessionid=8zA6kaO2BqY&source=hp&q=rsnake&btnI=

This is a sloppy example, but you can see that both the login for Google Checkout and the open redirect in “Feeling Lucky” fall on the same domain and thus could easily confuse an unwitting user. So Feeling Lucky could turn into a PCI liability depending on both a) whether this version of the OWASP Top 10 is ratified and b) whether Google’s hopefully unbiased QSA/Bank agree that this is an issue. I’ve always thought redirects were dangerous (especially because Google’s redirects have been actively used by phishers and spammers for years now). But does it belong on the Top 10? It’s an interesting question. Another interesting question: if the two URLs are on different ports (443 vs. 80, as in the example above), should that matter? It could be equally confusing to a consumer regardless of the protocol, and ultimately that’s how this attack is useful - it attacks a user’s perception. If you have an opinion one way or another, I’m sure the OWASP review team would love to hear your thoughts. Anyway, it’ll be interesting to see how this pans out - one way or another.

10 Responses to “OWASP AppSecDC Top 10 Changes”

  1. ChosenOne Says:

    same “problem” at AppSec Europe: a great improvement would be more hardcore tech-guys and hackers and less business-guys talking about their shiny product ;)

  2. RSnake Says:

    @ChosenOne - I don’t think OWASP needs to turn into yet another hacker con. I agree, I don’t think it should become a vendor conference either, but it should be about educating the community. How do we get more less experienced (or zero experienced) people to come and listen too?

  3. Ams Says:

    The main problem is that in most cases knowledge of some basic security concepts is not required. People should understand that it is not only the field of security experts. This question will remain open until knowledge of basic security concepts becomes obligatory.
    For inexperienced developers such conferences do not differ much (in their minds) from visiting the cinema. If they don’t wish to, they won’t come. So they should somehow be affected through their source of money, I mean work.
    Another way of attracting people is to promote them, to stimulate them. Sorry for such a comparison, but like dogs with cookies for any action :)

  4. sirdarckcat Says:

    some time ago google fixed their open redirection on I’m feeling lucky.. but they un-fixed it a couple of months ago..

    their previous fix was to whitelist I’m feeling lucky to the referrer of www.google.something, and if it didn’t have a referer, then it showed the normal search results.

    Obviously that meant that the I’m feeling lucky thingy was completely broken if you work with referrers disabled.. and since apparently google has no record of which tlds they have, I could use www.google.p42.us or google.sirdarckcat.net etc.. to bypass their whitelist.

    Anyway.. now it works with or without referrer.. but I wanted to point out that google tried to fix it.. anyway, it failed.

    http://twitter.com/sirdarckcat/status/1219781135

    Greetz!!
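The two patterns discussed above, the `continue=` parameter carried in the login URL and the referrer whitelist that sirdarckcat bypassed with look-alike hosts, can both be handled by the same small validator. The following is an added example, not code from the original post or from Google; every URL and host name in it is a constructed sample on example.com, and `ALLOWED_HOSTS` is a hypothetical site configuration. It shows the weak “starts with our host name” check beside an exact allowlist, and it also refuses protocol-relative and userinfo tricks that the comment does not mention, since a redirect validator that misses those is still an open redirect.

```python
"""Added example (not code from the original post or from Google):
validate a redirect parameter like the ``continue=`` value in the
login URL above, and contrast the naive "looks like our host" check
sirdarckcat describes with an exact host allowlist. All URLs and
host names are constructed samples on example.com; ALLOWED_HOSTS is a
hypothetical site configuration."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the only hosts an absolute redirect may land on.
ALLOWED_HOSTS = {"www.example.com", "checkout.example.com"}

# Constructed stand-in for the login URL in the post, with its continue= parameter.
LOGIN_URL = (
    "https://www.example.com/accounts/ServiceLogin?service=sierra"
    "&continue=https%3A%2F%2Fcheckout.example.com%2Fmain%3Fupgrade%3Dtrue&hl=en_US"
)


def redirect_target(url: str, param: str = "continue") -> Optional[str]:
    """Pull the redirect destination out of a URL's query string (percent-decoded)."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None


def naive_host_ok(host: str) -> bool:
    """The weak check: accept any host that merely starts with our name.
    This is the shape of the referrer whitelist described in the comment
    above; www.example.p42.us (a constructed stand-in for www.google.p42.us)
    passes it even though the host belongs to someone else."""
    return host.lower().startswith("www.example.")


def safe_redirect(raw_target: Optional[str], default: str = "/") -> str:
    """Return a destination that is either a same-site absolute path or an
    https URL whose host is exactly on the allowlist; anything else falls
    back to ``default`` instead of becoming an open redirect."""
    if not raw_target:
        return default
    parts = urlsplit(raw_target)
    if not parts.scheme and not parts.netloc:
        # Relative reference. Accept only a path beginning with a single
        # slash: '//host' is protocol-relative, and '/\host' is treated the
        # same way by some browsers, so both are refused.
        if raw_target.startswith("/") and raw_target[1:2] not in ("/", "\\"):
            return raw_target
        return default
    # Absolute reference: require https and an exact host match. urlsplit's
    # hostname strips userinfo, so 'https://www.example.com@evil.example/'
    # is seen as evil.example and rejected.
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() == "https" and host in ALLOWED_HOSTS:
        return raw_target
    return default


if __name__ == "__main__":
    target = redirect_target(LOGIN_URL)
    print("continue= value :", target)
    print("safe destination:", safe_redirect(target))
    for host in ("www.example.com", "www.example.p42.us", "www.example.com.attacker.invalid"):
        print(f"naive_host_ok({host!r}) -> {naive_host_ok(host)}, "
              f"exact allowlist -> {host in ALLOWED_HOSTS}")
    for candidate in ("https://www.example.p42.us/", "//evil.example/", "/\\evil.example",
                      "https://www.example.com@evil.example/", "http://www.example.com/",
                      "/account/settings"):
        print(f"safe_redirect({candidate!r}) -> {safe_redirect(candidate)!r}")
```

The validator deliberately treats the scheme as part of the destination’s identity and only accepts `https`, which is one answer to the 443-versus-80 question raised in the post: a redirect that silently drops a user from HTTPS to HTTP is refused even when the host matches. Teams that need to allow additional hosts should add them to the exact allowlist rather than loosen the match to a prefix or suffix, because that is precisely the loosening the comment above shows being bypassed.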

  5. crazy_lil_white_guy Says:

    I believe there is a point that is thinly veiled within the post, mainly how to make non-security folk, attend or at least take notice of the problem. Really what that breaks down to is cold hard cash.

    If I’m some exec and I got my nerds/geeks/dorks coming to me and saying “this is really bad, we have to fix it”, my first response would be “why?”

    It’s about the bottom line, from the nerd/geek/dork perspective I always want 110% security, realistically that never happens.

    The best thing a security guy can do is look at it from a business perspective… what is the potential impact of a realized security threat? How can I put that into a monetary impact against the business, and can I accept (or manipulate) the outcome when the business justification outweighs the security concerns?

    When we security ppl have to communicate up the chain to make the decision makers take notice, put it in terms they can understand. Don’t expect perceptions to change overnight; plant the seed, and see if it takes root.

    To make your higher-ups take notice say “This could be a serious problem that may represent a risk to our bottom line, here are a bunch of numbers (qualitative and quantitative) to support that view”… and 67.8% of statistics are completely fabricated :)

    It sucks, but tis necessary.

  6. ChosenOne Says:

    @RSnake: I wasn’t aware that OWASP’s self-conception was about educating the less-experienced members of the community.
    Gonna visit the hackercons instead then…. ;)

    No flame intended - I just appreciate an advanced standard when it’s called Web Application Security.

  7. RSnake Says:

    @ChosenOne - no flame taken. Not every group can please every person. But from their website:

    Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.

    If you’re past that point, then good for you, but we still have a lot more people to get up to speed!

  8. Christian Says:

    I said the exact same thing about the lack of developers at OWASP AppSec Australia 2008.

  9. Barry Says:

    I tried promoting OWASP AppSec DC (which I helped organize) among developers - most of them unfortunately aren’t interested in attending such a specialized conference. This is because mainstream dev conferences better address the spectrum of their interests in the limited time they can be away.

    It’s more effective to go where the developers are. I’m active in the dev/tech/web communities and I’ve presented on security at dev events with strong attendance. I think many of the OWASP AppSec speakers and sessions would do well at dev conferences.

    Having said that we should still try to attract those developers who are interested in security to OWASP events - just don’t expect large numbers.

  10. Tom Brennan Says:

    What are the Top 10 Developer Conferences (play on words of course..) in the world?

    I am sure that OWASP, if invited, can staff a table with our 100% volunteer team to raise awareness and, if asked, even provide speakers!!! Ok.. so maybe OWASP will have to pay for the hotel and airfare for the people to get the job done, but we are cool with that… and even have a budget for it.

    (Examples of course..)

    http://www.devconnections.com

    http://javasymposium.techtarget.com

    http://vslive.com

    Join the mission