
List:       owasp-dotnet
Subject:    [Owasp-dotnet] Re: Web Security Threat Classification
From:       Jeremiah Grossman <jeremiah () whitehatsec ! com>
Date:       2005-10-17 21:52:02
Message-ID: 3A9C0161-2ECD-43F0-9540-5FA9F0033F08 () whitehatsec ! com

According to others, we also forgot "social engineering", "ActiveX",
"SSL", and "walking off with the server". Plus, what do you do with
Smuggling, Splitting, all the XSS variants, fingerprinting, CSRF, etc.,
etc.?

By "Insecure Run Time environment", did you mean Windows? Either way,  
I do not know how that could be considered a "threat" speaking  
strictly by definition.

If you're saying the Threat Classification could use improvement or we
weren't precisely consistent with our names/descriptions, we're well
aware of it. Many have provided the same criticism. We'll try to take
yours as constructive.


Regards,

Jeremiah-
Black Hat Japan

On Oct 15, 2005, at 1:25 PM, Dinis Cruz wrote:

> FYI, http://www.webappsec.org/projects/threat/
>
> "...The Web Security Threat Classification is a cooperative effort  
> to clarify and organize the threats to the security of a web site.  
> The members of the Web Application Security Consortium have created  
> this project to develop and promote industry standard terminology  
> for describing these issues. Application developers, security  
> professionals, software vendors, and compliance auditors will have  
> the ability to access a consistent language for web security  
> related issues..."
>
> "...
> Classes of Attack
>
> Abuse of Functionality
> Brute Force
> Buffer Overflow
> Content Spoofing
> Credential/Session Prediction
> Cross-site Scripting
> Denial of Service
> Directory Indexing
> Format String Attack
> Information Leakage
> Insufficient Anti-automation
> Insufficient Authentication
> Insufficient Authorization
> Insufficient Process Validation
> Insufficient Session Expiration
> LDAP Injection
> OS Commanding
> Path Traversal
> Predictable Resource Location
> Session Fixation
> SQL Injection
> SSI Injection
> Weak Password Recovery Validation
> XPath Injection
> * Fingerprinting
> * HTTP Response Splitting
> ..."
>
>
> [Dinis again]
>
> Where is 'Insecure RunTime environment' or 'poor sandbox'?
>
> 80% to 90% of these 'classes of attack' would be 'simple' bugs if
> the malicious request was executed in a 'secure run-time environment'
>
> Dinis Cruz
> Owasp-dotNet

_______________________________________________
Owasp-dotnet mailing list
Owasp-dotnet@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-dotnet