Posts

Showing posts from November, 2009

'Information Leakage-Improper Error Handling' dropped

From Owasp Top 10 2010 List, the issue 'Information Leakage-Improper Error Handling' has been dropped. But it's not the final list,its child release actually. Bu I feel it shouldn't be set aside because its still the one of the prevalent issues these days. That's why I mailed to Dave Wicher:
Hi Dave,

Excellent work, Congrats!

Just one little query- Don't you think that Information Leakage & Improper
Error Handling still deserves to be in Top 10?
Dave replied:

This topic is clearly a very prevalent issue that deserves attention by
most organizations. However, the typical impact of such a flaw is usually very low. Therefore, the overall risk of this type of flaw is lower than the other items in the top 10, which is why it was replaced in this update with one of the 2 new items.
Regarding dropping Info Leak/Error handling - It is incredibly

prevalent, no question. But their impact is typically very low, so the

overall risk is low, which is why it fell out of this new r…

OWASP Top 10 2010 (Candidate 1) released !

Image
The release candidate for the OWASP Top Ten for 2010 has been officially released at the OWASP AppSec DC Conference today (Nov 13, 2009). This document is now up for open comment until Dec 31, 2009. The document will be updated and released with a final version in early 2010, hopefully January.

The new additions are:
Security MisconfigurationUnvalidated Redirects and Forwards- This I was expecting that sometimes it may be included in OWASP Top 10 because the last year itself I had detected many Open Re directions on various reputed sites. Even after reporting to them they were not paying much attention to it. I think now they can think about it as it made a place in Top 10.But to my surprise they have excluded Information Leakage for the list which I think is more prevalent than SSL issues.



More information on:
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Content Security Policy of Firefox

Firefox support for Content Security Policy (CSP) has been in the news and is now available in test builds for web developers to try. Support for CSP isn’t slated for Firefox 3.6 but is likely to be included in the release after 3.6, mostly likely called 3.7.

This post is targeted at web developers and gives a quick overview of the three kinds of attacks that CSP helps to mitigate and also gives some quick examples so developers can get a sense of how it will work for them.

In case you don’t know what our Content Security Policy code is – and based on anecdotal evidence a lot of people don’t – it’s a set of easy to use tools that allow a web site owner to tell the browser where it should or should not load resources from. In particular it aims to prevent three different classes of common attacks we see on the web today: cross-site scripting, clickjacking and packet sniffing attacks.

Cross-site scripting attacks are largely the result of a mistake made on backend web servers where someone…

The right combination of HTTP/HTTPS and GET/POST

Image
I came across an excellent article where all the combination of HTTP/HTTP and GET/POST were compared to each other. It was in form of Metrics. It shows different problems with different combination.


The safest option for transmission of any sensitive data is to use POST statements over SSL/TLS. Any other option will expose data at some point in the communication.