[OT] FW: OWASP Update

2001-10-29 Thread Matt Sergeant

Not sure if this should really be considered off topic, as it should be
required reading. Anyway, go to owasp *now*, and read all the COV's you can
get through. These should be required knowledge for any web developer, and
the site seems to have detailed the various possible vulnerabilities really
well.

http://www.owasp.org/projects/cov/index.htm

(and no, I'm not affiliated in any way - just excited to see all this stuff
explicitly detailed so succinctly).

-Original Message-
From: Mark Curphey [mailto:[EMAIL PROTECTED]]
Sent: 29 October 2001 07:40
To: [EMAIL PROTECTED]
Subject: OWASP Update


Prepare for the avalanche !

OWASP folks have been quietly authoring content for the OWASP
(http://www.owasp.org) Classes of Vulnerabilities (COV) project and we are
pleased to say we are about to start sending DRAFT content to the list for
comment. The first 15 will be sent out tonight and others will follow this
week and next.

The classes of vulnerabilities (COV) project is a basic reference for much
of the work at OWASP. Its aim is to define classes of vulnerabilities that
web applications can be vulnerable to, and the attack components (AC) that
exploit these vulnerabilities. An attack on a system may be (and typically
is) composed of several components spanning multiple classes of
vulnerabilities. The COV will not catalogue individual vulnerabilities like
Nimda or ISAPI overflows. Instead it describes generic attacks on web
applications and services.

It does offer a clear definition of each attack component and a common,
unambiguous naming scheme to avoid duplication or misinterpretation through
semantics. It enables security professionals to unambiguously talk the same
language.
It does offer the building blocks to describe complicated chained attacks
as sequences of the attack components described and the UML models
that will be provided. UML sequence diagrams will be added after content is
finalized.

Each COV has a description and a list of associated ACs.

Each attack component will have

A Name
A Description
An Analysis
A UML Description
Link to How to Test for this Problem
Typical Countermeasures

Example
Take for example the security issues associated with the Phone Book Script.
We use this example as it's well known, one of the simplest applications
(single CGI) and well documented. The attack is usually described by an
example URL:
http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
The script itself uses the escape_shell_cmd() function, which does not check
input for the newline character \n adequately. This is described in
OWASP-IV-MC-1. In practice an attacker would first determine if the script
itself exists. This would be done by using file and application enumeration as
described in OWASP-FAE-1. If successful, an attacker could use the result to
chain one of several other attacks (the payload) such as executing direct
operating system commands (OWASP-IV-DOSCI-1) or direct database calls
(OWASP-IV-DSQLI-1).

Each draft will be sent to the list with a subject (the OWASP name) heading
and a link to the web site. We had hoped to have our navigation working by
this time and each draft linked to our new style sheet, but we haven't had
time. That will be done by the end of the week.

This is an open community effort and so we are looking for all positive
feedback that will improve the write-ups. These are first DRAFTS and we know
the English language can be improved. We are most concerned now with the
technical content. Just reply to the list with your comments about the
relevant section and the feedback / discussion will be noted and, if
appropriate, incorporated. The first 14 or so DRAFTS will go out tonight and
will be finalized next Sunday night (12pm Pacific).

It seems to me that the list of issues identified as the original classes of
vulnerabilities are very black-box orientated and we would welcome more
debate about other classes we should include and of course people to help
author the content. Candidates are run time issues like open APIs, SUID
programming etc.

Kind regards,

Mark





_
This message has been checked for all known viruses by Star Internet
delivered through the MessageLabs Virus Scanning Service. For further
information visit http://www.star.net.uk/stats.asp or alternatively call
Star Internet for details on the Virus Scanning Service.

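The phf example in the forwarded update is worth seeing in code. The block below is an added illustration, not code from the OWASP draft or from the phf CGI itself: it re-implements the blacklist-style escaping that escape_shell_cmd() performed (the metacharacter set is reproduced from memory and is an assumption, as is the /usr/local/bin/ph path), builds the popen()-style command line the way phf did, shows that the URL-decoded Qalias value from the post survives escaping with its newline intact and therefore splits into a second shell command, and then shows the fix a reviewer would ask for: an allowlist on the alias (the alias grammar is assumed) plus an argv hand-off that never lets a shell parse the input.

```python
import re
import subprocess
from urllib.parse import unquote

# Metacharacters the NCSA-era escape_shell_cmd() backslash-escaped. This set is
# reproduced from memory and is an assumption; the point is that "\n" (and the
# space) are absent, so a newline reaches the shell unescaped.
METACHARS = set('&;`\'"|*?~<>^()[]{}$\\')


def escape_shell_cmd(cmd: str) -> str:
    """Blacklist escaping: prefix each listed metacharacter with a backslash."""
    return ''.join('\\' + ch if ch in METACHARS else ch for ch in cmd)


def build_ph_command_vulnerable(qalias: str) -> str:
    """The pattern phf used: concatenate the 'escaped' query value into a
    command line destined for popen(), i.e. for /bin/sh -c.
    The ph path is an assumption."""
    return '/usr/local/bin/ph -m alias=' + escape_shell_cmd(qalias)


def split_shell_commands(cmdline: str) -> list:
    """Approximate how /bin/sh separates top-level commands: an unescaped
    newline or ';' ends one command and starts the next. Quoting is not
    modelled; this is enough to show which bytes the blacklist let through."""
    commands, current, i = [], '', 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '\\' and i + 1 < len(cmdline):  # escaped char: keep pair, no split
            current += cmdline[i:i + 2]
            i += 2
            continue
        if ch in '\n;':
            if current.strip():
                commands.append(current.strip())
            current = ''
        else:
            current += ch
        i += 1
    if current.strip():
        commands.append(current.strip())
    return commands


# Hardened version: allowlist the value, then hand argv to exec directly so no
# shell ever parses attacker-controlled bytes. The alias grammar is an
# assumption about what a phone-book alias should look like.
ALIAS_RE = re.compile(r'[A-Za-z0-9._-]{1,64}')


def validate_alias(qalias: str) -> str:
    """Reject anything outside the allowlist instead of trying to escape it."""
    if ALIAS_RE.fullmatch(qalias) is None:
        raise ValueError('Qalias contains characters outside the allowlist')
    return qalias


def build_ph_argv_safe(qalias: str) -> list:
    """argv for subprocess.run(..., shell=False): there is no command-line
    string for a newline to split."""
    return ['/usr/local/bin/ph', '-m', 'alias=' + validate_alias(qalias)]


# The Qalias value from the URL quoted in the post, URL-decoded.
PAYLOAD = unquote('x%0a/bin/cat%20/etc/passwd')


if __name__ == '__main__':
    cmd = build_ph_command_vulnerable(PAYLOAD)
    print(repr(cmd))
    print(split_shell_commands(cmd))  # two commands: ph ..., then cat
    # Push the same construction through a real shell with a harmless second
    # command; ph is not expected to exist here, the 'injected' line is.
    demo = build_ph_command_vulnerable('x\necho injected')
    out = subprocess.run(['/bin/sh', '-c', demo], capture_output=True, text=True)
    print(out.stdout.strip())
    try:
        build_ph_argv_safe(PAYLOAD)
    except ValueError as exc:
        print('hardened version rejects payload:', exc)
    print(build_ph_argv_safe('smith'))
```

The contrast to notice is that a ';' in the same position is neutralised by the blacklist while '\n' is not, which is exactly why enumerating bad characters keeps failing; the allowlist version does not need to know which separators a given shell honours because no shell is involved.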



Re: [OT] FW: OWASP Update

2001-10-29 Thread Jon Molin

Is it only me that gets 404 Not Found?
both on http://www.owasp.org/projects/cov/index.htm and
http://www.owasp.org

Is this the beginning of a new word? The site has been modperled :)

/jon



Matt Sergeant wrote:
>
> Not sure if this should really be considered off topic, as it should be
> required reading. Anyway, go to owasp *now*, and read all the COV's you can
> get through. These should be required knowledge for any web developer, and
> the site seems to have detailed the various possible vulnerabilities really
> well.
>
> http://www.owasp.org/projects/cov/index.htm
>
> (and no, I'm not affiliated in any way - just excited to see all this stuff
> explicitly detailed so succinctly).
>
> snip



Re: [OT] FW: OWASP Update

2001-10-29 Thread James Stalker

On Mon, Oct 29, 2001 at 12:07:09PM +0100, Jon Molin wrote:
> only me that get 404 Not Found ?
> both on http://www.owasp.org/projects/cov/index.htm and
> http://www.owasp.org

No, the site has some bad JavaScript and it tries to load
http://www.owasp.org/Templates/_js/default.js which gives the 404. Try either turning
off JavaScript in your browser, or using a different, more tolerant, browser.

James

> is this the beginning of a new word? the site has been modperled :)
>
> /jon
>
>
>
> Matt Sergeant wrote:
> >
> > Not sure if this should really be considered off topic, as it should be
> > required reading. Anyway, go to owasp *now*, and read all the COV's you can
> > get through. These should be required knowledge for any web developer, and
> > the site seems to have detailed the various possible vulnerabilities really
> > well.
> >
> > http://www.owasp.org/projects/cov/index.htm
> >
> > (and no, I'm not affiliated in any way - just excited to see all this stuff
> > explicitly detailed so succinctly).
>
> > snip

-- 
James Stalker
Senior Web Developer - Project Ensembl - http://www.ensembl.org