Posted to modperl@perl.apache.org by Matt Sergeant <ms...@startechgroup.co.uk> on 2001/10/29 10:49:21 UTC

[OT] FW: OWASP Update

Not sure if this should really be considered off topic, as it should be
required reading. Anyway, go to owasp *now*, and read all the COV's you can
get through. These should be required knowledge for any web developer, and
the site seems to have detailed the various possible vulnerabilities really
well.

http://www.owasp.org/projects/cov/index.htm

(and no, I'm not affiliated in any way - just excited to see all this stuff
explicitly detailed so succinctly).

-----Original Message-----
From: Mark Curphey [mailto:mark@curphey.com]
Sent: 29 October 2001 07:40
To: webappsec@securityfocus.com
Subject: OWASP Update


Prepare for the avalanche !

OWASP folks have been quietly authoring content for the OWASP
(http://www.owasp.org) Classes of Vulnerabilities (COV) project and we are
pleased to say we are about to start sending DRAFT content to the list for
comment. The first 15 will be sent out tonight and others will follow this
week and next.

The classes of vulnerabilities (COV) project is a basic reference for much
of the work at OWASP. Its aim is to define classes of vulnerabilities that
web applications can be vulnerable to, and the attack components (AC) that
exploit these vulnerabilities. An attack on a system may be (and is
typically) composed of several components spanning multiple classes of
vulnerabilities. The COV will not catalogue individual vulnerabilities like
Nimda or ISAPI overflows. Instead it describes generic attacks on web
applications and services.

It does offer a clear definition of each attack component and a common
unambiguous naming scheme to avoid duplication or misinterpretation through
semantics. It enables security professionals to unambiguously talk the same
language.
It does offer the building blocks to describe complicated chained attacks
as sequences of the attack components described and the UML models
that will be provided. UML sequence diagrams will be added after content is
finalized.

Each COV has a description and a list of associated AC's.

Each attack component will have

A Name
A Description
An Analysis
A UML Description
Link to "How to Test for this Problem"
Typical Countermeasures

Example
Take for example the security issues associated with the Phone Book Script.
We use this example as it's well known, one of the simplest applications
(single CGI) and well documented. The attack is usually described by an
example URL:
http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
The script itself uses the escape_shell_cmd() function which does not check
input with the new line character "\n" adequately. This is described in
OWASP-IV-MC-1. In practice an attacker would first determine if the script
itself exists. This would be done by using file & application enumeration as
described in OWASP-FAE-1. If successful an attacker could use the result to
chain one of several other attacks (the payload) such as executing direct
operating system commands (OWASP-IV-DOSCI-1) or direct database calls
(OWASP-IV-DSQLI-1).

Each draft will be sent to the list with a subject (the OWASP name) heading
and a link to the web site. We had hoped to have our navigation working by
this time and each draft linked to our new style sheet but we haven't had
time. That will be done by the end of the week.

This is an open community effort and so we are looking for all positive
feedback that will improve the write-ups. These are first DRAFTS and we know
the English language can be improved. We are most concerned now with the
technical content. Just reply to the list with your comments about the
relevant section and the feedback / discussion will be noted and if
appropriate incorporated. The first 14 or so DRAFTS will go out tonight and
will be finalized next Sunday night (12pm Pacific).

It seems to me that the list of issues identified as the original classes of
vulnerabilities is very "black-box" orientated and we would welcome more
debate about other classes we should include and of course people to help
author the content. Candidates are run time issues like open APIs, SUID
programming etc.

Kind regards,

Mark

_____________________________________________________________________
This message has been checked for all known viruses by Star Internet
delivered through the MessageLabs Virus Scanning Service. For further
information visit http://www.star.net.uk/stats.asp or alternatively call
Star Internet for details on the Virus Scanning Service.
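
The phf example in Mark's message turns on one point: escape_shell_cmd() neutralised the usual shell metacharacters but not the newline, so a denylist escaper left a second command intact. The Python below is an added illustration written for this thread, not OWASP's write-up, the phf script or the original NCSA escape routine. It models a denylist escaper with an assumed metacharacter set that omits "\n", puts an allowlist validator for the Qalias field beside it, and runs both over constructed query strings (including the example URL's query) plus one constructed access-log line to show what a defender would check for.

```python
"""Denylist escaping versus allowlist validation for a CGI parameter.

Added example for the phf / escape_shell_cmd() discussion. The escaper
below is a simplified model of the denylist approach, not the original
code; the metacharacter set and all sample inputs are assumed/constructed.
"""
import re
from urllib.parse import unquote

# Metacharacters the modelled denylist escaper handles. "\n" is
# deliberately absent to reproduce the flaw the write-up describes.
DENYLIST_METACHARS = set('&;`\'"|*?~<>^()[]{}$\\')


def escape_denylist(value: str) -> str:
    """Backslash-escape each denylisted character; newline passes through."""
    return ''.join('\\' + c if c in DENYLIST_METACHARS else c for c in value)


def still_contains_command_separator(escaped: str) -> bool:
    """After escaping, is there still a way to end the intended command?

    A raw newline or an unescaped ';' both terminate a shell command line.
    """
    return '\n' in escaped or re.search(r'(?<!\\);', escaped) is not None


# Allowlist for a phone-book alias: letters, digits, '_', '.', '-' only.
ALIAS_RE = re.compile(r'[A-Za-z0-9_.-]{1,64}')


def validate_alias_allowlist(value: str) -> bool:
    """Accept only aliases made entirely of allowlisted characters."""
    return ALIAS_RE.fullmatch(value) is not None


def parse_qalias(query_string: str) -> str:
    """Return the URL-decoded Qalias value from a raw QUERY_STRING."""
    for pair in query_string.split('&'):
        key, _, val = pair.partition('=')
        if key == 'Qalias':
            return unquote(val)
    return ''


def assess(query_string: str) -> dict:
    """Compare what the denylist escaper leaves behind with the allowlist verdict."""
    raw = parse_qalias(query_string)
    escaped = escape_denylist(raw)
    return {
        'raw': raw,
        'escaped': escaped,
        'denylist_left_separator': still_contains_command_separator(escaped),
        'allowlist_accepts': validate_alias_allowlist(raw),
    }


# Constructed query strings as they would arrive in QUERY_STRING.
SAMPLES = {
    'benign': 'Qalias=jsmith',
    # the query part of the example URL from the OWASP message
    'newline_payload': 'Qalias=x%0a/bin/cat%20/etc/passwd',
    'semicolon': 'Qalias=x;ls',
}

# Constructed Common Log Format line (not a real capture) for detection.
SAMPLE_LOG = ('10.0.0.5 - - [29/Oct/2001:10:49:21 +0000] '
              '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 512')

LOG_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def request_contains_newline(log_line: str) -> bool:
    """Flag a logged request whose decoded query string carries CR or LF."""
    match = LOG_REQUEST_RE.search(log_line)
    if not match:
        return False
    _, _, query = match.group(1).partition('?')
    decoded = unquote(query)
    return '\n' in decoded or '\r' in decoded


if __name__ == '__main__':
    for name, qs in SAMPLES.items():
        print(name, assess(qs))
    print('log line flagged:', request_contains_newline(SAMPLE_LOG))
```

Running it shows the payload surviving the denylist pass untouched (the newline is never escaped) while the allowlist rejects it outright, and the semicolon variant being caught by the escaper but still rejected by the allowlist; the log check is the same decode-then-inspect logic applied to a request line, which is the cheap detection a server operator can run over existing access logs.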

Re: [OT] FW: OWASP Update

Posted by James Stalker <jw...@sanger.ac.uk>.
On Mon, Oct 29, 2001 at 12:07:09PM +0100, Jon Molin wrote:
> Only me that gets 404 Not Found?
> both on http://www.owasp.org/projects/cov/index.htm and
> http://www.owasp.org

No, the site has some bad javascript and it tries to load http://www.owasp.org/Templates/_js/default.js which gives the 404.  Try either turning off javascript in your browser, or using a different, more tolerant, browser.

James

> is this the beginning of a new word? the site has been modperled :)
> 
> /jon
> 
> 
> 
> Matt Sergeant wrote:
> > 
> > Not sure if this should really be considered off topic, as it should be
> > required reading. Anyway, go to owasp *now*, and read all the COV's you can
> > get through. These should be required knowledge for any web developer, and
> > the site seems to have detailed the various possible vulnerabilities really
> > well.
> > 
> > http://www.owasp.org/projects/cov/index.htm
> > 
> > (and no, I'm not affiliated in any way - just excited to see all this stuff
> > explicitly detailed so succinctly).
> 
>  snip

-- 
James Stalker
Senior Web Developer - Project Ensembl - http://www.ensembl.org

Re: [OT] FW: OWASP Update

Posted by Jon Molin <Jo...@resfeber.se>.
Only me that gets 404 Not Found?
both on http://www.owasp.org/projects/cov/index.htm and
http://www.owasp.org

is this the beginning of a new word? the site has been modperled :)

/jon



Matt Sergeant wrote:
> 
> Not sure if this should really be considered off topic, as it should be
> required reading. Anyway, go to owasp *now*, and read all the COV's you can
> get through. These should be required knowledge for any web developer, and
> the site seems to have detailed the various possible vulnerabilities really
> well.
> 
> http://www.owasp.org/projects/cov/index.htm
> 
> (and no, I'm not affiliated in any way - just excited to see all this stuff
> explicitly detailed so succinctly).

 snip