OWASP / Top10

Official OWASP Top 10 Document Repository

Concerns with OWASP Top Ten 2013 - "A10-Unvalidated Redirects and Forwards" - Going away #174

Closed kerberosmansour closed 6 years ago

kerberosmansour commented 6 years ago

I (and a few of my peers) have serious concerns with this issue going away; this has a major impact on online fraud. My biggest fear is that AppSec engineers in large organisations will need to move away from the OWASP Top Ten as a best practice in order to keep Unvalidated Redirects and Forwards as an issue developers need to protect against. I have seen organisations already switch to https://cwe.mitre.org/top25/, and if PCI or other compliance institutions no longer find the OWASP Top 10 suitable as a best practice it might be removed from the references, and it starts by auditors noticing the OWASP Top Ten being used less and less.

I do not know what the data is telling us, but keep in mind we should be the collective wisdom of AppSec; if we know the data we have collected is imperfect, the guidance should be adjusted with the wisdom & consent of the community to reflect that.

vanderaj commented 6 years ago

@infosecdad, as this is to do with the data analysis, can you please reply?

I'm okay if we end up mentioning this in XSS or injections, but the data as far as I can tell is not there for this any more. I'll leave it with you.

kerberosmansour commented 6 years ago

Thanks @vanderaj. @infosecdad, I echo @vanderaj's suggestion to mention it as a client-side attack elsewhere in the Top Ten. It is a tough one as it's hard to get data on it (I could go into more detail), but consider the two attacks below:

1) During the US election, Open Redirects were used in GMail as part of a disinformation campaign: https://motherboard.vice.com/en_us/article/mbqzq8/russian-hackers-are-using-googles-own-infrastructure-to-hack-gmail-users

2) The UK Tax Authority HMRC (their equivalent of the IRS) also had an issue with redirects: http://www.bbc.co.uk/news/technology-41188008

jmanico commented 6 years ago

It might be too late, but I’d suggest changing XSS to “Client Insecurity” and cover XSS, Open Redirect, CSRF and Improper client side storage of sensitive data....

-- Jim Manico @Manicode

On Oct 21, 2017, at 6:51 PM, kerberosmansour notifications@github.com wrote:

Thanks @vanderaj. @infosecdad, I echo @vanderaj's suggestion to mention it as a client-side attack elsewhere in the Top Ten. It is a tough one as it's hard to get data on it (I could go into more detail), but consider the two attacks below:

1) During the US election, Open Redirects were used in GMail as part of a disinformation campaign: https://motherboard.vice.com/en_us/article/mbqzq8/russian-hackers-are-using-googles-own-infrastructure-to-hack-gmail-users

2) The UK Tax Authority HMRC (their equivalent of the IRS) also had an issue with redirects: http://www.bbc.co.uk/news/technology-41188008


securestep9 commented 6 years ago

@vanderaj - Unvalidated Redirect is still very much a MASSIVE PROBLEM for the online payment/e-commerce industry, which is using redirects by definition (e.g. click on a button to get redirected to pay with paypal.com, but the open redirect is abused to redirect the user to a malware site).

When you say the data is not there - it is simply not true. There were far more incidents involving Unvalidated Redirect than XXE, yet XXE got a separate line on the OWASP Top 10 for some reason, but not open redirect. Here is the extract of the Top 10 data:

Fortify:
Number of Unchecked Redirect Vulnerabilities Found (CWE-601) - 29494
Number of XML eXternal Entity Injection (XXE) Vulnerabilities Found (CWE-611) - 27864
Result: 1630 more incidents involving Unvalidated Redirect than XXE

Veracode:
URL Redirection to Untrusted Site (Unvalidated Redirect) (CWE-601) - 56029
Improper Restriction of XML External Entity Reference (XXE) (CWE-611) - 41673
Result: 14356 more incidents involving Unvalidated Redirect than XXE

Synopsys:
CWE-601 (Unvalidated Redirect) = 36 incidents
CWE-611 (XXE) = 3 incidents
Result: 33 more incidents involving Unvalidated Redirect.

Based on the above, Unvalidated Redirect deserves its place in the Top Ten as it had more incidents than XXE.
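The kind of validated redirect the thread is asking developers to keep building (the "pay with PayPal" button that must only ever land on an allowlisted host), as an added example that is not code from the OWASP Top 10 repository. The site origin, the allowlist and every host name in it are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Added example, not code from the OWASP Top 10 repository; the origin and
# allowlist are constructed for illustration.
SITE_ORIGIN = "https://shop.example.com"
ALLOWED_HOSTS = {"shop.example.com", "www.paypal.com"}


def _classify(target: str) -> bool:
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False                   # empty, CR/LF, or other control bytes
    target = target.strip().replace("\\", "/")   # browsers treat '\' as '/'
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False               # javascript:, data:, file:, ...
        if not parts.netloc:
            return False               # "https:/evil.example" parse quirk
    elif not parts.netloc:
        # Plain relative path: site-relative ("/account") is fine,
        # protocol-relative ("//evil.example") is not.
        return target.startswith("/") and not target.startswith("//")
    # Absolute or protocol-relative URL: resolve against our origin and
    # compare the parsed hostname, never a string prefix.
    resolved = urlsplit(urljoin(SITE_ORIGIN, target))
    if resolved.username is not None or resolved.password is not None:
        return False                   # https://shop.example.com@evil.example
    if resolved.scheme != "https":
        return False                   # no downgrade to plain http
    host = (resolved.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


def is_safe_redirect(target: str) -> bool:
    """True only if `target` lands on this site or an allowlisted host.

    Anything the check cannot positively classify is rejected, so an
    unforeseen encoding trick fails closed rather than open.
    """
    try:
        return _classify(target)
    except ValueError:                 # urlsplit rejects malformed IPv6 hosts
        return False


def redirect_target(requested: str) -> str:
    """Location header value: the validated target, else a safe default."""
    return requested if is_safe_redirect(requested) else SITE_ORIGIN + "/"
```

Compare against the parsed hostname rather than a string prefix: `startswith("https://www.paypal.com")` would accept `https://www.paypal.com.evil.example/`, which the hostname check rejects.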

kerberosmansour commented 6 years ago

It might be too late, but I’d suggest changing XSS to “Client Insecurity” and cover XSS, Open Redirect, CSRF and Improper client side storage of sensitive data....

@jmanico I am with you 100% on this! Happy to help where I can. @vanderaj?

kerberosmansour commented 6 years ago

@vanderaj & @infosecdad, I went through the data and can confirm @securestep9's findings.

Fortify:
Number of Unchecked Redirect Vulnerabilities Found (CWE-601) - 29494
Number of XML eXternal Entity Injection (XXE) Vulnerabilities Found (CWE-611) - 27864
Result: 1630 more incidents involving Unvalidated Redirect than XXE

Veracode:
URL Redirection to Untrusted Site (Unvalidated Redirect) (CWE-601) - 56029
Improper Restriction of XML External Entity Reference (XXE) (CWE-611) - 41673
Result: 14356 more incidents involving Unvalidated Redirect than XXE

Synopsys:
CWE-601 (Unvalidated Redirect) = 36 incidents
CWE-611 (XXE) = 3 incidents
Result: 33 more incidents involving Unvalidated Redirect.

infosecdad commented 6 years ago

Yes, if you look at the frequency data, that is correct. But we are not looking at frequency data for the Top 10 this time around. There are many issues with frequency data; many times a small number of applications can really skew the numbers.

If you look at the incidence rate between CWE-601 (Redirect) and CWE-611 (XXE) they are very close to each other. Incidence rate is counting the number of applications that had one or more instances of a vulnerability.

Fortify:
CWE-601 (Redirect): 728 or 10.27% of applications tested
CWE-611 (XXE): 693 or 9.78% of applications tested

Redirect and XXE were within 0.5% of each other.

Veracode:
2014
CWE-601 (Redirect): 2224 or 11.28% of applications tested
CWE-611 (XXE): 693 or 9.78% of applications tested

2015
CWE-601 (Redirect): 2755 or 8.80% of applications tested
CWE-611 (XXE): 2570 or 8.21% of applications tested

2016
CWE-601 (Redirect): 3146 or 6.80% of applications tested
CWE-611 (XXE): 4641 or 10.03% of applications tested

Veracode is showing Redirect incidence rate dropping by half and XXE climbing. In 2016 almost half again more applications had XXE than were found with Redirect.

Overall, the data shows 8.8% (10050) of applications with Redirect and 8.36% (9557) of applications with XXE. That's less than 0.5% difference over 100k+ applications.

So we also took into account that redirect is well known and XXE isn't as much. In the data, 75% of the contributors found Redirect (CWE-601) and only 46% found XXE (CWE-611).

Keep in mind that incidence rate is only part of the overall equation. With detectability similar, and both Exploitability and Impact higher for XXE, XXE is ranked higher.
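The frequency-versus-incidence distinction this reply rests on, worked through on constructed data as an added example (not the OWASP Top 10 data call or any contributor's real dataset): one application with hundreds of redirect findings inflates the raw count, while the incidence rate (applications with at least one finding) and the contributor-coverage figure are unaffected by it. Contributor names, application ids and counts are all made up.

```python
from collections import Counter, defaultdict

# Added example, not from the OWASP Top 10 repository or its data call.
# Records are constructed: (contributor, app_id, cwe), one per scanner finding.
RECORDS = (
    [("toolA", "app-01", "CWE-601")] * 500          # one noisy app, 500 redirects
    + [("toolA", "app-02", "CWE-601"), ("toolB", "app-03", "CWE-601")]
    + [("toolA", f"app-{n:02d}", "CWE-611") for n in range(2, 6)]  # 4 apps, 1 XXE each
    + [("toolB", "app-07", "CWE-79")]
)
CONTRIBUTORS = {"toolA", "toolB", "toolC"}   # constructed: toolC reported nothing
TOTAL_APPS = 10                              # constructed: apps scanned in all


def frequency(records):
    """Raw finding count per CWE: the 'frequency data' the thread argues over."""
    return Counter(cwe for _, _, cwe in records)


def incidence(records, total_apps):
    """Per CWE: (apps with >= 1 finding, percent of all scanned apps)."""
    apps = defaultdict(set)
    for _, app, cwe in records:
        apps[cwe].add(app)
    return {cwe: (len(a), round(100 * len(a) / total_apps, 2))
            for cwe, a in apps.items()}


def contributor_coverage(records, contributors):
    """Percent of contributors that reported a CWE at all (the 75% / 46% figures)."""
    seen = defaultdict(set)
    for tool, _, cwe in records:
        seen[cwe].add(tool)
    return {cwe: round(100 * len(t) / len(contributors), 2) for cwe, t in seen.items()}


if __name__ == "__main__":
    print("frequency:", dict(frequency(RECORDS)))        # CWE-601 far ahead
    print("incidence:", incidence(RECORDS, TOTAL_APPS))  # CWE-611 ahead
    print("coverage: ", contributor_coverage(RECORDS, CONTRIBUTORS))
```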

kerberosmansour commented 6 years ago

Thanks @infosecdad. As @vanderaj suggested, can Open Redirects be mentioned elsewhere in the Top Ten? I have looked at the average number of incidents per app, but I did not see the calculations for Exploitability and Impact.

infosecdad commented 6 years ago

Open Redirects are now mentioned in the +RF page as things that are important to consider but not currently part of the Top 10.

kerberosmansour commented 6 years ago

Thank you @infosecdad