From: Mark Curphey (markcurphey.com)
Date: Sat Sep 29 2001 - 09:48:17 CDT


    Indeed it was a draft, Dennis... but I did also do some rationalizing. One I used
    also didn't have 51 in, so I must have used the wrong list (another problem
    with too many emails, sorry). You are too sharp ;-) Actually what I did was
    to take things that were essentially the same or ambiguous, like samples
    hacking or forced browsing, and compound them. For example, if forced browsing
    is done to find if a particular file / app exists on a system, then samples
    are surely an example of that. They themselves could be samples that contain
    buffer overflows etc.

    I agree about client and server and I definitely think that we should add it
    in. However, how about the point of the attack in the description? You point
    out about the description of a web application and that is very true. I
    think, given we wanted this to be able to apply to all web applications, just
    saying server is misleading. Imagine an online e-tailer. When you buy
    something you will often be using 10 / 15 applications in middleware
    (including Visa / MasterCard / whoever for credit card auth) and several
    data stores. If you follow the notion of presentation / application and data
    layers then maybe that's a good distinction and also means the IIS issues
    get pushed to presentation. Presentation may also include XSLT problems like
    calling third-party helper apps that haven't been covered here yet (cool
    potential for the next breed of CSS attacks I reckon).

    So let's leave the classes open over the weekend, and a definition of a web
    application / web service would be a great idea !!

    Sorry if I dropped the ball.

    -----Original Message-----
    From: Dennis Groves [mailto:dwgmac.com]
    Sent: Friday, September 28, 2001 10:48 PM
    To: Mark Curphey; www mobile code
    Subject: Re: OWASP - Classes of Vulnerabilities

    I assume this is a semi-complete draft, since the method that I proposed was
    a 3x9x51 array, yours is 8x32.

    Frankly, between you and me, I like yours better. I am also too tired to give
    any constructive criticism.

    However, I also think that the most simple model of a web application is
    a client, a server, and the communication between them. I am concerned that
    we not abandon that model - we are going to need to educate many people who
    do not have our understanding of Web Application Security, and when things
    are simple even technical people communicate better.

    I think that the Unix method was correct: many small simple programs that do
    one thing and one thing only. This leads to a world of complexity. Yet any
    part may be examined and understood by one person.

    So perhaps we need a "white paper" that defines web application security -
    that phrase is itself somewhat ambiguous, since application is rather
    difficult to nail down. Further, while everyone on the list has heard of it
    and has an idea what it is, I rather imagine that everyone visiting OWASP
    does not - or they will carry with them also some preconceived ideas that we
    need to destroy to get them on our page. This would also be a good
    collaborative document candidate since every one of us has different ideas
    about what it is, and the whole of it would give a fair definition to
    newbies.

    Dennis

    > Classes of Vulnerabilities
    >
    > Informational
    > “This class of vulnerabilities describes issues that allow an attacker to
    > obtain more information about the system than is intended or desired”.
    > Comments
    > Identifying Characteristics
    > Error Codes
    > Forceful Browsing
    >
    > Input Validation
    > “This class of vulnerabilities describes issues that allow an attacker to
    > create input to a system which will be processed to his/her advantage”.
    > Circumventing Validation (client side manipulation)
    > Unicode Encoded Strings
    > URL Encoded Strings
    > OS Commands
    > Direct SQL Commands
    > Buffer Overflows
    > Path Traversal
    > Cross-Site Scripting
    > Format Strings
    > Null Characters
    > Meta Characters
    > URL Manipulation
    > Hidden Form Field Manipulation
    > Cookie Manipulation
    > Serialized Object Manipulation
    >
    > Session Management
    > “This class of vulnerabilities describes issues that arise from improperly
    > designed session management systems.”
    > Page Sequencing
    > Session Hi-Jacking
    > Session Replay
    > Man in the Middle Attacks
    >
    > Authentication
    > “This class of vulnerabilities describes issues that arise from improperly
    > designed authentication systems.”
    > Brute Force
    >
    > Privacy Violations
    > “This class of vulnerabilities describes issues where users' personal data
    > may be visible to others than the intended user.”
    > Browser Cache
    > Browser History
    > Auto-completes
    >
    > Mis-configurations
    > “This class of vulnerabilities describes issues resulting from improperly
    > configured settings for any component in the system.”
    > Vendor Patches
    > Default Accounts
    >
    > Backdoors
    > “This class of vulnerabilities describes using additional functionality of a
    > system not designed to be accessed by regular users.”
    > Debug Commands
    > Covert Channels
    >
    > Trojans
    > “This class of vulnerabilities describes components designed to subvert the
    > system or user security”.
    > Malicious mobile code
    > Application Trojans
    > Data Tainting
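Several entries under the draft's "Input Validation" class (URL Encoded Strings, Unicode Encoded Strings, Null Characters, Path Traversal) share one root cause: the validator inspects a differently encoded string than the one the file system or back end eventually interprets. The Python below is an added illustration of that point, not code from this thread or from OWASP. It contrasts a validator that looks only at the raw parameter with one that canonicalizes first (repeated percent-decoding, NFKC folding of Unicode look-alikes such as the fullwidth solidus, backslash-to-slash, `..` collapsing) and then checks the result against a base directory. The base directory, the decode-round limit and the sample inputs are all constructed for this example.

```python
import posixpath
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Assumption for this example: files are served from this fixed directory.
BASE_DIR = "/srv/app/files"
MAX_DECODE_ROUNDS = 3  # bounded so repeated decoding cannot loop forever


def naive_is_safe(raw: str) -> bool:
    """A validator that inspects only the raw parameter.

    It is fooled by any encoded form of '../', which is exactly the weakness
    the draft lists under 'URL Encoded Strings' and 'Unicode Encoded Strings'.
    """
    return "../" not in raw and not raw.startswith("/")


def canonicalize(raw: str) -> str:
    """Reduce the parameter to the form the file system will actually see.

    Percent-decode until the value stops changing (defeats double encoding),
    fold Unicode compatibility characters such as the fullwidth solidus U+FF0F
    to their ASCII forms (NFKC), and treat backslash as a separator.
    """
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)  # handles %2e, %2f and UTF-8 %XX sequences
        if decoded == value:
            break
        value = decoded
    value = unicodedata.normalize("NFKC", value)
    return value.replace("\\", "/")


def safe_join(base_dir: str, raw: str) -> Optional[str]:
    """Return the resolved path under base_dir, or None if the input is rejected.

    Every check runs on the canonical form, never on the raw string.
    """
    value = canonicalize(raw)
    if "\x00" in value:  # 'Null Characters': truncation in C-based layers below us
        return None
    canon = posixpath.normpath(value)  # collapses '.' and 'sub/..' segments
    if canon.startswith("/") or canon == ".." or canon.startswith("../"):
        return None  # 'Path Traversal': escapes the base directory
    resolved = posixpath.normpath(posixpath.join(base_dir, canon))
    root = base_dir.rstrip("/") + "/"
    if not resolved.startswith(root):
        return None
    return resolved


# Constructed sample inputs: one benign request and several encoded variants.
SAMPLES = [
    "report.txt",
    "sub/../report.txt",
    "%2e%2e%2fsecret.txt",        # URL-encoded '../'
    "%252e%252e%252fsecret.txt",  # double-encoded '../'
    "..%ef%bc%8fsecret.txt",      # fullwidth solidus U+FF0F encoded in UTF-8
    "report.txt%00.jpg",          # null byte after an allowed-looking suffix
    "..\\..\\secret.txt",         # backslash separators
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} naive={naive_is_safe(s)!s:5} canonical={safe_join(BASE_DIR, s)}")
```

Running the block prints one line per sample: the naive check passes every encoded variant, while `safe_join` accepts only the two benign paths and rejects the rest. The order of operations is the design point: decode and normalize first, validate second, and keep the decode loop bounded so an attacker-controlled string cannot make the validator do unbounded work.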