WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OWASP Top Ten - My Case For Updating It

From: Saqib Ali <docbook.xml () gmail com>
Date: Sun, 10 Jul 2005 22:54:45 -0700
Create a set of T10's that are fit for purpose;

T10 - Attack Patterns
T10 - Common Vulnerabilities
T10 - Root Causes of Insecure Web Applications
T10 - Things a company should have as part of its software security program
T10 - Things to look for in a protection system
T10 - Things to look for in an assessment system


I would like to add:
T10 - Prevention against Google Hacks

Google can be used to gather information about website.  The
information can be used in a possible hack. These top 10 should
include ways to prevent these simple ways to gather information. e.g.:

0) Do not put backup files (.bak) in the world accessible directories. Try:
http://www.google.com/search?hl=en&q=%2Bfiletype%3Abak+%2B%22php%22+%2Bmysql_connect

1) Disable directory listing. Try:
http://www.google.com/search?hl=en&lr=&q=intitle%3A%22Index+of+%2F%22++%2B%22Parent+Directory%22+%22orgchart.pdf%22

2) Prevent caching of dynamic data by google.

3) Prevent robots from entering sensitive sites. Try:
http://www.google.com/search?hl=en&lr=&q=intitle%3A%22Index+of+%2F%22++%2B%22Parent+Directory%22+inurl%3A%22Documents+and+Settings%22&btnG=Search

etc ....

Some of these might be redundant, and may be found in other T10, but i
think these are easy fixes, and no web application should be exploited
due to these.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Previous By Date Next
Previous By Thread Next

Current thread: