WebApp Sec mailing list archives
Re: OWASP Top Ten - My Case For Updating It
From: Saqib Ali <docbook.xml () gmail com>
Date: Sun, 10 Jul 2005 22:54:45 -0700
Create a set of T10's that are fit for purpose; T10 - Attack Patterns T10 - Common Vulnerabilities T10 - Root Causes of Insecure Web Applications T10 - Things a company should have as part of its software security program T10 - Things to look for in a protection system T10 - Things to look for in an assessment system
I would like to add: T10 - Prevention against Google Hacks Google can be used to gather information about website. The information can be used in a possible hack. These top 10 should include ways to prevent these simple ways to gather information. e.g.: 0) Do not put backup files (.bak) in the world accessible directories. Try: http://www.google.com/search?hl=en&q=%2Bfiletype%3Abak+%2B%22php%22+%2Bmysql_connect 1) Disable directory listing. Try: http://www.google.com/search?hl=en&lr=&q=intitle%3A%22Index+of+%2F%22++%2B%22Parent+Directory%22+%22orgchart.pdf%22 2) Prevent caching of dynamic data by google. 3) Prevent robots from entering sensitive sites. Try: http://www.google.com/search?hl=en&lr=&q=intitle%3A%22Index+of+%2F%22++%2B%22Parent+Directory%22+inurl%3A%22Documents+and+Settings%22&btnG=Search etc .... Some of these might be redundant, and may be found in other T10, but i think these are easy fixes, and no web application should be exploited due to these. -- In Peace, Saqib Ali http://www.xml-dev.com/blog/
Current thread:
- OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Ralf Durkee (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Jeff Williams (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Andrew van der Stock (Jul 09)
- Re: OWASP Top Ten - My Case For Updating It Saqib Ali (Jul 10)
- Re: OWASP Top Ten - My Case For Updating It Pete Herzog (Jul 10)
- RE: OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 10)
- Re: OWASP Top Ten - My Case For Updating It Saqib Ali (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It James E. Powell (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It Frank O'Dwyer (Jul 13)
- <Possible follow-ups>
- Re: OWASP Top Ten - My Case For Updating It Jeff Williams (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It Jeff Robertson (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 11)
- Re: OWASP Top Ten - My Case For Updating It Dean H. Saxe (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It Mark Curphey (Jul 11)
- Re: Re: OWASP Top Ten - My Case For Updating It rajeshkumardilli (Jul 11)
- RE: OWASP Top Ten - My Case For Updating It maburns (Jul 12)
- Re: OWASP Top Ten - My Case For Updating It focus (Jul 13)