Re: OWASP Top Ten - My Case For Updating It

> Create a set of T10's that are fit for purpose;
>
> T10 - Attack Patterns
> T10 - Common Vulnerabilities
> T10 - Root Causes of Insecure Web Applications
> T10 - Things a company should have as part of its software security program
> T10 - Things to look for in a protection system
> T10 - Things to look for in an assessment system

I would like to add:
T10 - Prevention against Google Hacks

Google can be used to gather information about website. The
information can be used in a possible hack. These top 10 should
include ways to prevent these simple ways to gather information. e.g.:

0) Do not put backup files (.bak) in the world accessible directories. Try:
http://www.google.com/search?hl=en&q=%2Bfiletype%3Abak+%2B%22php%22+%2Bmysql_connect

1) Disable directory listing. Try:
http://www.google.com/search?hl=en&lr=&q=intitle%3A%22Index+of+%2F%22++%2B%22Parent+Directory%22+%22orgchart.pdf%22

2) Prevent caching of dynamic data by google.

3) Prevent robots from entering sensitive sites. Try:
http://www.google.com/search?hl=en&lr=&q=intitle%3A%22Index+of+%2F%22++%2B%22Parent+Directory%22+inurl%3A%22Documents+and+Settings%22&btnG=Search

etc ....

Some of these might be redundant, and may be found in other T10, but i
think these are easy fixes, and no web application should be exploited
due to these.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/