|
WebApp Sec
mailing list archives
Re: OWASP Top Ten - My Case For Updating It
From: Saqib Ali <docbook.xml () gmail com>
Date: Sun, 10 Jul 2005 22:54:45 -0700
Create a set of T10's that are fit for purpose;
T10 - Attack Patterns
T10 - Common Vulnerabilities
T10 - Root Causes of Insecure Web Applications
T10 - Things a company should have as part of its software security program
T10 - Things to look for in a protection system
T10 - Things to look for in an assessment system
I would like to add:
T10 - Prevention against Google Hacks
Google can be used to gather information about website. The
information can be used in a possible hack. These top 10 should
include ways to prevent these simple ways to gather information. e.g.:
0) Do not put backup files (.bak) in the world accessible directories. Try:
http://www.google.com/search?hl=en&q=%2Bfiletype%3Abak+%2B%22php%22+%2Bmysql_connect
1) Disable directory listing. Try:
http://www.google.com/search?hl=en&lr=&q=intitle%3A%22Index+of+%2F%22++%2B%22Parent+Directory%22+%22orgchart.pdf%22
2) Prevent caching of dynamic data by google.
3) Prevent robots from entering sensitive sites. Try:
http://www.google.com/search?hl=en&lr=&q=intitle%3A%22Index+of+%2F%22++%2B%22Parent+Directory%22+inurl%3A%22Documents+and+Settings%22&btnG=Search
etc ....
Some of these might be redundant, and may be found in other T10, but i
think these are easy fixes, and no web application should be exploited
due to these.
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
 By Date 
By Thread
Current thread:
- Re: OWASP Top Ten - My Case For Updating It, (continued)
| 
Intro
