Incomplete view: OWASP Top Ten 2013 A1 - Injection


Incomplete view: OWASP Top Ten 2013 A1 - Injection

Chris Eng

Any reason why this view (CWE-929) doesn’t include the following Injection-related CWEs?


88, 90, 91, 98, 99, 117


Thanks,

-chris

Chris Eng
Vice President, Research
Veracode, Inc.
Office: 339.674.2828

Mobile: 617.501.3280
[hidden email]


RE: Incomplete view: OWASP Top Ten 2013 A1 - Injection

Christey, Steven M.
Chris,

Thank you for asking.  tl;dr, we will update the view in the next CWE version.

When we first constructed the OWASP Top Ten 2013 view (including the A1 category / CWE-929), we initially chose only to map to the CWE IDs that were explicitly stated in the Top Ten.

We thought this was sufficient at the time because CWE-77 / Command Injection, which is referenced in A1 and mentioned in CWE-929, is a high-level CWE entry.  CWE-77 is a parent of many other injection-related weaknesses, including CWE-88 (argument injection), CWE-90 (LDAP injection), and CWE-91 (XML injection), which you asked about.  It's also a parent of CWE-89 (SQL injection), which was directly referenced by OWASP and therefore mapped.

CWE-77 is at a high level (Class), but the CWEs you mention are a little bit lower level - i.e., they are Bases - which is probably the "right" level of abstraction for developer education.   Since the CWEs you suggested are effectively mentioned in the "Security Weakness" section of OWASP's A1 page, we will update the CWE-939 view in the next CWE version to reflect these additional mappings, and we will review the other categories from the most recent OWASP Top Ten.

I hope that answers your question!


Steve Christey Coley
CWE Technical Lead
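The distinction Steve draws above (a view that lists only the IDs the Top Ten names explicitly versus one that also covers the Bases beneath a Class entry such as CWE-77) is easy to check mechanically if you have the ChildOf relationships. The following is an added example, not code from the CWE Research list or from MITRE: it expands a set of explicitly listed IDs to all of their transitive descendants and reports which of a candidate list is implied only by ancestry. The hierarchy it uses is a constructed toy containing just the relationships stated in this thread (CWE-77 as parent of CWE-88, 89, 90 and 91); the real CWE data set is much larger, and CWE-98, 99 and 117 are left unattached because the thread does not state their parents.

```python
"""Expand a CWE category from its explicitly listed IDs to their descendants.

Added example, not part of the CWE Research list thread or MITRE's tooling.
CHILD_OF is a constructed toy hierarchy holding only the relationships the
thread states; EXPLICIT_A1 is a constructed stand-in for the IDs the A1 /
CWE-929 category listed explicitly (CWE-77 and CWE-89 per the thread).
"""
from collections import deque

# Constructed child -> parent ("ChildOf") relationships, as stated in the thread.
CHILD_OF = {
    88: 77,  # Argument Injection
    89: 77,  # SQL Injection
    90: 77,  # LDAP Injection
    91: 77,  # XML Injection
}

# Constructed: IDs the A1 / CWE-929 category referenced explicitly, per the thread.
EXPLICIT_A1 = {77, 89}


def children_of(cwe_id, child_of=CHILD_OF):
    """All IDs whose ChildOf parent is cwe_id."""
    return {child for child, parent in child_of.items() if parent == cwe_id}


def expand_view(explicit_ids, child_of=CHILD_OF):
    """Return the explicit IDs plus every transitive descendant (BFS over ChildOf)."""
    seen = set(explicit_ids)
    queue = deque(explicit_ids)
    while queue:
        current = queue.popleft()
        for child in children_of(current, child_of):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def implied_only_by_ancestry(candidate_ids, explicit_ids, child_of=CHILD_OF):
    """Candidates that descend from an explicitly listed entry but are not listed themselves."""
    reachable = expand_view(explicit_ids, child_of)
    return sorted(reachable & (set(candidate_ids) - set(explicit_ids)))


def not_reachable(candidate_ids, explicit_ids, child_of=CHILD_OF):
    """Candidates that no listed entry covers, even via descendants, in this hierarchy."""
    return sorted(set(candidate_ids) - expand_view(explicit_ids, child_of))


if __name__ == "__main__":
    asked = {88, 90, 91, 98, 99, 117}  # the IDs raised in the first message
    print("covered by ancestry but not listed:", implied_only_by_ancestry(asked, EXPLICIT_A1))
    print("not reachable in this toy hierarchy:", not_reachable(asked, EXPLICIT_A1))
```

Run against the toy data, the first line reports 88, 90 and 91 (children of CWE-77 that the explicit list omits) and the second reports 98, 99 and 117, which is exactly the split to review by hand when deciding whether a category should be enumerated by explicit reference or by descent from its Class entries.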

RE: Incomplete view: OWASP Top Ten 2013 A1 - Injection

Serafín Raya
Good afternoon,

I've received this email in my mailbox, but I don't know what you're writing
about.

I guess this message shouldn't be sent to me.

Please, don't send me messages like this anymore.

Thanks a lot,

Regards.


-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On behalf of Christey,
Steven M.
Sent: Friday, 21 February 2014 16:58
To: Chris Eng; cwe-research-list CWE Research Discussion
Subject: RE: Incomplete view: OWASP Top Ten 2013 A1 - Injection