Update RailsGoat to OWASP Top Ten 2017 version #305

Closed
jasnow opened this issue Feb 16, 2018 · 11 comments
jasnow commented Feb 16, 2018

Is OWASP Top 10 - 2017 version official?

cktricky added this to To do in GSoC 2018 on Feb 20, 2018

jasnow commented Mar 18, 2018

shaddygarg [Today at 8:50 AM] in #project-railsgoat
Hey, I was working on the proposal for the OWASP Top Ten project but I am unsure about some points. What does the project OWASP Top Ten exactly include? I read the relevant issue and it mentions that support needs to be added for the 2017 version and back support for the 2010 version! How is one supposed to start doing this? I plan to open a WIP request and build upon that in the coming GSoC. Can you point out some relevant links?

Al [20 minutes ago]
(1) What does the project OWASP Top Ten exactly include?
-- Have you googled "OWASP Top 10 2017" or "OWASP Top 10 2013 2017"?
(2) How is one supposed to start doing this (backport to 2010)?
-- Yes, what are the different approaches to do that?
(3) Can you point out some relevant links?
-- What do you have now?
-- Also OWASP's #project-top-10 channel can be a resource.
-- You can also post questions to the OWASP Google Group and
#project-railsgoat Slack channel.

shaddygarg [14 minutes ago]
Sorry for being very vague in my question. Yes, I have read about the Top Ten and most of the vulnerabilities are the same for 2010, 2013 and 2017. So, what exactly is meant by adding the support? Does this mean that the new vulnerabilities that were included in 2017 need to be added into the RailsGoat project? For the back support to 2010, vulnerabilities were merged into 2013. So, what exactly needs to be done for 2010? (edited)

shaddygarg [14 minutes ago]
I have joined the #project-top-10 channel and the two PDFs are what I am referring to:

  1. https://www.owasp.org/images/f/f8/OWASP_Top_10_-_2013.pdf
  2. https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf (edited)

jasnow commented Mar 18, 2018

shaddygarg [9:02 AM]
uploaded and commented on this image: OWASP.PNG

The vulnerabilities A7, A9, A8 are merged into some other vulnerabilities of 2013 and other vulnerabilities are the same.
Source: https://www.owasp.org/images/f/f8/OWASP_Top_10_-_2013.pdf

Al [9:06 AM]
"2010 and 2013 support after adding 2017 support" - I have not thought through this, but the idea is not to lose the vulnerabilities that were removed from 2010 and 2013. There are probably multiple ways to support ("not lose the information"/source code) these old vulnerabilities.

shaddygarg commented Mar 18, 2018

2013 and 2017 can co-exist as they are fairly independent of each other. The following are the new vulnerabilities that exist in 2017 which were not there in 2013:

  • XML External Entity (XXE)
  • Broken Access Control
  • Insecure Deserialization
  • Insufficient Logging & Monitoring

Following were removed from 2013:

  • Missing Function Level Access Control
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Unvalidated Redirects and Forwards

These vulnerabilities can co-exist together. So, if we add support for the 2017 version, it should not be a problem as it won't interfere with any other vulnerability. Do tell me if I am on the right track. For 2010, I am currently researching.
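One of the four 2017 categories listed above, Insecure Deserialization (A8:2017), is a natural fit for a Rails training app because Rails code routinely round-trips objects through Marshal, YAML and cookies. The block below is an added illustration of what such a lesson could pair: a vulnerable path and its fixed counterpart. It is not RailsGoat code and not part of this issue; `ThemePref`, `Gadget`, the cookie helpers and the command string are all hypothetical, and the gadget records the command it would run instead of executing it so the example is safe to run as plain Ruby with only the standard library.

```ruby
require 'base64'
require 'json'

# Constructed example, not RailsGoat code. A Rails-style app stores a user's
# theme preference in a cookie and rehydrates it on every request.
SIDE_EFFECTS = [] # records what a gadget "ran" instead of shelling out

# Hypothetical, legitimate application class the app expects in the cookie.
class ThemePref
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def marshal_dump
    @name
  end

  def marshal_load(name)
    @name = name
  end
end

# Hypothetical gadget. It stands in for a class that is already loaded in a
# real app (or one of its gems) and whose marshal_load has a dangerous side
# effect. Marshal.load instantiates whatever class the byte stream names and
# calls its marshal_load, even though the app never references that class.
class Gadget
  def initialize(cmd)
    @cmd = cmd
  end

  def marshal_dump
    @cmd
  end

  def marshal_load(cmd)
    SIDE_EFFECTS << "executed: #{cmd}" # a real gadget would call system(cmd)
  end
end

# Vulnerable: Marshal.load on attacker-controlled bytes (A8:2017).
def vulnerable_load_prefs(cookie)
  Marshal.load(Base64.strict_decode64(cookie))
end

# Cookie the vulnerable app itself would have issued.
def legit_marshal_cookie(name)
  Base64.strict_encode64(Marshal.dump(ThemePref.new(name)))
end

# Cookie value an attacker substitutes for their own.
def attacker_cookie(cmd = 'id > /tmp/pwned')
  Base64.strict_encode64(Marshal.dump(Gadget.new(cmd)))
end

# Cookie the fixed app issues: data only, no class names.
def legit_cookie(name)
  Base64.strict_encode64(JSON.generate('name' => name))
end

# Fixed: a data-only format plus schema validation. No class name crosses the
# trust boundary, so there is nothing for an attacker to instantiate.
def safe_load_prefs(cookie)
  data = JSON.parse(Base64.strict_decode64(cookie))
  unless data.is_a?(Hash) && data['name'].is_a?(String) &&
         data['name'].match?(/\A[a-z]{1,20}\z/)
    raise ArgumentError, 'malformed theme preference'
  end
  ThemePref.new(data['name'])
rescue JSON::ParserError => e
  raise ArgumentError, "malformed theme preference: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  vulnerable_load_prefs(attacker_cookie)
  puts SIDE_EFFECTS.inspect # gadget fired although the app never named Gadget
  puts safe_load_prefs(legit_cookie('dark')).name
  begin
    safe_load_prefs(attacker_cookie)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the pairing is that the vulnerable path is not fixed by validating the decoded object after the fact: by the time `Marshal.load` returns, `marshal_load` has already run. The fix has to change the format so that the parser can only ever produce plain data (`YAML.safe_load` with an explicit `permitted_classes` list is the equivalent for YAML-backed cookies).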

jasnow commented Mar 18, 2018

@shaddygarg -- Where would you find the RailsGoat code supporting 2010 vulnerabilities?

shaddygarg commented

@jasnow -- I am currently researching the differences between the 2010 and 2017 vulnerabilities so that, when adding the 2017 vulnerabilities, I have a better perspective for developing them in such a way that they don't interfere. This way we can preserve the vulnerabilities of 2017 along with those of 2013 and 2010.

cktricky commented Mar 18, 2018 via email

jasnow commented Mar 18, 2018

Why would we want to maintain 2010/2013 support?

@cktricky - if you want just the latest, I will change my description.

cktricky commented Mar 18, 2018 via email

jasnow changed the title from "Add support for multiple OWASP Top Ten versions plus add OWASP Top Ten 2017 version" to "Update RailsGoat to OWASP Top Ten 2017 version" on Mar 19, 2018

jasnow commented Mar 19, 2018

@shaddygarg - FYI: Note that this GitHub idea issue has been changed to only cover the 2017 vulnerabilities.

jasnow commented Jul 19, 2019

Spring Cleaning

jasnow closed this as completed Jul 19, 2019