Well, I’m finally back with a mess load of blog posts that I’ll have to write up over the next several days. But I wanted to get this one out first. The conference was a lot of fun and very professionally put together, but like always, I’d like to see more developers attending OWASP. I talked a lot with Dinis Cruz about this, and I’d love to hear any thoughts people have on how we could get more developers and/or managers who have budget to throw at the problem to the conferences. I love talking to a lot of experts, but we’re not pushing the industry forward unless we get more people to attend. So thoughts are welcome.
On an unrelated note, Dave Wichers from Aspect Security did a presentation on the next release candidate for the OWASP top 10. The most important change in my mind is that unvalidated redirects and forwards are now within the top 10 release candidate. I expect this to be a contentious issue, but it could mean trouble for a lot of companies. For instance, take these two Google URLs:
https://www.google.com/accounts/ServiceLogin?service=sierra&continue=https%3A%2F%2Fcheckout.google.com%2Fmain%3Fupgrade%3Dtrue&hl=en_US&nui=1&ltmpl=default&gsessionid=8zA6kaO2BqY
And:
http://www.google.com/search?/accounts/ServiceLogin?service=sierra&continue=https%3A%2F%2Fcheckout.google.com%2Fmain%3Fupgrade%3Dtrue&hl=en_US&nui=1&ltmpl=default&gsessionid=8zA6kaO2BqY&source=hp&q=rsnake&btnI=
This is a sloppy example, but you can see that both the login for Google Checkout and the open redirect in “Feeling Lucky” sit on the same domain and thus could easily confuse an unwitting user. So Feeling Lucky could turn into a PCI liability, depending on a) whether this version of the OWASP top 10 is ratified and b) whether Google’s hopefully unbiased QSA/bank agree that this is an issue. I’ve always thought redirects were dangerous (especially because Google’s redirects have been actively used by phishers and spammers for years now). But does it belong in the top 10? It’s an interesting question. Another interesting question is whether it should matter if the two are on different ports (443 vs 80, as in the example above). It could be equally confusing to a consumer regardless of the protocol, and ultimately that’s how this attack is useful - attacking a user’s perception. If you have an opinion one way or another, I’m sure the OWASP review team would love to hear your thoughts. Anyway, it’ll be interesting to see how this pans out - one way or another.
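As an added example (my code, not anything from the original post or from Google), here is what validating a login-style `continue` parameter looks like when done by parsing the URL and comparing its origin against an allowlist, next to the string-prefix check it replaces. The hostnames and the allowlist are hypothetical, and scheme and port are treated as part of the destination identity, which is one answer to the 443-vs-80 question above.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of (scheme, host, port) origins the login page may "continue" to.
ALLOWED_ORIGINS = {
    ("https", "checkout.example.com", 443),
    ("https", "www.example.com", 443),
}


def weak_is_safe(target: str) -> bool:
    """The check that looks right but is not: a plain string prefix test.
    It accepts any host that merely *starts* with the trusted name."""
    return target.startswith("https://checkout.example.com")


def _origin(url: str):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return target only if it is a local path or an allowlisted origin;
    otherwise return the fallback so the user stays on our own site."""
    if not target:
        return fallback
    # Same-site path: a single leading slash. "//host" is scheme-relative
    # and "/\host" is treated like "//host" by browsers, so both are rejected.
    if target.startswith("/"):
        return target if not target.startswith(("//", "/\\")) else fallback
    origin = _origin(target)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return fallback
    return target
```

Note that the userinfo trick (`https://checkout.example.com@evil.example/`) and the host-suffix trick both pass the prefix check and fail the origin check, because `urlsplit` reports the real host in both cases.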