once more, with feeling.

Darren Lasko dlasko at us.fujitsu.com
Mon Sep 8 17:10:47 EDT 2008


Arshad Noor wrote:
> A more optimal solution is to have this vulnerability accepted by
> the OWASP community as a "Top 10" security vulnerability; it will
> have the appropriate intended effect since mitigation to the OWASP
> defined vulnerabilities is required in PCI-DSS:
> 
> "6.5 Develop all web applications based on secure coding guidelines
> such as the Open Web Application Security Project guidelines"
> 

Isn't this vulnerability already in the Top 10, specifically "A7 - Broken 
Authentication and Session Management" (
http://www.owasp.org/index.php/Top_10_2007-A7)?

From the "Protection" section for A7:

"Do not allow the login process to start from an unencrypted page. Always 
start the login process from a second, encrypted page with a fresh or new 
session token to prevent credential or session stealing, phishing attacks 
and session fixation attacks."

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America
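The A7 protection quoted above has two concrete parts: the login step must only be reachable over an encrypted page, and authentication must issue a fresh session token so that a token the browser already held (one an attacker may have planted) is never promoted to an authenticated session. The following is an added illustration of both checks, written for this page and not taken from the message, OWASP or PCI-DSS; the `SessionStore`, the `login` function, the user `alice` and the salted demo credential store are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential store for the demo (hypothetical user and password).
# A real system stores a proper password hash (e.g. scrypt/argon2); a salted
# SHA-256 is used here only so the example runs offline with no dependencies.
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


@dataclass
class Session:
    authenticated_user: Optional[str] = None


@dataclass
class SessionStore:
    """In-memory server-side session table keyed by a random session id."""
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self, authenticated_user: Optional[str] = None) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
        self.sessions[sid] = Session(authenticated_user)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self.sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def cookie_header(sid: str) -> str:
    """Set-Cookie value for the session id: Secure so the browser never sends
    it over plaintext HTTP, HttpOnly so page scripts cannot read it."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def login(store: SessionStore, scheme: str, presented_sid: Optional[str],
          username: str, password: str) -> Tuple[str, str]:
    """Authenticate and return (new_session_id, set_cookie_header).

    Mirrors the A7 advice: refuse a login that did not start from an
    encrypted page, and always issue a new session token on success.
    """
    if scheme != "https":
        raise PermissionError("login must start from an encrypted page")

    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    expected = USERS.get(username)
    # compare_digest keeps the comparison constant-time for equal-length inputs.
    if expected is None or not hmac.compare_digest(digest, expected):
        raise PermissionError("bad credentials")

    # Session fixation defence: whatever token the client presented is
    # discarded (it may have been chosen by someone other than this user)
    # and a brand-new id is bound to the authenticated identity.
    if presented_sid is not None:
        store.destroy(presented_sid)
    new_sid = store.create(authenticated_user=username)
    return new_sid, cookie_header(new_sid)


if __name__ == "__main__":
    store = SessionStore()
    pre_login_sid = store.create()            # anonymous token handed out earlier
    sid, header = login(store, "https", pre_login_sid, "alice", "correct horse")
    print("rotated:", sid != pre_login_sid)
    print("old token still valid:", store.get(pre_login_sid) is not None)
    print(header)
```

The point of the rotation is visible in the store afterwards: the pre-login id no longer resolves to anything, so knowing it gains nothing once the user has authenticated, and the new id travels only in a `Secure` cookie.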

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
