Although you may argue that A2 is broad enough to cover it, CSRF certainly deserves a point of it’s own. It’s one of the top three web app problems (behind SQL and XSS injections) and has very different mitigation techniques from any other bullet on the list..

If someone who’s logged into their bank account goes to visit my website, with an image embedded pointing to http://bank.com/index.php?cmd=changepass&newpass=WideOpen .. thats a wide open hole.

It’s a fairly comprehensive list otherwise though .. and when limited to only 10 points, i find it more than adequate.

-maluc

Good to see you have a life :)

I can totally understand your point of view. Life’s balancing act is always a challenge. However, the project states that it is “sponsored” by Aspect Security. I expect outdated material from open source projects, but I would have expected “sponsored” material to be a little better?

Your totally right and we are aware that the Top 10 needs updating. Behind the scenes we are doing just that. I am currently working on the ASP.NET Top 10 and others are updating it to reflect todays web applications and their insecurities.

As with many organisations that rely on people’s free time to do the work, progress is slow. I have a day job and also a life. We would love to see all these companies adopting it offering some support for us to move forward and actually spend more time, but in reality that wont happen.

The Top 10 does have a place in todays web enabled Internet and we are fully aware of the need to get it updated ASAP!

Daniel
OWASP