Liam 🦆
liamosaur.ragequ.it
Australian hacker.
Irish learner.
Aboriginal land. As it always was, it always will be.
... that's a jpeg
December 8, 2025 at 2:55 AM
For some dumb reason "you can just add Szechuan pepper to the sauce" had never occurred to me before this conversation. Freshly pounded peppercorns, Lao Gan Ma crispy chilli oil, black vinegar, soy + a pack of hoisin duck dumplings straight from the freezer. Took less than 10 minutes to cook
November 30, 2025 at 2:18 AM
I had this or v similar mid-year, it fuckin suuuuuucks. Thoughts are with you. Oxymetazoline spray helped me a lot
November 29, 2025 at 9:42 PM
Putting the OWASP Top 10 together is hard work, and everyone's a critic. It's still a very useful list, and I have massive respect for everyone who contributes to OWASP 💜 Including their awesome cheat sheet on how to create secure File Upload components! cheatsheetseries.owasp.org/cheatsheets/...
File Upload - OWASP Cheat Sheet Series (cheatsheetseries.owasp.org)
November 27, 2025 at 5:54 AM
In fact, a developer could invest a bunch of time learning the Top 10 in depth, but if asked "what are some common real-world scenarios that devs need to worry about?" would be unlikely to say "Insecure File Uploads", despite them being a common source of critical vulns. This is a problem.
November 27, 2025 at 5:54 AM
...if you can upload executables that run on the webserver, it's a Broken Access Control. If I can overwrite a binary, it's a Software Integrity Failure etc. etc. While this categorisation is academically interesting, it's not helpful to a developer trying to understand what they need to worry about
November 27, 2025 at 5:54 AM
So which OWASP Top 10 category do Insecure File Uploads fall into? Well, the answer is "it's complicated and depends...". What it depends on is often the impact - if the file upload leads to XSS, it's an Injection vuln. If it can bypass file type check controls, it's a Security Misconfiguration...
November 27, 2025 at 5:54 AM
To give a concrete example - my team did some work earlier in the year analysing data from about 2.5k pentest reports. Looking at critical issues found during webapp pentesting, this mostly matched the OWASP Top 10. But there was one standout difference - our #2 issue was File Upload Vulns...
November 27, 2025 at 5:54 AM
...This is OWASP's own summary of the Top 10. The goal is not just abstract/academic categorisation - it's to provide an *actionable resource* to devs about what they need to be concerned about. "Be concerned about this abstract category" is not as useful advice as something more concrete would be...
November 27, 2025 at 5:54 AM
"absolutely no idea who chewed that blue thing up"
November 26, 2025 at 3:22 AM
Yeah, a bunch of little reasons for me. A lot of my meetings are with clients outside of my organisation, but are set up by other people in my org. This gives those people more meeting slots to choose from. I don't care when I eat, as long as I can get a break
November 25, 2025 at 3:56 AM
I don't disagree that this would be useful advice for those people, but if the scope of what they're going for is "what do normies with normie threat models need to hear?", this pretty much nails it for 90% of people IMO (which is in itself a sad story - we need more low-key activists in this world)
November 25, 2025 at 12:11 AM
I've actually found a pretty good supply of high-zing peppercorns, but sometimes if I'm having a quick meal (frozen dumplings), I ain't got time for the mortar and pestle season. The oil sounds perfect
November 23, 2025 at 8:21 PM
Ohhhh shit, I didn't realise Szechuan pepper oil was a thing. This is a revelation
November 23, 2025 at 7:51 PM
Anyway, I just did this for the 3rd time over the space of about a decade (on two different cars!). It's so bloody annoying. Lead acid batteries don't like being fully discharged, so it was new battery time again. I got out some aviation snips and permanently disabled the always-on switch position
November 23, 2025 at 8:39 AM