[Owasp-topten] Mass assignment and A9

Neil Smithline neil.smithline at owasp.org
Fri Feb 15 16:00:16 UTC 2013

I know there's been discussion about having mass assignment as one of the
T10. The decision was no. I'm not trying to reopen that discussion and
don't feel that I have enough data to even form an opinion.

The above notwithstanding, I think it would be better if mass assignment
were mentioned somewhere in the T10. Relegated to being just an extra risk at
the end of the document gives it a much smaller presence as one must assume
that additional risks get less attention than the T10.

I'm wondering if mass assignment could be mentioned in A9. I think it could
fit in the example section or in the references section with a mass
reference link.

I understand that A9 cannot mention every vulnerability in every framework.
But mass assignment seems special. It is caused by a faulty design pattern
that has been used in multiple frameworks in cooperation with a specific
use of an implementation of that design pattern.

I think that just mentioning it would be enough to cause tools such as
Fortify to include mass assignment in their OWASP filter. Seems a good

Just my two cents,