[Owasp-topten] Mass assignment and A9

Chris Eng ceng at veracode.com
Fri Feb 15 20:46:11 UTC 2013


FWIW, Steve, we use CWE-472 (External Control of Assumed-Immutable Web Parameter) for Mass Assignment. I think it's a pretty good fit.



From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christey, Steven M.
Sent: Friday, February 15, 2013 3:30 PM
To: Neil Smithline; OWASP TopTen
Subject: Re: [Owasp-topten] Mass assignment and A9

I've given mass assignment some thought - our next version of CWE will have an entry for it.  I'm thinking that mass assignment is effectively an instance of Insecure Direct Object Reference, which itself is effectively an authorization problem.

It feels to me like we're going to have an explosion of issues involving deserialization in general, of which mass assignment is one specific technique, so at least mentioning it - if it fits in an existing category - seems reasonable to me.

- Steve



From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Neil Smithline
Sent: Friday, February 15, 2013 11:00 AM
To: OWASP TopTen
Subject: [Owasp-topten] Mass assignment and A9

I know there's been discussion about having mass assignment as one of the T10. The decision was no. I'm not trying to reopen that discussion and don't feel that I have enough data to even form an opinion.

The above notwithstanding, I think it would be better if mass assignment were mentioned somewhere in the T10. Relegating it to being just an extra risk at the end of the document gives it a much smaller presence, as one must assume that additional risks get less attention than the T10.

I'm wondering if mass assignment could be mentioned in A9. I think it could fit in the example section or in the references section with a mass reference link.

I understand that A9 cannot mention every vulnerability in every framework. But mass assignment seems special. It is caused by a faulty design pattern that has been used in multiple frameworks in cooperation with a specific use of an implementation of that design pattern.

I think that just mentioning it would be enough to cause tools such as Fortify to include mass assignment in their OWASP filter. Seems a good thing.

Just my two cents,
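The "faulty design pattern" Neil describes, and the CWE-472 fit Chris mentions, are easier to see in code. The following is an added illustration by the editor, not code from this thread, from OWASP, or from any particular framework: a hypothetical ORM-style model whose `assign_unchecked` does what many frameworks' "set attributes from a hash" helpers did, writing every key the client sends to the matching setter. The `is_admin` column is the assumed-immutable parameter; the client has no business setting it, but nothing stops them. `assign_permitted` shows the fix, an explicit server-side allow-list of writable attributes. Class, method and parameter names are invented for the example, and the request body is constructed.

```ruby
# Added example of mass assignment (CWE-472, External Control of
# Assumed-Immutable Web Parameter). Hypothetical model; not taken from
# the thread or from any real framework. Names are invented.

class User
  # Attributes a client may legitimately set from a signup form.
  # Hypothetical allow-list; a real app would keep this per controller action.
  PERMITTED = %w[name email].freeze

  attr_accessor :name, :email, :is_admin

  def initialize
    @name = nil
    @email = nil
    @is_admin = false # assumed to be set only by server-side code
  end

  # Vulnerable pattern: every key in the incoming hash is routed to the
  # matching setter. Whoever controls the request body therefore controls
  # is_admin, which the developer assumed the client could never touch.
  def assign_unchecked(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Hardened pattern: only attributes on the server-side allow-list are
  # written. Unknown or protected keys are silently dropped.
  def assign_permitted(params)
    params.each do |key, value|
      next unless PERMITTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end
end

# Constructed request body, as a form post or JSON endpoint would deliver
# it. The is_admin key is the attacker's addition to an otherwise normal
# signup request.
ATTACKER_PARAMS = {
  "name" => "mallory",
  "email" => "mallory@example.com",
  "is_admin" => true,
}.freeze

# Signup handler using the vulnerable pattern: the attacker's is_admin
# lands in the model.
def vulnerable_signup(params = ATTACKER_PARAMS)
  User.new.assign_unchecked(params)
end

# Signup handler using the allow-list: name and email are set, is_admin
# keeps its server-side default.
def hardened_signup(params = ATTACKER_PARAMS)
  User.new.assign_permitted(params)
end

if __FILE__ == $PROGRAM_NAME
  puts "unchecked: is_admin=#{vulnerable_signup.is_admin}"
  puts "permitted: is_admin=#{hardened_signup.is_admin}"
end
```

The point of the allow-list being an explicit, server-side list (rather than a deny-list of "sensitive" columns) is that every new column added to the model is protected by default; a deny-list has to be updated every time a column like `is_admin`, `role` or `account_id` is introduced, and the one that is forgotten is the one that gets exploited.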