[Owasp-topten] Mass assignment and A9

Christey, Steven M. coley at mitre.org
Fri Feb 15 20:57:17 UTC 2013

I hate that CWE and want it to die.  I wish I never thought of it.

<SEND> - no, wait...

I mean, that CWE has some problems, one of which is how generic it is, and how it emphasizes almost the "syntax" level of an issue instead of the "logic" level, and the psychological state of the programmer's assumption.  For example, a common attack against insecure direct object reference would be to manipulate a web parameter, and injection attacks are often against a parameter that the programmer assumed would never be changed.  CWE has a mixture of weaknesses operating at different conceptual levels and perspectives, which isn't necessarily a big problem because of the various audiences that CWE serves, but if only we could be better about modeling these differences...  But I digress.

At any rate, I see that Mass Assignment is mentioned at the end of the Top 10 draft without a link; we will have CWE-915 for it, which will point to various other references.  We will release a new CWE version next week, so http://cwe.mitre.org/data/definitions/915.html will be live at that time.

- Steve

From: Chris Eng [mailto:ceng at Veracode.com]
Sent: Friday, February 15, 2013 3:46 PM
To: Christey, Steven M.; Neil Smithline; OWASP TopTen
Subject: RE: [Owasp-topten] Mass assignment and A9

FWIW, Steve, we use CWE-472 (External Control of Assumed-Immutable Web Parameter) for Mass Assignment. I think it's a pretty good fit.

From: owasp-topten-bounces at lists.owasp.org<mailto:owasp-topten-bounces at lists.owasp.org> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Christey, Steven M.
Sent: Friday, February 15, 2013 3:30 PM
To: Neil Smithline; OWASP TopTen
Subject: Re: [Owasp-topten] Mass assignment and A9

I've given mass assignment some thought - our next version of CWE will have an entry for it.  I'm thinking that mass assignment is effectively an instance of Insecure Direct Object Reference, which itself is effectively an authorization problem.

It feels to me like we're going to have an explosion of issues involving deserialization in general, of which mass assignment is one specific technique, so at least mentioning it - if it fits in an existing category - seems reasonable to me.

- Steve

From: owasp-topten-bounces at lists.owasp.org<mailto:owasp-topten-bounces at lists.owasp.org> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Neil Smithline
Sent: Friday, February 15, 2013 11:00 AM
To: OWASP TopTen
Subject: [Owasp-topten] Mass assignment and A9

I know there's been discussion about having mass assignment as one of the T10. The decisions was no. I'm not trying to reopen that discussion and don't feel that I have enough data to even form an opinion.

The above notwithstanding, I think it would be better if mass assignment were mentioned someone in the T10. Delegated to being just an extra risk at the end of the document gives it a much smaller presence as one must assume that additional risks gets less attention than the T10.

I'm wondering if mass assignment could be mentioned in A9. I think it could fit in the example section or in the references section with a mass reference link.

I understand that A9 cannot mention every vulnerability in every framework. But mass assignment seems special. It is caused by a faulty design pattern that has been used in multiple frameworks in cooperation with a specific use of an implementation of that design pattern.

I think that just mentioning it would be enough to cause tools such as Fortify to include mass assignment in their OWASP filter. Seems a good thing.

Just my two cents,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130215/4cb24a46/attachment-0001.html>

More information about the Owasp-topten mailing list