[Owasp-topten] Proposal to merge similar vulnerabilities under Authorisation

Dave Wichers dave.wichers at owasp.org
Fri Jan 13 05:14:22 UTC 2017

Yes. In fact we plan to do exactly that for the last two items in your list
to make room for 1 new vulnerability category. I hadn't thought about
including Mass Assignment in the access control category as well. We'll
have to think about that.


On Thu, Jan 12, 2017 at 2:20 PM, Donato Capitella <d.capitella at gmail.com>

> Hi all,
> This is my first post to this list, I apologise if this has already been
> discussed. For the OWASP 2017, have you considered merging the following
> three vulnerabilities under 'Missing Authorisation Controls'?
> - Mass-Assignment
> - Insecure Direct Object Reference
> - Missing Function Level Access Control
> I think these are all the same issue, that is, authorisation has not been
> performed properly server side.
> What do you think?
> Cheers,
> Donato
> --
> It is not in the stars to hold our destiny, but in ourselves.