[Owasp-topten] Proposal to merge similar vulnerabilities under Authorisation

Donato Capitella d.capitella at gmail.com
Fri Jan 13 08:09:08 UTC 2017


Thank you guys for answering and explaining. Just to give you some
background, I was a software developer and I am now a security consultant.
As part of what I do, I (try to) teach web security to developers. One
common issue I find some devs may have with the current OWASP Top 10 is the
confusion around Missing Function Level Access Control and Insecure Direct
Object Reference, as they are both authorisation issues, in different forms.

I would really argue that Mass Assignment is really an Improper
Authorisation issue. However, I understand isolating it makes it stand out
and maybe this is good, given that the data points to an increase in the
occurrence of this issue.

On Fri, 13 Jan 2017, 05:14 Dave Wichers, <dave.wichers at owasp.org> wrote:

> Yes. In fact we plan to do exactly that for the last two items in your
> list to make room for 1 new vulnerability category. I hadn't thought about
> including Mass Assignment in the access control category as well. We'll
> have to think about that.
>
> -Dave
>
>
> On Thu, Jan 12, 2017 at 2:20 PM, Donato Capitella <d.capitella at gmail.com>
> wrote:
>
> Hi all,
>
> This is my first post to this list, I apologise if this has already been
> discussed. For the OWASP 2017, have you considered merging the following
> three vulnerabilities under 'Missing Authorisation Controls'?
>
> - Mass-Assignment
> - Insecure Direct Object Reference
> - Missing Function Level Access Control
>
> I think these are all the same issue, that is, authorisation has not been
> performed properly server side.
>
> What do you think?
>
> Cheers,
> Donato
>
> --
> It is not in the stars to hold our destiny, but in ourselves.
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>
>
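Added example, not part of the thread above or of any OWASP material: the three categories Donato lists, written as one tiny in-memory application so that their common root cause (the server never made an authorisation decision) is visible side by side with the check that fixes each one. All names here (User, Invoice, the handler functions, the sample records) are constructed for this illustration; no web framework is used so the file runs as-is.

```python
"""Mass assignment, IDOR and missing function-level access control as three
faces of one defect: a server-side authorisation decision that was never made.
Constructed example; every class, function and record below is hypothetical."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a server-side authorisation check fails."""


@dataclass
class User:
    id: int
    name: str
    is_admin: bool = False


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int


def sample_invoices() -> dict:
    """Constructed sample data standing in for a database table."""
    return {10: Invoice(10, owner_id=1, amount=100),
            11: Invoice(11, owner_id=2, amount=250)}


def sample_users() -> dict:
    return {1: User(1, "alice"), 2: User(2, "bob", is_admin=True)}


# --- Mass assignment -------------------------------------------------------
# Vulnerable: every key in the request body is copied onto the model, so the
# client can write is_admin, a field it was never authorised to touch.
def update_profile_vulnerable(user: User, body: dict) -> User:
    for key, value in body.items():
        setattr(user, key, value)
    return user


# Hardened: the server decides which fields this caller may write (allowlist)
# and treats anything else as an authorisation failure rather than a silent drop.
PROFILE_WRITABLE = {"name"}


def update_profile(user: User, body: dict) -> User:
    disallowed = set(body) - PROFILE_WRITABLE
    if disallowed:
        raise Forbidden(f"not allowed to write {sorted(disallowed)}")
    for key in PROFILE_WRITABLE & set(body):
        setattr(user, key, body[key])
    return user


# --- Insecure direct object reference -------------------------------------
# Vulnerable: the id from the request is the only lookup key, so any
# authenticated user can read any invoice in the store.
def get_invoice_vulnerable(user: User, invoices: dict, invoice_id: int) -> Invoice:
    return invoices[invoice_id]


# Hardened: after the lookup, check the caller is authorised for *this*
# object (owner or admin) before returning it.
def get_invoice(user: User, invoices: dict, invoice_id: int) -> Invoice:
    inv = invoices[invoice_id]
    if inv.owner_id != user.id and not user.is_admin:
        raise Forbidden("not your invoice")
    return inv


# --- Missing function-level access control --------------------------------
# Vulnerable: the admin action is merely hidden in the UI; the server never
# checks the caller's role, so any caller who reaches the handler succeeds.
def delete_user_vulnerable(caller: User, users: dict, target_id: int) -> bool:
    return users.pop(target_id, None) is not None


# Hardened: the role check happens on the server, in the handler itself.
def delete_user(caller: User, users: dict, target_id: int) -> bool:
    if not caller.is_admin:
        raise Forbidden("admin only")
    return users.pop(target_id, None) is not None


def denied(fn, *args) -> bool:
    """True if fn(*args) raised Forbidden; keeps checks free of try/except."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = User(1, "alice")
    print("mass assignment, vulnerable:",
          update_profile_vulnerable(User(1, "alice"), {"is_admin": True}).is_admin)
    print("mass assignment, hardened denied:", denied(update_profile, alice, {"is_admin": True}))
    print("IDOR, hardened denied:", denied(get_invoice, alice, sample_invoices(), 11))
    print("function-level, hardened denied:", denied(delete_user, alice, sample_users(), 2))
```

Each hardened handler differs from its vulnerable twin by exactly one thing, an explicit authorisation decision made on the server, which is the point of the merge proposal: field-level (mass assignment), object-level (IDOR) and function-level (access control) are the same check applied at three granularities.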