It has to be more prevalent than other issues, plus introduce as much, or more, risk. The Risk methodology in the Top 10 is very explicit.
I just looked through ALL the stats provided as input to the OWASP Top 10 for 2013 and I find zero mention of AutoBinding or Mass Assignment.
I know Aspect has found some of these vulns, in the past few years, but we are talking about a handful that we’ve found out of 1000s of issues total.
Clickjacking hasn't even made it into the Top 10 and it's way more prevalent, I assume.
That said, doesn’t mean we can’t start some kind of awareness campaign at OWASP about new issues like Mass Assignment and Expression Language Injection, and anything else new/cool you are aware of.
First steps would be to create an article about each vulnerability, and then get the code review and testing guides to cover those topics, and also maybe a Prevention Cheat Sheet for each too. The article and Cheat Sheet are the easiest things to knock out first.
My view is that it should be in the next OWASP Top 10, so I guess we need to start adding info about this vulnerability to the guides and cheat sheets :)
I will also help if we have data about how big this issue is, namely how many apps are vulnerable to it.
To see two practical examples of this vulnerability, take a look at:
- Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
- "Two Security Vulnerabilities in the Spring Framework’s MVC" pdf (from 2008)
Mass Assignment Vulnerability references:
- Mass assignment in Rails applications « blog.mhartl | Michael Hartl's tech blog and Finding and fixing mass assignment problems in Rails applications « blog.mhartl | Michael Hartl's tech blog
- #26 Hackers Love Mass Assignment – RailsCasts
- Ruby on Rails Guides: Ruby On Rails Security Guide
- http://en.wikipedia.org/wiki/Mass_assignment_vulnerability
- 6 Ways To Avoid Mass Assignment in ASP.NET MVC
- On Rails mass-assignment, Github and the apocalypse :: Labs :: Headshift
- OWASP Heiko Webers Ruby on Rails Security (pdf)
- Newest 'mass-assignment' Questions - Stack Overflow
- Why ASP.NET MVC is 'insecure by design' , just like Spring MVC (and why SAST can help)
- Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)
- Solution for fixing Spring's JPetStore AutoBinding vulnerabilities
- Dinis Cruz Blog: Current O2 support for analyzing Spring MVC
- Finally ... here is how I have been analysing Spring MVC apps using O2
- Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
- Starting to use the O2 Spring MVC viewer on ThreadFix
- ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)
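The pattern behind all of the references above is the same: the framework binds every key of the request to a model attribute, so a field the form never exposed can still be written. The following is an added example, not code from the thread or from any of the linked projects; it models the problem in plain Ruby with no Rails dependency (the `User` class, its `ALLOWED` list and the `TAMPERED_PARAMS` request are all constructed for illustration) and shows the unfiltered binder beside an allow-list binder of the kind Rails' `attr_accessible` / strong parameters and the ASP.NET MVC `Bind` include-list provide.

```ruby
# Added example (not from the original thread): mass assignment in miniature.

class User
  attr_accessor :name, :email, :admin

  # Only these attributes may ever be bound from a request.
  ALLOWED = %w[name email].freeze

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Vulnerable: every request key that matches a setter is written,
  # including privileged fields such as admin.
  def update_unfiltered(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Hardened: keys outside the explicit allow-list are ignored.
  def update_permitted(params)
    params.each do |key, value|
      next unless ALLOWED.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end
end

# Defender-side helper: which request keys were dropped by the allow-list.
# Logging these surfaces attempts to write protected attributes.
def rejected_keys(params, allowed = User::ALLOWED)
  params.keys.map(&:to_s) - allowed
end

# Constructed sample request: a normal profile edit with an extra "admin"
# field that the HTML form never contained.
TAMPERED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

# Returns the admin flag after unfiltered binding (true: privilege escalated).
def demo_unfiltered
  User.new(name: "alice", email: "old@example.com")
      .update_unfiltered(TAMPERED_PARAMS).admin
end

# Returns the admin flag after allow-listed binding (false: field ignored).
def demo_permitted
  User.new(name: "alice", email: "old@example.com")
      .update_permitted(TAMPERED_PARAMS).admin
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered binding set admin:   #{demo_unfiltered}"
  puts "allow-listed binding set admin: #{demo_permitted}"
  puts "rejected request keys:          #{rejected_keys(TAMPERED_PARAMS).inspect}"
end
```

The allow-list lives on the model rather than in the controller so that every binding path shares it; the `rejected_keys` report is what you would feed to application logging to detect tampering attempts rather than silently dropping them.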