Saturday 26 January 2013

Should Mass Assignment be an OWASP Top 10 Vulnerability?

I was just having a thread with Dave (who is working on the OWASP Top 10 2013) about the idea that Mass Assignment vulnerabilites should be part of the next OWASP top 10, and here is his view:

    It has to be more prevalent than other issues, plus introduce as much, or more risk. The Risk methodology in the Top 10 is very explicit.

    I just looked through ALL the stats provided as input to the OWASP Top 10 for 2013 and I find zero mention of AutoBinding or Mass Assignment.

    I know Aspect has found some of these vulns, in the past few years, but we are talking about a handful that we’ve found out of 1000s of issues total.

    Clickjacking hasn’t even made it into the Top 10 and its way more prevalent, I assume.

    That said, doesn’t mean we can’t start some kind of awareness campaign at OWASP about new issues like Mass Assignment and Expression Language Injection, and anything else new/cool you are aware of.

    1st steps would be to create an article about each vulnerability, and then get the code review and testing guides to cover those topics, and also maybe a Prevention Cheat Sheet for each too. The article and Cheat Sheet are the easiest things to knock out first.

My view is that it should be in the next OWASP Top 10,  so I guess we need to start adding info about this vulnerability to the guides and cheat sheets :)

I will also help if we have data about how big this issue is, namely how many apps are vulnerable to it.

To see two practical examples of this vulnerability, take a look at:

Mass Assignment Vulnerability references:
Auto-Binding Vulnerability references (another name for Mass Assignment):