Saturday, 26 January 2013

Should Mass Assignment be an OWASP Top 10 Vulnerability?

I was just having a thread with Dave (who is working on the OWASP Top 10 2013) about the idea that Mass Assignment vulnerabilities should be part of the next OWASP Top 10, and here is his view:

    It has to be more prevalent than other issues, plus introduce as much, or more risk. The Risk methodology in the Top 10 is very explicit.

    I just looked through ALL the stats provided as input to the OWASP Top 10 for 2013 and I find zero mention of AutoBinding or Mass Assignment.

    I know Aspect has found some of these vulns, in the past few years, but we are talking about a handful that we’ve found out of 1000s of issues total.

    Clickjacking hasn’t even made it into the Top 10 and it’s way more prevalent, I assume.

    That said, that doesn’t mean we can’t start some kind of awareness campaign at OWASP about new issues like Mass Assignment and Expression Language Injection, and anything else new/cool you are aware of.

    1st steps would be to create an article about each vulnerability, and then get the code review and testing guides to cover those topics, and also maybe a Prevention Cheat Sheet for each too. The article and Cheat Sheet are the easiest things to knock out first.

My view is that it should be in the next OWASP Top 10, so I guess we need to start adding info about this vulnerability to the guides and cheat sheets :)

It will also help if we have data about how big this issue is, namely how many apps are vulnerable to it.

To see two practical examples of this vulnerability, take a look at:

Mass Assignment Vulnerability references:
Auto-Binding Vulnerability references (another name for Mass Assignment):
Ryan said...

What would you replace to fit it in?

Dinis Cruz said...

For example, with "Unvalidated Redirects and Forwards".

Leonardo said...

Hi Dinis.

So, I'm not a developer, but isn't Mass Assignment too much of a language-oriented vulnerability? Where else can you find it, other than Ruby and ASP.Net?
Shouldn't the Top 10 be language agnostic?
I think the MA vuln could be input for the Ruby and ASP.Net Cheat Sheets. What do you think?

Dinis Cruz said...

Actually, Mass Assignment is a pattern and is very common in most languages/frameworks (especially the MVC ones).

And if you look at the 'Autobinding' links (in the references section) you will see that most are about Spring MVC (which is Java based).
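The binding pattern discussed in this thread, as an added Ruby example that is not part of the post or its comments: a model whose binder sets every attribute named in the request (the auto-binding behaviour that makes Mass Assignment possible) beside one that binds only an allow-list and reports what it dropped. The class, method names and the request hash are constructed for illustration, not taken from any framework.

```ruby
# Added example (not from the post): a minimal model that binds request
# parameters to attributes the way MVC "auto-binding" does, shown first
# without and then with an attribute allow-list.

# Constructed request parameters: a normal signup form, plus one extra
# field that the form never exposes.
UNTRUSTED_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.com",
  "admin" => "true"
}.freeze

class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Vulnerable binder: every key in the request becomes a setter call, so
  # any attribute with a setter (including :admin) can be overwritten.
  def bind_all(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Hardened binder: only attributes the controller lists are bound; the
  # rest are dropped and returned so the caller can log or alert on them.
  def bind_permitted(params, permitted)
    rejected = params.keys - permitted
    permitted.each do |key|
      public_send("#{key}=", params[key]) if params.key?(key)
    end
    [self, rejected]
  end
end

def vulnerable_signup(params = UNTRUSTED_PARAMS)
  User.new.bind_all(params)
end

def hardened_signup(params = UNTRUSTED_PARAMS)
  User.new.bind_permitted(params, %w[name email])
end
```

With the constructed request, `vulnerable_signup.admin` is `"true"` while `hardened_signup` leaves `admin` at `false` and returns `["admin"]` as the rejected key, which is the value worth logging in the application.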