OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

5.1.2 mass assignment is not really Input Validation #2114

Closed tghosth closed 1 hour ago

tghosth commented 3 hours ago

Mass Assignment currently sits in the Input Validation section.

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| **5.1.2** | Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. | | | | 915 |

I don't think it quite fits here. The countermeasure isn't really about validating input as such but rather correct configuration of objects or whatever so that they cannot be arbitrarily written.

I would propose moving it to section 10.4 Defensive Coding.

Thoughts @elarlang @jmanico ?

elarlang commented 2 hours ago

I agree it fits better to V10.4.

I think the requirement text itself needs some touch as well

Verify that the application protects against mass parameter assignment attacks, and has countermeasures against unsafe parameter assignment.

(can be even shorter, as those 2 parts seem like duplicates)

tghosth commented 2 hours ago

Proposal which hopefully clarifies the issue

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| **10.4.4** | [GRAMMAR, MOVED FROM 5.1.2] Verify that the application has countermeasures to protect against mass assignment attacks where sensitive parameter values are set based on an untrusted source, such as marking fields private or similar. | | | | 915 |

elarlang commented 2 hours ago

Maybe a bit different direction?

Verify that the application has countermeasures to protect against mass assignment attacks by limiting allowed fields per controller and action, e.g. it is not possible to insert or update a field value when it was not intended to be part of that action.
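
To make the "allowed fields per controller and action" wording concrete, here is an added example (not code from the issue or from the ASVS project) contrasting unrestricted binding with an allowlist keyed by controller and action. The `User` model, the `ALLOWED_FIELDS` map and the payloads are hypothetical and constructed for illustration.

```python
"""Mass assignment: unrestricted binding versus a per-action allowlist.

Constructed example; the User model, ALLOWED_FIELDS and all payloads are hypothetical.
"""
from dataclasses import dataclass, fields


@dataclass
class User:
    """Hypothetical persisted model; is_admin and balance must never be client-writable."""
    username: str
    email: str
    is_admin: bool = False
    balance: int = 0


class BindingError(ValueError):
    """Untrusted payload tried to set a field that this action does not accept."""


def update_user_unsafe(user: User, payload: dict) -> User:
    """Vulnerable pattern: every key of the untrusted payload is written onto the model.

    A request body carrying "is_admin": true escalates the account even though the
    profile form never offered that field. This is the behaviour the requirement forbids.
    """
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# Allowlist of writable fields per (controller, action). A field absent from the set is
# not writable through that action no matter what the request body contains.
# Constructed values for this example.
ALLOWED_FIELDS = {
    ("users", "update_profile"): {"email"},
    ("users", "admin_update"): {"email", "is_admin"},
}

# Expected Python type of each model field, derived from the dataclass annotations.
FIELD_TYPES = {f.name: f.type for f in fields(User)}


def bind_fields(user: User, payload: dict, controller: str, action: str) -> User:
    """Hardened pattern: copy only the fields allowed for this controller/action.

    Fails closed: an unexpected or wrongly typed field rejects the whole request before
    anything is written, so a partially applied update cannot occur. Rejecting (rather
    than silently dropping) also gives the application a clear event to log.
    """
    allowed = ALLOWED_FIELDS.get((controller, action), set())
    unexpected = set(payload) - allowed
    if unexpected:
        raise BindingError(
            f"{controller}.{action} does not accept field(s): {sorted(unexpected)}"
        )
    # Every remaining key is in the allowlist, hence a real model field with a known type.
    for key, value in payload.items():
        if not isinstance(value, FIELD_TYPES[key]):
            raise BindingError(f"field {key!r} expects {FIELD_TYPES[key].__name__}")
    for key, value in payload.items():
        setattr(user, key, value)
    return user


if __name__ == "__main__":
    victim = User("alice", "alice@example.test")
    update_user_unsafe(victim, {"email": "x@example.test", "is_admin": True})
    print("unsafe binding, is_admin =", victim.is_admin)  # True: silent escalation

    safe = User("bob", "bob@example.test")
    try:
        bind_fields(safe, {"email": "x@example.test", "is_admin": True}, "users", "update_profile")
    except BindingError as exc:
        print("rejected:", exc)
    print("allowlisted binding, is_admin =", safe.is_admin, "email =", safe.email)
```

The allowlist lives next to the routing layer rather than on the model, which is what "per controller and action" asks for: the same `User` field can be writable from an admin action and read-only from a self-service one without changing the model class.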

tghosth commented 1 hour ago

Yeah I agree with that

tghosth commented 1 hour ago

Opened #2117