Update CWE mapping on MASWE elements of MASVS-PLATFORM #3149
```yaml
profiles: [L1, L2]
mappings:
  masvs-v2: [MASVS-PLATFORM-2, MASVS-CODE-4]
  cwe: [79, 20, 829]
```
20 is DISCOURAGED.
79 is about the injection and execution of malicious scripts in a web page, while 829 is about the risks associated with incorporating untrusted code or functionality, which can sometimes lead to various security problems but is not, by itself, defined as cross-site scripting.
829 seems like a good fit.
CWE-830: Inclusion of Web Functionality from an Untrusted Source is a variant of CWE-829: Inclusion of Functionality from Untrusted Control Sphere; it can be a substitute, but I wouldn't put both of them.
In Example 1 of CWE-830 it says:
> This webpage is now only as secure as the external domain it is including functionality from. If an attacker compromised the external domain and could add malicious scripts to the weatherwidget.js file, the attacker would have complete control, as seen in any XSS weakness (CWE-79).

I think then MASWE-0070 may lead in the same way to weakness CWE-79, and it should be listed.
Ok, removing CWE-20 since better fitting options are available.
Add CWE-926 to integrate not only Improper Verification of Broadcast Receiver, but also Improper Export of Android Application Components

Co-authored-by: Carlos Holguera <[email protected]>
Removed CWE-276 after feedback received on bad application of the weakness.
Removed discouraged CWE
Removed iOS from platform list since the MASWE is related specifically to Android elements.
truerick left a comment
Every comment has been discussed or answered.
… to enhance draft topics and CWE mappings
This PR is related to issue OWASP/maswe#30.