Trust Boundary Violation is one of the noisiest rules. The main reason that stops me from eliminating most of the occurrences is that OWASP Benchmark looks mostly for low-risk TBV.
Two distinct TBVs can be identified:
1. Attribute name altered: This seems to be the most dangerous case. It has some potential for messing with the application's internal state.
req.getSession().setAttribute(input,"true");
2. Attribute value altered: This is the most common and less likely to introduce a vulnerability by itself.
req.getSession().setAttribute("user", user);
Instead of removing the second type, I would vote for setting its priority (confidence) to LOW at worst.
This way this "FP producer" will not pollute day-to-day review by developers.
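The two shapes of Trust Boundary Violation described in the issue, placed side by side with a hardened form of the dangerous one. This is an added example and not code from the issue author or from the find-sec-bugs project; it targets the javax.servlet API, so it needs the servlet API on the classpath and a container to run. The attribute names "role", "theme" and "locale", the request parameters "key" and "user", and the allowlist are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not part of the original issue): the two TBV shapes the
// post distinguishes, and an allowlist fix for the name-controlled one.
public class TbvExampleServlet extends HttpServlet {

    // Hypothetical: attribute the application trusts for authorization.
    private static final String ROLE_ATTR = "role";

    // Hypothetical allowlist of attribute names a client may set directly.
    private static final Set<String> CLIENT_SETTABLE = Set.of("theme", "locale");

    // Case 1: attribute NAME comes from the request. A request with key=role
    // overwrites the trusted "role" attribute with the literal "true", so the
    // client reaches internal state it was never meant to touch. This is the
    // high-risk shape from the issue.
    static void nameControlledSink(HttpSession session, String key) {
        session.setAttribute(key, "true");
    }

    // Case 2: only the attribute VALUE comes from the request. The name is a
    // constant, so no other attribute can be reached; the value still needs
    // validation before use, but by itself this is the low-risk shape.
    static void valueControlledSink(HttpSession session, String user) {
        session.setAttribute("user", user);
    }

    // Hardened form of case 1: the request may only select an attribute name
    // from a fixed allowlist, so "role" (or any other trusted attribute) is
    // never reachable from client data.
    static boolean allowlistedNameSink(HttpSession session, String key) {
        if (key == null || !CLIENT_SETTABLE.contains(key)) {
            return false;
        }
        session.setAttribute(key, "true");
        return true;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession();
        String key = req.getParameter("key");
        String user = req.getParameter("user");

        // Low-risk pattern: fixed name, request-controlled value.
        valueControlledSink(session, user);

        // Replaces nameControlledSink(session, key): reject names outside
        // the allowlist instead of letting the client pick any attribute.
        if (!allowlistedNameSink(session, key)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown key");
            return;
        }

        // Authorization decision that case 1 would let a client influence.
        boolean admin = "admin".equals(session.getAttribute(ROLE_ATTR));
        resp.getWriter().println(admin ? "admin view" : "user view");
    }
}
```

Submitting `key=role` to a servlet that called `nameControlledSink` would set `role=true` in the session; the same request against `allowlistedNameSink` is rejected with 400. The value-only pattern never lets the request choose which attribute changes, which is why the issue argues it deserves a lower confidence than the name-controlled one.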