Before getting into the Mass Assignment vulnerability, let us know what exactly mass assignment is and where it is used. It refers to the assignment of values to multiple variables or object properties all at once. This process reduces the burden on the developer by making their work easier. This is used in Ruby on Rails which is a server-side web application framework, NodeJS, PHP, Spring MVC, and ASP NET MVC.
It is a computer vulnerability that involves abusing an active record pattern in a web application in order to modify data items that the user usually must not be allowed to access, including granted permissions, passwords, or administrator status.
In other words, to make developers’ work easier, the software framework allows developers to use mass assignment functionality i.e., it automatically binds HTTP request parameters either into program code variables or objects. This sometimes triggers the application into a vulnerable state.
This methodology might be used by attackers to create new parameters that were never intended by the developers. The parameters created by attackers might create or overwrite new variables or objects in program code that were not intended to receive in the request. This process of manipulating mass assignment functionality to access sensitive data or cause data loss is called the Mass Assignment vulnerability.
This vulnerability can have many alternative names depending on the language/framework being used:
Example
Consider a form for editing the account information of a user, as shown below:
Image: An example of user form
The form is binding to the following object:
The following controller is handling the request:
Here is the normal request:
Below is the exploit where the value of the attribute “isAdmin” of the instance of the class “User” is set:
If the exploit is successful, then the “testuser” in the request will be granted with admin rights.
This functionality becomes exploitable in the following scenarios:
The successful exploit of mass assignment vulnerabilities provides the attacker to update object properties which should not be accessed by them, this in turn allows them to escalate privileges, modify data, and bypass security mechanisms.
To prevent this, Rails (here the Rails framework is taken as a reference) offers two class methods in the Active Record class to control/limit access to your attributes; attr_protected (blacklist principle) and attr_accessible (whitelist principle).
Utilizing mass assignment may make the work of developers easier but it will also help attackers exploit vulnerabilities. Hence, it is important for developers to use mass assignment carefully by considering all the security measures that help to keep the web apps secure.
https://en.wikipedia.org/wiki/Mass_assignment_vulnerability
https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/
https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
https://salt.security/blog/api6-2019-mass-assignment
Author,
Srikanth Rudrarapu,
Attack & PenTest Team,
Varutra Consulting Pvt. Ltd.
Introduction In an increasingly interconnected world, the financial industry is becoming more vulnerable to cyber…
Introduction In today's interconnected world, where smartphones are an extension of our lives, ensuring the…
Introduction Unseen and unpredictable, zero-day threats loom as a constant menace to modern businesses. Detecting…
Android penetration testing is a crucial aspect of ensuring the security of Android applications and…
In today's interconnected world, where cybersecurity is of paramount importance, password security plays a crucial…
Introduction to Web & Mobile Application Security Assessment Web and Mobile applications have become an…