
Mass Assignment

What does this mean?

Mass Assignment is the act of constructing an object from a parameters hash, that is, assigning multiple attributes in a single operation from user-supplied input (a request body, form fields or a query string) rather than setting each attribute explicitly.

What can happen?

An attacker exploiting a mass assignment vulnerability can update object properties they should not have access to (for example a role or an admin flag), allowing them to escalate privileges, tamper with data and bypass security mechanisms.

Recommendation

Disable mass assignment of arbitrary attributes and bind only an explicit allowlist of keys, for example with params.permit in Rails or the equivalent allowlist or ignore mechanism of the framework in use.
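The following Node.js snippet is an added example and not code from the original page: it contrasts the unrestricted binding shown in the samples with an allowlist binder of the kind that params.permit or $fillable provide, without depending on a web framework or database. The user fields, the permitted list and the sample request body are constructed assumptions.

```javascript
// Added example, not part of the original page. The field names, the
// permitted list and the sample request body below are constructed
// assumptions used to show the two binding styles side by side.

// Server-controlled attributes: a client must never be able to set these.
const SERVER_DEFAULTS = Object.freeze({ role: 'user', verified: false });

// Allowlist of attributes a self-registration request may set.
const REGISTER_PERMITTED = Object.freeze(['username', 'password', 'email']);

// Vulnerable: every key in the request body lands on the stored record, so
// a body that carries role or verified overrides the server defaults.
function buildUserVulnerable(body) {
  return { ...SERVER_DEFAULTS, ...body };
}

// Allowlist binder: copy only the keys explicitly permitted for this
// endpoint. hasOwnProperty.call guards against keys inherited through the
// prototype chain being treated as submitted values.
function permit(body, allowed) {
  const bound = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      bound[key] = body[key];
    }
  }
  return bound;
}

// Hardened: server defaults are applied after binding, so a client-supplied
// role or verified value is discarded rather than stored.
function buildUserSafe(body) {
  return { ...SERVER_DEFAULTS, ...permit(body, REGISTER_PERMITTED) };
}

// Detection aid: report which unexpected keys were submitted instead of
// dropping them silently, so such requests can be logged and reviewed.
function unexpectedKeys(body, allowed) {
  return Object.keys(body).filter((key) => !allowed.includes(key));
}

// Constructed sample request body: a registration that also tries to set
// the server-controlled fields.
const SAMPLE_BODY = Object.freeze({
  username: 'alice',
  password: 'correct horse battery staple',
  email: 'alice@example.com',
  role: 'admin',
  verified: true,
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', buildUserVulnerable(SAMPLE_BODY));
  console.log('safe:      ', buildUserSafe(SAMPLE_BODY));
  console.log('unexpected:', unexpectedKeys(SAMPLE_BODY, REGISTER_PERMITTED));
}
```

Run with node: the vulnerable record comes back with role "admin" and verified true, the hardened record keeps role "user" and verified false, and unexpectedKeys lists role and verified so the attempt can be surfaced in application logs. The allowlist is defined per endpoint rather than per model on purpose: the set of attributes a registration form may touch is usually narrower than the set an administrative edit may touch.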

Sample Code

Vulnerable:

// Every public settable property, including Role, is a model-binding target.
public class User
{
    public string Login { get; set; }
    public string Password { get; set; }
    public string Role { get; set; }
}

// Expected request: /Create?Login=username&Password=pwd
// The binder populates the whole object from the query string or form body,
// so a request that also supplies a Role value sets user.Role before it is saved.
public IActionResult Create(User user)
{
    _context.Update(user);
    return View(user);
}

Non Vulnerable:

using System.ComponentModel.DataAnnotations;

public class User
{
    public string Login { get; set; }
    public string Password { get; set; }
    // [Editable(false)] marks the property as read-only for model binding, so a
    // Role value in the request is ignored. [BindNever] from
    // Microsoft.AspNetCore.Mvc.ModelBinding is the explicit ASP.NET Core equivalent.
    [Editable(false)]
    public string Role { get; set; }
}

Vulnerable:

// Deserialised straight from the request body (for example by Jackson), so a
// client can supply its own "root" value and override the server-side constant.
class AssetUploadParameters {
    String root = Constants.ASSETS_ROOT;
    String name;
    String data;
}

Non Vulnerable:

// transient fields are not treated as properties by Jackson (unless an accessor
// exposes them) or by Java serialisation, so "root" keeps the server-side
// default. Annotating the field with @JsonIgnore has the same effect.
class AssetUploadParameters {
    transient String root = Constants.ASSETS_ROOT;
    String name;
    String data;
}

Vulnerable:

class RegisterController extends Controller
{
    public function save()
    {
        // request()->all() hands every submitted key to the model constructor,
        // so any column of the users table can be set by the client.
        $user = new User(request()->all());
    }
}

Non Vulnerable:

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // Allowlist: only these attributes can be set through mass assignment;
    // every other key passed to the constructor or fill() is discarded.
    protected $fillable = [
        'name', 'email', 'password',
    ];
}

Vulnerable:

app.post('/register', function (req, res) {
    const {username} = req.body;
    usersCollection.countDocuments({username}, function (err, count) {
        if (err) {
            return res.status(500).end();
        }
        if (count === 0) {
            // The whole request body is stored as-is, so a client can add
            // fields such as a role or admin flag to its own record.
            const newUser = req.body;
            usersCollection.insertOne(newUser);
            res.status(201).end();
        } else {
            res.status(409).end();
        }
    });
});

Non Vulnerable:

// Destructure only the fields the endpoint is meant to accept and build the
// document from them; anything else in req.body is never written.
const {username, password} = req.body;
usersCollection.insertOne({username, password});

Vulnerable:

def register
  # :is_admin is in the permitted list, so a client can make itself an admin
  # at registration time. params.permit! (permit everything) is equally unsafe.
  @user = User.new(params.permit(:name, :password, :first_name, :last_name, :is_admin))
end

Non Vulnerable:

def register
  # Only the listed keys are bound; is_admin is deliberately absent, so it
  # keeps its database default regardless of what the request contains.
  @user = User.new(params.permit(:name, :password, :first_name, :last_name))
end
