Mass assignment is a computer vulnerability in which an active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access, such as a password, granted permissions, or administrator status.

Many web application frameworks offer active record and object-relational mapping features, where external data in serialization formats is automatically converted on input into internal objects and, in turn, into database record fields. If the framework's interface for that conversion is too permissive and the application designer doesn't mark specific fields as immutable, it is possible to overwrite fields that were never intended to be modified from outside (e.g. an admin permissions flag).[1]

These vulnerabilities have been found in applications written in Ruby on Rails,[2] ASP.NET MVC,[3] and the Java Play framework.[4]

In 2012, mass assignment on Ruby on Rails allowed bypassing of mapping restrictions and resulted in a proof-of-concept injection of unauthorized SSH public keys into user accounts at GitHub.[5][6] Further vulnerabilities in Ruby on Rails allowed creation of internal objects through a specially crafted JSON structure.[7]

In ASP.NET Core, a mapping restriction can be declared using the [BindNever] attribute.[8]
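The following is an added example, not code from the article or from any of the frameworks it names: a minimal active-record-style model whose "columns" are filled from a hash of request parameters, first with the permissive assignment the article describes and then with the allowlist approach behind Rails' attr_accessible/strong parameters and ASP.NET Core's [BindNever]. The User class, its columns and the request body are constructed for the illustration.

```ruby
# Added example, not the article's or any framework's own code: a minimal
# active-record-style model whose fields are "columns" filled from a hash of
# request parameters, shown unrestricted (vulnerable) and allowlisted (fixed).

# Constructed request body, as a client would submit it for a profile update;
# the "admin" key is the extra field a client should not be able to set.
UNTRUSTED_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }.freeze

class User
  COLUMNS = %i[name email admin].freeze   # what the ORM knows about the table
  PERMITTED = %i[name email].freeze       # what a client may set via this form

  attr_reader :fields

  def initialize
    @fields = { name: nil, email: nil, admin: false }
  end

  # Vulnerable: every known column named in the request is written,
  # so "admin" => true lands in the record.
  def assign_unrestricted(params)
    params.each do |key, value|
      col = key.to_sym
      @fields[col] = value if COLUMNS.include?(col)
    end
    self
  end

  # Hardened: only allowlisted columns are written; every other key is
  # returned so the caller can log the attempt rather than silently drop it.
  def assign_permitted(params)
    rejected = params.keys.reject { |k| PERMITTED.include?(k.to_sym) }
    params.each do |key, value|
      col = key.to_sym
      @fields[col] = value if PERMITTED.include?(col)
    end
    [self, rejected]
  end
end

def demo
  unsafe = User.new.assign_unrestricted(UNTRUSTED_PARAMS)
  safe, rejected = User.new.assign_permitted(UNTRUSTED_PARAMS)
  { unsafe_admin: unsafe.fields[:admin], safe_admin: safe.fields[:admin], rejected: rejected }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Logging the rejected keys gives a cheap detection signal: a profile form that keeps submitting a privilege column is worth an alert.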

References

  1. "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes". Common Weakness Enumeration. NIST. Retrieved February 27, 2013.
  2. "Mass Assignment". Ruby On Rails Security Guide. Retrieved February 27, 2013.
  3. "Mass Assignment Vulnerability in ASP.NET MVC". IronsHay. Retrieved February 27, 2013.
  4. Alberto Souza (2014). "Playframework, how to protect against Mass Assignment".
  5. "GitHub suspends member over 'mass-assignment' hack". ZDNet. 2012. Retrieved February 27, 2013.
  6. "[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released!". Archived from the original on January 18, 2016. Retrieved January 7, 2016.
  7. "Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)". Retrieved January 7, 2016.
  8. tdykstra (20 June 2023). "Model Binding in ASP.NET Core". docs.microsoft.com.
