This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Mass Assignment Cheat Sheet"

From OWASP
m (Point to the official site)
 
(12 intermediate revisions by 3 users not shown)
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
  
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
<div class="noautonum">__TOC__{{TOC hidden}}</div>
 
  
= Introduction =
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html Mass Assignment Cheat Sheet] to see the latest version of the cheat sheet.
"Modern frameworks allow developers to automatically bind HTTP request parameters from both request query and body into model objects for ease of development and increased productivity. If the binder is not correctly configured to control which HTTP request parameters are bound to which model attributes, an attacker may be able to abuse the model binding process and set any other attributes that should not be exposed to user control. This binding is possible even if the model attributes do not appear in the web forms or API contracts." - [http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/mass_assignment_sensitive_field_exposure.html Mass Assignment: Sensitive Field Exposure]
 
 
 
=== Example ===
 
 
 
Suppose there is a form for editing a user's account information:
 
 
 
  <form>
      <input name=userid type=text>
      <input name=password type=text>
      <input name=email type=text>
      <input type=submit>
  </form>
 
 
 
Here is the object that the form is binding to:
 
 
 
  public class User {
      private String userid;
      private String password;
      private String email;
      private boolean isAdmin;
  
      //Getters & Setters
  }
 
 
 
Here is the controller handling the request:
 
 
 
  @RequestMapping(value = "/addUser", method = RequestMethod.POST)
  public String submit(User user) {
      userService.add(user);
      return "successPage";
  }
 
 
 
Here is the typical request (the e-mail address shown in these requests is a placeholder value):
 
 
 
  POST /addUser
  
  userid=bobbytables&password=hashedpass&email=bobbytables@example.com
 
 
 
And here is the exploit:
 
 
 
  POST /addUser
  
  userid=bobbytables&password=hashedpass&email=bobbytables@example.com&isAdmin=true
 
 
 
 
 
The attacker can exploit this if:
 
* They can guess common sensitive fields
 
* They have access to source code and review the models for sensitive fields
 
 
 
=== General Solutions ===
 
* Whitelist the bindable, non-sensitive fields
 
* Blacklist the non-bindable, sensitive fields
 
* Use Data Transfer Objects (DTOs)
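The User/isAdmin binding from the example above, written in plain Node.js as an added illustration (not code from the cheat sheet): the naive binder that copies every request parameter onto the model sits beside each of the three general solutions. The request bodies, field lists and function names are constructed for this example.

```javascript
// Added example (not code from the cheat sheet): the User/isAdmin binding
// above in plain Node.js, with the naive binder beside the three general
// solutions. Request bodies and function names here are constructed.

// Bodies mirroring the cheat sheet's typical and exploit POST /addUser requests
const TYPICAL_BODY = "userid=bobbytables&password=hashedpass&email=bobbytables@example.com";
const EXPLOIT_BODY = TYPICAL_BODY + "&isAdmin=true";
const BINDABLE = ["userid", "password", "email"]; // whitelist
const SENSITIVE = ["isAdmin"];                   // blacklist

// The model the request is bound to; every property is writable.
function newUser() {
  return { userid: "", password: "", email: "", isAdmin: false };
}

function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// VULNERABLE: every parameter lands on the model, so "isAdmin=true" turns
// isAdmin into the (truthy) string "true".
function bindAll(user, body) {
  return Object.assign(user, parseBody(body));
}

// Whitelist: bind only the fields the form legitimately submits and report
// the rest, so an attempt to set isAdmin can be logged and investigated.
function bindAllowed(user, body, allowed = BINDABLE) {
  const params = parseBody(body);
  const rejected = Object.keys(params).filter((k) => !allowed.includes(k));
  for (const f of allowed) if (f in params) user[f] = params[f];
  return { user, rejected };
}

// Blacklist: strip known-sensitive names before binding. Weaker than the
// whitelist: every new sensitive field must be remembered here.
function bindExcept(user, body, disallowed = SENSITIVE) {
  const params = parseBody(body);
  for (const f of disallowed) delete params[f];
  return Object.assign(user, params);
}

// DTO: read only the transferable fields, then copy them onto the model
// explicitly; isAdmin keeps its default whatever the request contained.
function userFromDto(body) {
  const { userid, password, email } = parseBody(body);
  return Object.assign(newUser(), { userid, password, email });
}
```

Running the exploit body through `bindAll` leaves `isAdmin` set to the string `"true"`, while all three hardened binders leave it at `false`; the whitelist variant additionally returns the rejected parameter names, which is the signal worth alerting on.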
 
 
 
=== Alternative Names ===
 
Depending on the language/framework in question, this vulnerability can have several [https://cwe.mitre.org/data/definitions/915.html alternative names]:
 
* Mass Assignment: Ruby on Rails, NodeJS
 
* Autobinding: Spring MVC, ASP.NET MVC
 
* Object injection: PHP
 
 
 
 
 
= Languages & Frameworks =
 
 
 
== Spring MVC ==
 
 
 
=== Whitelisting ===
 
  import org.springframework.stereotype.Controller;
  import org.springframework.web.bind.WebDataBinder;
  import org.springframework.web.bind.annotation.InitBinder;
  import org.springframework.web.context.request.WebRequest;
  
  @Controller
  public class UserController
  {
      @InitBinder
      public void initBinder(WebDataBinder binder, WebRequest request)
      {
          // Only these request parameters may be bound; isAdmin can never be set from the request
          binder.setAllowedFields("userid", "password", "email");
      }
  
      ...
  }
 
 
 
[http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/validation/DataBinder.html#setAllowedFields-java.lang.String...- Reference]
 
 
 
=== Blacklisting ===
 
  import org.springframework.stereotype.Controller;
  import org.springframework.web.bind.WebDataBinder;
  import org.springframework.web.bind.annotation.InitBinder;
  import org.springframework.web.context.request.WebRequest;
  
  @Controller
  public class UserController
  {
      @InitBinder
      public void initBinder(WebDataBinder binder, WebRequest request)
      {
          // isAdmin is rejected; every new sensitive field must be added here as well
          binder.setDisallowedFields("isAdmin");
      }
  
      ...
  }
 
[http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/validation/DataBinder.html#setDisallowedFields-java.lang.String...- Reference]
 
 
 
== NodeJS ==
 
 
 
== Ruby On Rails ==
 
 
 
== Django ==
 
 
 
== ASP.NET ==
 
 
 
== PHP Laravel + Eloquent ==
 
 
 
=== Whitelisting ===
 
  <?php
  
  namespace App;
  
  use Illuminate\Database\Eloquent\Model;
  
  class User extends Model
  {
      // Columns: userid, password, email, isAdmin. Eloquent keeps them in
      // $attributes; do not redeclare them as class properties.
  
      // Only these attributes may be set through fill() / create()
      protected $fillable = array('userid', 'password', 'email');
  }
 
 
 
[https://laravel.com/docs/5.2/eloquent#mass-assignment Reference]
 
=== Blacklisting ===
 
  <?php
  
  namespace App;
  
  use Illuminate\Database\Eloquent\Model;
  
  class User extends Model
  {
      // Columns: userid, password, email, isAdmin. Eloquent keeps them in
      // $attributes; do not redeclare them as class properties.
  
      // isAdmin is never mass assignable; new sensitive columns must be added here
      protected $guarded = array('isAdmin');
  }
 
 
 
[https://laravel.com/docs/5.2/eloquent#mass-assignment Reference]
 
 
 
= Authors and Primary Editors =
 
* Abashkin Anton
 
 
 
= References and future reading =
 
* Mass Assignment, Rails and You http://code.tutsplus.com/tutorials/mass-assignment-rails-and-you--net-31695
 
 
 
= Other Cheatsheets =
 
 
 
{{Cheatsheet_Navigation_Body}}
 
 
 
|}
 
 
 
[[Category:Cheatsheets]]
 

Latest revision as of 14:17, 15 July 2019
