|
|
| (9 intermediate revisions by 3 users not shown) |
| Line 2: |
Line 2: |
| | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | | |
| − | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| − | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
| |
| − | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| |
| − | <div class="noautonum">__TOC__{{TOC hidden}}</div>
| |
| | | | |
| − | = Introduction =
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html Mass Assignment Cheat Sheet] to see the latest version of the cheat sheet. |
| − | === Definition ===
| |
| − | "Modern frameworks allow developers to automatically bind HTTP request parameters from both request query and body into model objects for ease of development and increased productivity. If the binder is not correctly configured to control which HTTP request parameters are bound to which model attributes, an attacker may be able to abuse the model binding process and set any other attributes that should not be exposed to user control. This binding is possible even if the model attributes do not appear in the web forms or API contracts." - [http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/mass_assignment_sensitive_field_exposure.html Mass Assignment: Sensitive Field Exposure]
| |
| − | | |
| − | === Alternative Names ===
| |
| − | Depending on the language/framework in question, this vulnerability can have several [https://cwe.mitre.org/data/definitions/915.html alternative names]
| |
| − | * Mass Assignment: Ruby on Rails, NodeJS
| |
| − | * Autobinding: Spring MVC, ASP.NET MVC
| |
| − | * Object injection: PHP
| |
| − | | |
| − | === Example ===
| |
| − | | |
| − | Suppose there is a form for editing a user's account information:
| |
| − | | |
| − | <form>
| |
| − | <input name=userid type=text>
| |
| − | <input name=password type=text>
| |
| − | <input name=email text=text>
| |
| − | <input type=submit>
| |
| − | </form>
| |
| − | | |
| − | Here is the object that the form is binding to:
| |
| − | | |
| − | public class User {
| |
| − | private String userid;
| |
| − | private String password;
| |
| − | private String email;
| |
| − | private boolean isAdmin;
| |
| − |
| |
| − | //Getters & Setters
| |
| − | }
| |
| − | | |
| − | Here is the controller handling the request:
| |
| − | | |
| − | @RequestMapping(value = "/addUser, method = RequestMethod.POST)
| |
| − | public String submit(User user) {
| |
| − |
| |
| − | userService.add(user);
| |
| − |
| |
| − | return "successPage";
| |
| − | }
| |
| − | | |
| − | Here is the typical request:
| |
| − | | |
| − | POST /addUser
| |
| − |
| |
| − | | |
| − | | |
| − | And here is the exploit:
| |
| − | | |
| − | POST /addUser
| |
| − |
| |
| − | | |
| − | | |
| − | | |
| − | === Exploitability ===
| |
| − | | |
| − | This functionality becomes exploitable when:
| |
| − | * Attacker can guess common sensitive fields
| |
| − | * Attacker has access to source code and can review the models for sensitive fields
| |
| − | * The object with sensitive fields has an empty constructor
| |
| − | | |
| − | | |
| − | === Case Studies ===
| |
| − | ==== GitHub ====
| |
| − | In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. [https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation GitHub's Blog Post]
| |
| − | | |
| − | | |
| − | === Solutions ===
| |
| − | * Whitelist the bindable, non-sensitive fields
| |
| − | * Blacklist the non-bindable, sensitive fields
| |
| − | * Use Data Transfer Objects (DTOs)
| |
| − | | |
| − | | |
| − | = General Solutions =
| |
| − | === Data Transfer Objects (DTOs) ===
| |
| − | An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.
| |
| − | | |
| − | public class UserRegistrationFormDTO {
| |
| − | private String userid;
| |
| − | private String password;
| |
| − | private String email;
| |
| − |
| |
| − | //private boolean isAdmin;
| |
| − |
| |
| − | //Getters & Setters
| |
| − | }
| |
| − | | |
| − | | |
| − | = Language & Framework Specific Solutions =
| |
| − | | |
| − | == Spring MVC ==
| |
| − | | |
| − | === Whitelisting ===
| |
| − | @Controller
| |
| − | public class UserController
| |
| − | {
| |
| − | @InitBinder
| |
| − | public void initBinder(WebDataBinder binder, WebRequest request)
| |
| − | {
| |
| − | binder.setAllowedFields(["userid","password","email"]);
| |
| − | }
| |
| − |
| |
| − | ...
| |
| − | }
| |
| − | | |
| − | [http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/validation/DataBinder.html#setAllowedFields-java.lang.String...- Reference]
| |
| − | | |
| − | === Blacklisting ===
| |
| − | @Controller
| |
| − | public class UserController
| |
| − | {
| |
| − | @InitBinder
| |
| − | public void initBinder(WebDataBinder binder, WebRequest request)
| |
| − | {
| |
| − | binder.setDisallowedFields(["isAdmin"]);
| |
| − | }
| |
| − |
| |
| − | ...
| |
| − | }
| |
| − | [http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/validation/DataBinder.html#setDisallowedFields-java.lang.String...- Reference]
| |
| − | | |
| − | | |
| − | == NodeJS + Mongoose ==
| |
| − | | |
| − | [https://www.npmjs.com/package/mongoose-mass-assign Reference]
| |
| − | | |
| − | | |
| − | == Ruby On Rails ==
| |
| − | | |
| − | [http://guides.rubyonrails.org/v3.2.9/security.html#mass-assignment Reference]
| |
| − | | |
| − | | |
| − | == Django ==
| |
| − | | |
| − | [https://coffeeonthekeyboard.com/mass-assignment-security-part-10-855/ Reference]
| |
| − | | |
| − | | |
| − | == ASP.NET ==
| |
| − | | |
| − | [http://odetocode.com/Blogs/scott/archive/2012/03/11/complete-guide-to-mass-assignment-in-asp-net-mvc.aspx Reference]
| |
| − | | |
| − | | |
| − | == PHP Laravel + Eloquent ==
| |
| − | | |
| − | === Whitelisting ===
| |
| − | <?php
| |
| − |
| |
| − | namespace App;
| |
| − |
| |
| − | use Illuminate\Database\Eloquent\Model;
| |
| − |
| |
| − | class User extends Model
| |
| − | {
| |
| − | private $userid;
| |
| − | private $password;
| |
| − | private $email;
| |
| − | private $isAdmin;
| |
| − |
| |
| − | protected $fillable = array('userid','password','email');
| |
| − |
| |
| − | }
| |
| − | | |
| − | [https://laravel.com/docs/5.2/eloquent#mass-assignment Reference]
| |
| − | === Blacklisting ===
| |
| − | <?php
| |
| − |
| |
| − | namespace App;
| |
| − |
| |
| − | use Illuminate\Database\Eloquent\Model;
| |
| − |
| |
| − | class User extends Model
| |
| − | {
| |
| − | private $userid;
| |
| − | private $password;
| |
| − | private $email;
| |
| − | private $isAdmin;
| |
| − |
| |
| − | protected $guarded = array('isAdmin');
| |
| − |
| |
| − | }
| |
| − | | |
| − | [https://laravel.com/docs/5.2/eloquent#mass-assignment Reference]
| |
| − | | |
| − | | |
| − | == Grails ==
| |
| − | [http://spring.io/blog/2012/03/28/secure-data-binding-with-grails/ Reference]
| |
| − | | |
| − | | |
| − | == Play ==
| |
| − | [https://www.playframework.com/documentation/1.1.1/controllers Reference]
| |
| − | | |
| − | | |
| − | == Jackson (JSON Object Mapper) ==
| |
| − | [http://www.baeldung.com/jackson-field-serializable-deserializable-or-not Reference]
| |
| − | [http://lifelongprogrammer.blogspot.com/2015/09/using-jackson-view-to-protect-mass-assignment.html Reference]
| |
| − | | |
| − | | |
| − | == GSON (JSON Object Mapper) ==
| |
| − | [https://sites.google.com/site/gson/gson-user-guide#TOC-Excluding-Fields-From-Serialization-and-Deserialization Reference]
| |
| − | [http://stackoverflow.com/a/27986860 Reference]
| |
| − | | |
| − | | |
| − | == JSON-Lib (JSON Object Mapper) ==
| |
| − | [http://json-lib.sourceforge.net/advanced.html Reference]
| |
| − | | |
| − | | |
| − | == Flexjson (JSON Object Mapper) ==
| |
| − | [http://flexjson.sourceforge.net/#Serialization Reference]
| |
| − | | |
| − | | |
| − | = Authors and Primary Editors =
| |
| − | | |
| − | | |
| − | = References and future reading =
| |
| − | * Mass Assignment, Rails and You http://code.tutsplus.com/tutorials/mass-assignment-rails-and-you--net-31695
| |
| − | | |
| − | = Other Cheatsheets =
| |
| − | | |
| − | {{Cheatsheet_Navigation_Body}}
| |
| − | | |
| − | |}
| |
| − | | |
| − | [[Category:Cheatsheets]]
| |
