Revision as of 01:21, 18 February 2016

Last revision (mm/dd/yy): 02/18/2016

Introduction

Definition

"Modern frameworks allow developers to automatically bind HTTP request parameters from both request query and body into model objects for ease of development and increased productivity. If the binder is not correctly configured to control which HTTP request parameters are bound to which model attributes, an attacker may be able to abuse the model binding process and set any other attributes that should not be exposed to user control. This binding is possible even if the model attributes do not appear in the web forms or API contracts." - Mass Assignment: Sensitive Field Exposure

Alternative Names

Depending on the language/framework in question, this vulnerability can have several alternative names

Mass Assignment: Ruby on Rails, NodeJS
Autobinding: Spring MVC, ASP.NET MVC
Object injection: PHP

Example

Suppose there is a form for editing a user's account information:

  <form>
     <input name=userid type=text>
     <input name=password type=text>
     <input name=email text=text>
     <input type=submit>
  </form>

Here is the object that the form is binding to:

  public class User {
     private String userid;
     private String password;
     private String email;
     private boolean isAdmin;
   
     //Getters & Setters
   }

Here is the controller handling the request:

  @RequestMapping(value = "/addUser, method = RequestMethod.POST)
  public String submit(User user) {
     
     userService.add(user);
  
     return "successPage";
  }

Here is the typical request:

  POST /addUser
  
  userid=bobbytables&password=hashedpass&[email protected]

And here is the exploit:

  POST /addUser
  
  userid=bobbytables&password=hashedpass&[email protected]&isAdmin=true

Exploitability

This functionality becomes exploitable when:

Attacker can guess common sensitive fields
Attacker has access to source code and can review the models for sensitive fields
The object with sensitive fields has an empty constructor

Case Studies

GitHub

In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. GitHub's Blog Post

Solutions

Whitelist the bindable, non-sensitive fields
Blacklist the non-bindable, sensitive fields
Use Data Transfer Objects (DTOs)

General Solutions

Data Transfer Objects (DTOs)

An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.

  public class UserRegistrationFormDTO {
     private String userid;
     private String password;
     private String email;
  
     //private boolean isAdmin;
   
     //Getters & Setters
   }

Language & Framework Specific Solutions

Spring MVC

Whitelisting

  @Controller
  public class UserController
  {
     @InitBinder
     public void initBinder(WebDataBinder binder, WebRequest request)
     {
        binder.setAllowedFields(["userid","password","email"]);
     }
  
     ...
  }

Reference

Blacklisting

  @Controller
  public class UserController
  {
     @InitBinder
     public void initBinder(WebDataBinder binder, WebRequest request)
     {
        binder.setDisallowedFields(["isAdmin"]);
     }
  
     ...
  }

Reference

NodeJS + Mongoose

Reference

Ruby On Rails

Reference

Django

Reference

ASP.NET

Reference

PHP Laravel + Eloquent

Whitelisting

  <?php
  
  namespace App;
  
  use Illuminate\Database\Eloquent\Model;
  
  class User extends Model
  {
     private $userid;
     private $password;
     private $email;
     private $isAdmin;
  
     protected $fillable = array('userid','password','email');
  
  }

Reference

Blacklisting

  <?php
  
  namespace App;
  
  use Illuminate\Database\Eloquent\Model;
  
  class User extends Model
  {
     private $userid;
     private $password;
     private $email;
     private $isAdmin;
  
     protected $guarded = array('isAdmin');
  
  }

Reference

Grails

Reference

Play

Reference

Jackson (JSON Object Mapper)

Reference Reference

GSON (JSON Object Mapper)

Reference Reference

JSON-Lib (JSON Object Mapper)

Reference

Flexjson (JSON Object Mapper)

Reference

Authors and Primary Editors

Abashkin Anton

References and future reading

Mass Assignment, Rails and You http://code.tutsplus.com/tutorials/mass-assignment-rails-and-you--net-31695

Other Cheatsheets

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

@@ Line 67: / Line 67: @@
 === Exploitability ===
-The attacker can exploit this if:
+This functionality becomes exploitable when:
-* They can guess common sensitive fields
+* Attacker can guess common sensitive fields
-* They have access to source code and can review the models for sensitive fields
+* Attacker has access to source code and can review the models for sensitive fields
 * The object with sensitive fields has an empty constructor
@@ Line 88: / Line 88: @@
 An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.
-    public class UserDTO {
+    public class UserRegistrationFormDTO {
        private String userid;
        private String password;
@@ Line 97: / Line 97: @@
        //Getters & Setters
      }
 = Language & Framework Specific Solutions =
@@ Line 130: / Line 131: @@
     }
 [http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/validation/DataBinder.html#setDisallowedFields-java.lang.String...- Reference]
 == NodeJS + Mongoose ==
 [https://www.npmjs.com/package/mongoose-mass-assign Reference]
 == Ruby On Rails ==
 [http://guides.rubyonrails.org/v3.2.9/security.html#mass-assignment Reference]
 == Django ==
 [https://coffeeonthekeyboard.com/mass-assignment-security-part-10-855/ Reference]
 == ASP.NET ==
 [http://odetocode.com/Blogs/scott/archive/2012/03/11/complete-guide-to-mass-assignment-in-asp-net-mvc.aspx Reference]
 == PHP Laravel + Eloquent ==
@@ Line 187: / Line 193: @@
 [https://laravel.com/docs/5.2/eloquent#mass-assignment Reference]
 == Grails ==
 [http://spring.io/blog/2012/03/28/secure-data-binding-with-grails/ Reference]
+== Play ==
+[https://www.playframework.com/documentation/1.1.1/controllers Reference]
+== Jackson (JSON Object Mapper) ==
+[http://www.baeldung.com/jackson-field-serializable-deserializable-or-not Reference]
+[http://lifelongprogrammer.blogspot.com/2015/09/using-jackson-view-to-protect-mass-assignment.html Reference]
+== GSON (JSON Object Mapper) ==
+[https://sites.google.com/site/gson/gson-user-guide#TOC-Excluding-Fields-From-Serialization-and-Deserialization Reference]
+[http://stackoverflow.com/a/27986860 Reference]
+== JSON-Lib (JSON Object Mapper) ==
+[http://json-lib.sourceforge.net/advanced.html Reference]
+== Flexjson (JSON Object Mapper) ==
+[http://flexjson.sourceforge.net/#Serialization Reference]
 = Authors and Primary Editors =

Difference between revisions of "Mass Assignment Cheat Sheet"

Revision as of 01:21, 18 February 2016

Introduction

Definition

Alternative Names

Example

Exploitability

Case Studies

GitHub

Solutions

General Solutions

Data Transfer Objects (DTOs)

Language & Framework Specific Solutions

Spring MVC

Whitelisting

Blacklisting

NodeJS + Mongoose

Ruby On Rails

Django

ASP.NET

PHP Laravel + Eloquent

Whitelisting

Blacklisting

Grails

Play

Jackson (JSON Object Mapper)

GSON (JSON Object Mapper)

JSON-Lib (JSON Object Mapper)

Flexjson (JSON Object Mapper)

Authors and Primary Editors

References and future reading

Other Cheatsheets

Navigation menu

Search