This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Mass Assignment Cheat Sheet
|
Last revision (mm/dd/yy): 02/18/2016
IntroductionDefinition"Modern frameworks allow developers to automatically bind HTTP request parameters from both request query and body into model objects for ease of development and increased productivity. If the binder is not correctly configured to control which HTTP request parameters are bound to which model attributes, an attacker may be able to abuse the model binding process and set any other attributes that should not be exposed to user control. This binding is possible even if the model attributes do not appear in the web forms or API contracts." - Mass Assignment: Sensitive Field Exposure
Alternative NamesDepending on the language/framework in question, this vulnerability can have several alternative names
ExampleSuppose there is a form for editing a user's account information: <form>
<input name=userid type=text>
<input name=password type=text>
<input name=email text=text>
<input type=submit>
</form>
Here is the object that the form is binding to: public class User {
private String userid;
private String password;
private String email;
private boolean isAdmin;
//Getters & Setters
}
Here is the controller handling the request: @RequestMapping(value = "/addUser, method = RequestMethod.POST)
public String submit(User user) {
userService.add(user);
return "successPage";
}
Here is the typical request: POST /addUser userid=bobbytables&password=hashedpass&[email protected] And here is the exploit: POST /addUser userid=bobbytables&password=hashedpass&[email protected]&isAdmin=true
ExploitabilityThis functionality becomes exploitable when:
Case StudiesGitHubIn 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. GitHub's Blog Post
Solutions
General SolutionsData Transfer Objects (DTOs)An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO. public class UserRegistrationFormDTO {
private String userid;
private String password;
private String email;
//private boolean isAdmin;
//Getters & Setters
}
Language & Framework Specific SolutionsSpring MVCWhitelisting @Controller
public class UserController
{
@InitBinder
public void initBinder(WebDataBinder binder, WebRequest request)
{
binder.setAllowedFields(["userid","password","email"]);
}
...
}
Blacklisting @Controller
public class UserController
{
@InitBinder
public void initBinder(WebDataBinder binder, WebRequest request)
{
binder.setDisallowedFields(["isAdmin"]);
}
...
}
NodeJS + Mongoose
Ruby On Rails
Django
ASP.NET
PHP Laravel + EloquentWhitelisting <?php
namespace App;
use Illuminate\Database\Eloquent\Model;
class User extends Model
{
private $userid;
private $password;
private $email;
private $isAdmin;
protected $fillable = array('userid','password','email');
}
Blacklisting <?php
namespace App;
use Illuminate\Database\Eloquent\Model;
class User extends Model
{
private $userid;
private $password;
private $email;
private $isAdmin;
protected $guarded = array('isAdmin');
}
Grails
Play
Jackson (JSON Object Mapper)
GSON (JSON Object Mapper)
JSON-Lib (JSON Object Mapper)
Flexjson (JSON Object Mapper)
Authors and Primary EditorsReferences and future reading
Other Cheatsheets |
