Wikipedia

Mass assignment vulnerability: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
m deambig
Added short description
Tags: Mobile edit Mobile app edit Android app edit App suggested edit App description add
 
(31 intermediate revisions by 21 users not shown)
Line 1:
{{Short description|Computer vulnerability}}
'''Mass assignment''' is a [[vulnerability (computing)|computer vulnerability]] where an [[active record pattern]] in a [[web application]] is abused to modify data items that the user should be not normally be allowed to access such for exampleas password, granted permissions, or administrator status.
 
Many [[web application framework]]s offer an [[active record pattern|active record]] featureand [[object-relational mapping]] features, where aexternal databasedata recordin fields[[serialization]] canformats beis modifiedautomatically byconverted anon automaticallyinput generatedinto webinternal API[[Object methods(computer science)|objects]] and, in turn, into database record fields. If the framework doesn'ts preventinterface for that automaticallyconversion is too permissive and the application designeddesigner doesn't mark specific fields as immutable this way, it's is possible to abuseoverwrite thefields APIthat callwere andnever modifyintended theseto hiddenbe fieldsmodified from outside (e.g. admin permissions flag).<ref>{{cite web | url=http://cwe.mitre.org/data/definitions/915.html | title=CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes | publisher=NIST | work=Common Weakness Enumeration | accessdate=February 27, 2013}}</ref>.
 
These vulnerabilities werehave been found in applications written in [[Ruby on Rails]],<ref>{{cite web | url=http://guides.rubyonrails.org/security.html#mass-assignment | title=Mass Assignment | work=Ruby On Rails Security Guide | accessdate=February 27, 2013}}</ref>, [[ASP.NET MVC Framework]],<ref>{{cite web | url=http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx | title=Mass Assignment Vulnerability in ASP.NET MVC | publisher=IronsHay | accessdate=February 27, 2013}}</ref>, [[PHP]] and [[PythonJava (programmingsoftware languageplatform)|PythonJava]] [[Play framework]].<ref>{{cite web|url=http://alots.wordpress.com/2014/03/26/playframework-how-to-protect-against-mass-assignment/ |title=Playframework, how to protect against Mass Assignment |date=2014 |author=Alberto Souza}}</ref>
 
In 2012 mass assignment on Ruby on Rails wasallowed publishedbypassing thatof allowedmapping restrictions and resulted in [[proof of concept]] injection of unauthorized [[Secure Shell|SSH]] public keys into user accounts at [[GitHub]].<ref>{{cite web | url=httphttps://www.zdnet.com/home-and-office/networking/github-suspends-member-over-mass-assignment-hack-4010025556/ | title=GitHub suspends member over 'mass-assignment' hack | publisher=ZDnet | dateyear=2012 | accessdateaccess-date=February 27, 2013}}</ref><ref>{{cite web | url=http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ | title=[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released! | accessdate=January 7, 2016}}</ref> Further vulnerabilities in Ruby on Rails allowed creation of internal objects through a specially crafted [[JSON]] structure.<ref>{{cite web | url=https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ | title=Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) | accessdate=January 7, 2016}}</ref>
 
In ASP.NET Core mapping restriction can be declared using the <code>[BindNever]</code> attribute.<ref>{{cite web|url=https://docs.microsoft.com/en-us/aspnet/core/mvc/models/model-binding|title=Model Binding in ASP.NET Core|last=tdykstra|website=docs.microsoft.com|date=20 June 2023 }}</ref>
 
== See also ==
* [[Data transfer object]] (DTO)
 
== References ==
{{Reflist}}
 
Retrieved from "https://en.wikipedia.org/wiki/Mass_assignment_vulnerability"