Mass assignment vulnerability: Difference between revisions

top: it doesn't make sense to mention "raw" programming languages like PHP or Python as MA is vulnerability in how high-level frameworks are implemented
Added short description
(17 intermediate revisions by 14 users not shown)
{{Short description|Computer vulnerability}}
{{Orphan|date=March 2013}}
'''Mass assignment''' is a [[vulnerability (computing)|computer vulnerability]] where an [[active record pattern]] in a [[web application]] is abused to modify data items that the user should not normally be allowed to access, such as password, granted permissions, or administrator status.
 
Many [[web application framework]]s offer [[active record pattern|active record]] and [[object-relational mapping]] features, where external data in [[serialization]] formats is automatically converted on input into internal [[Object (computer science)|objects]] and, in turn, into database record fields. If the framework's interface for that conversion is too permissive and the application designer doesn't mark specific fields as immutable, it is possible to overwrite fields that were never intended to be modified from outside (e.g. an admin permissions flag).<ref>{{cite web | url=http://cwe.mitre.org/data/definitions/915.html | title=CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes | publisher=NIST | work=Common Weakness Enumeration | accessdate=February 27, 2013}}</ref>
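The permissive conversion described above, beside an allowlisted version of the same update, as an added example that is not from the article or from any framework it names. The <code>User</code> model, its <code>EDITABLE</code> list and the request body are constructed for illustration; no real ORM is involved.

```ruby
require 'json'

# Constructed active-record-style model: a profile that also carries a
# privilege flag the edit form never exposes.
class User
  attr_reader :name, :email, :admin

  # Fields the application intends to be client-editable.
  EDITABLE = %w[name email].freeze

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Permissive interface: every key of the deserialized body is written
  # straight onto the object, so a client-supplied "admin" key lands on
  # the record exactly like "name" does.
  def update_all!(attrs)
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end

  # Allowlisted interface: only fields in EDITABLE are copied; the rest
  # are dropped and returned so the caller can log the attempt.
  def update_permitted!(attrs)
    rejected = attrs.keys.map(&:to_s) - EDITABLE
    attrs.each do |k, v|
      instance_variable_set("@#{k}", v) if EDITABLE.include?(k.to_s)
    end
    rejected
  end
end

# Constructed request body: an ordinary profile update that smuggles in
# an extra field alongside the expected ones.
REQUEST_BODY = '{"name":"alice","email":"alice@example.test","admin":true}'

def permissive_update(body)
  user = User.new(name: 'bob', email: 'bob@example.test')
  user.update_all!(JSON.parse(body))          # admin flag is overwritten
end

def allowlisted_update(body)
  user = User.new(name: 'bob', email: 'bob@example.test')
  rejected = user.update_permitted!(JSON.parse(body))
  [user, rejected]                            # admin stays false; ["admin"] reported
end
```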
 
 
In 2012 a mass assignment vulnerability in Ruby on Rails allowed mapping restrictions to be bypassed and resulted in a [[proof of concept]] injection of unauthorized [[Secure Shell|SSH]] public keys into user accounts at [[GitHub]].<ref>{{cite web | url=https://www.zdnet.com/home-and-office/networking/github-suspends-member-over-mass-assignment-hack/ | title=GitHub suspends member over 'mass-assignment' hack | publisher=ZDnet | year=2012 | access-date=February 27, 2013}}</ref><ref>{{cite web | url=http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ | title=[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released! | accessdate=January 7, 2016}}</ref> Further vulnerabilities in Ruby on Rails allowed creation of internal objects through a specially crafted [[JSON]] structure.<ref>{{cite web | url=https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ | title=Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) | accessdate=January 7, 2016}}</ref>
 
In ASP.NET Core, mapping restrictions can be declared using the <code>[BindNever]</code> attribute.<ref>{{cite web|url=https://docs.microsoft.com/en-us/aspnet/core/mvc/models/model-binding|title=Model Binding in ASP.NET Core|last=tdykstra|website=docs.microsoft.com|date=20 June 2023 }}</ref>
 
== See also ==
* [[Data transfer object]] (DTO)
 
== References ==
{{Reflist}}