Mass assignment vulnerability: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 15:26, 1 December 2015 edit Uzume (talk \| contribs) Extended confirmed users, Page movers, Template editors 12,664 edits m →top ← Previous edit		Latest revision as of 12:10, 18 December 2024 edit undo Habst (talk \| contribs) Autopatrolled, Extended confirmed users, Page movers, New page reviewers, Template editors 61,734 edits Added short description Tags: Mobile edit Mobile app edit Android app edit App suggested edit App description add
(15 intermediate revisions by 12 users not shown)
Line 1: {{Short description\|Computer vulnerability}} ~~{{Orphan\|date=March 2013}}~~ '''Mass assignment''' is a [[vulnerability (computing)\|computer vulnerability]] where an [[active record pattern]] in a [[web application]] is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status. Many [[web application framework]]s offer an [[active record pattern\|active record]] ~~feature~~and [[object-relational mapping]] features, where ~~database~~external ~~record~~data ~~fields~~in ~~can~~[[serialization]] ~~be modified~~formats byis automatically ~~generated~~converted ~~web~~on ~~API~~input ~~methods~~into internal [[Object (computer science)\|objects]] and, in turn, into database record fields. If the framework ~~doesn~~'ts ~~prevent~~interface for that ~~automatically~~conversion is too permissive and the application designer doesn't mark specific fields as immutable ~~this way~~, it's is possible to ~~abuse~~overwrite ~~the~~fields ~~API~~that ~~call~~were ~~and~~never ~~modify~~intended ~~these~~to ~~hidden~~be ~~fields~~modified from outside (e.g. admin permissions flag).<ref>{{cite web \| url=http://cwe.mitre.org/data/definitions/915.html \| title=CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes \| publisher=NIST \| work=Common Weakness Enumeration \| accessdate=February 27, 2013}}</ref> These vulnerabilities ~~were~~have been found in applications written in [[Ruby on Rails]],<ref>{{cite web \| url=http://guides.rubyonrails.org/security.html#mass-assignment \| title=Mass Assignment \| work=Ruby On Rails Security Guide \| accessdate=February 27, 2013}}</ref> [[ASP.NET MVC]],<ref>{{cite web \| url=http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx \| title=Mass Assignment Vulnerability in ASP.NET MVC \| publisher=IronsHay \| accessdate=February 27, 2013}}</ref> and [[Java (software platform)\|Java]] [[Play framework]].<ref>{{cite web\|url=http://alots.wordpress.com/2014/03/26/playframework-how-to-protect-against-mass-assignment/ \|title=Playframework, how to protect against Mass Assignment \|date=2014 \|author=Alberto Souza}}</ref> ▼ In 2012 mass assignment on Ruby on Rails allowed bypassing of mapping restrictions and resulted in [[proof of concept]] injection of unauthorized [[Secure Shell\|SSH]] public keys into user accounts at [[GitHub]].<ref>{{cite web \| url=https://www.zdnet.com/home-and-office/networking/github-suspends-member-over-mass-assignment-hack/ \| title=GitHub suspends member over 'mass-assignment' hack \| publisher=ZDnet \| year=2012 \| access-date=February 27, 2013}}</ref><ref>{{cite web \| url=http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ \| title=[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released! \| accessdate=January 7, 2016}}</ref> Further vulnerabilities in Ruby on Rails allowed creation of internal objects through a specially crafted [[JSON]] structure.<ref>{{cite web \| url=https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ \| title=Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) \| accessdate=January 7, 2016}}</ref> In ASP.NET Core mapping restriction can be declared using the <code>[BindNever]</code> attribute.<ref>{{cite web\|url=https://docs.microsoft.com/en-us/aspnet/core/mvc/models/model-binding\|title=Model Binding in ASP.NET Core\|last=tdykstra\|website=docs.microsoft.com\|date=20 June 2023 }}</ref> ▲These vulnerabilities were found in applications written in [[Ruby on Rails]],<ref>{{cite web \| url=http://guides.rubyonrails.org/security.html#mass-assignment \| title=Mass Assignment \| work=Ruby On Rails Security Guide \| accessdate=February 27, 2013}}</ref> [[ASP.NET MVC]],<ref>{{cite web \| url=http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx \| title=Mass Assignment Vulnerability in ASP.NET MVC \| publisher=IronsHay \| accessdate=February 27, 2013}}</ref> [[Java (software platform)\|Java]] [[Play framework]].<ref>{{cite web\|url=http://alots.wordpress.com/2014/03/26/playframework-how-to-protect-against-mass-assignment/ \|title=Playframework, how to protect against Mass Assignment \|date=2014 \|author=Alberto Souza}}</ref> == See also == In 2012 mass assignment on Ruby on Rails was published that allowed injection of unauthorized [[Secure Shell\|SSH]] public keys into user accounts at [[GitHub]].<ref>{{cite web \| url=http://www.zdnet.com/github-suspends-member-over-mass-assignment-hack-4010025556/ \| title=GitHub suspends member over 'mass-assignment' hack \| publisher=ZDnet \| year=2012 \| accessdate=February 27, 2013}}</ref> * [[Data transfer object]] (DTO) == References == {{Reflist}}