{{Short description|Computer vulnerability}}
'''Mass assignment''' is a [[vulnerability (computing)|computer vulnerability]] where an [[active record pattern]] in a [[web application]] is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status.
Many [[web application framework]]s offer an [[active record pattern|active record]] and [[object-relational mapping]] features, where external data in [[serialization]] formats is automatically converted on input into internal [[Object (computer science)|objects]] and, in turn, into database record fields. If the framework's interface for that conversion is too permissive and the application designer doesn't mark specific fields as immutable, it
These vulnerabilities were found in applications written in [[Ruby on Rails]],<ref>{{cite web | url=http://guides.rubyonrails.org/security.html#mass-assignment | title=Mass Assignment | work=Ruby On Rails Security Guide | accessdate=February 27, 2013}}</ref> [[ASP.NET MVC]],<ref>{{cite web | url=http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx | title=Mass Assignment Vulnerability in ASP.NET MVC | publisher=IronsHay | accessdate=February 27, 2013}}</ref> [[Java (software platform)|Java]] [[Play framework]],<ref>{{cite web|url=http://alots.wordpress.com/2014/03/26/playframework-how-to-protect-against-mass-assignment/ |title=Playframework, how to protect against Mass Assignment |date=2014 |author=Alberto Souza}}</ref> and [[Laravel]].<ref>{{Cite web|title = Eloquent: Getting Started - Laravel - The PHP Framework For Web Artisans|url = https://laravel.com/docs/5.1/eloquent#mass-assignment|website = laravel.com|access-date = 2016-01-26|first = Taylor|last = Otwell}}</ref>
In ASP.NET Core mapping restriction can be declared using the <code>[BindNever]</code> attribute.<ref>{{cite web|url=https://docs.microsoft.com/en-us/aspnet/core/mvc/models/model-binding|title=Model Binding in ASP.NET Core|last=tdykstra|website=docs.microsoft.com|date=20 June 2023 }}</ref>
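As an added illustration, not code from this article or from any of the frameworks it names, the following plain Ruby models an active-record-style object updated from a request hash under both policies the article contrasts: permissive assignment of every submitted key versus an explicit allow-list (the role played by Rails strong parameters, Laravel's <code>$fillable</code>, or <code>[BindNever]</code> in ASP.NET Core). The class, field names and request body are constructed for the example.

```ruby
# Added example, not code from the article or any framework; names are constructed.
class User
  FIELDS = %i[name email admin ssh_public_key].freeze
  attr_reader(*FIELDS)

  def initialize(name:, email:)
    @name = name
    @email = email
    @admin = false          # privilege flag: must never come from a request body
    @ssh_public_key = nil   # credential: only settable through a dedicated flow
  end

  # Vulnerable form: every recognised key in the request is written straight to
  # a field, as a permissive framework update(params) call does.
  def mass_assign!(attrs)
    attrs.each do |key, value|
      field = key.to_sym
      instance_variable_set("@#{field}", value) if FIELDS.include?(field)
    end
    self
  end

  # Hardened form: copy only an explicit allow-list of fields (the role played by
  # Rails strong parameters, Laravel's $fillable, or [BindNever] in ASP.NET Core).
  PROFILE_FIELDS = %i[name email].freeze

  def assign_profile!(attrs)
    mass_assign!(attrs.transform_keys(&:to_sym).slice(*PROFILE_FIELDS))
  end
end

# Constructed request body: a profile edit carrying two fields the form never
# exposes, the kind of request behind the 2012 GitHub proof of concept.
TAMPERED_REQUEST = {
  "name" => "Mallory", "email" => "mallory@example.org",
  "admin" => true, "ssh_public_key" => "ssh-ed25519 AAAA-constructed-placeholder"
}.freeze

# Returns what an attacker-controlled request ends up changing under each policy.
def apply_request(hardened:)
  user = User.new(name: "Alice", email: "alice@example.org")
  hardened ? user.assign_profile!(TAMPERED_REQUEST) : user.mass_assign!(TAMPERED_REQUEST)
  { name: user.name, admin: user.admin, key_set: !user.ssh_public_key.nil? }
end

puts "permissive: #{apply_request(hardened: false)}"   # admin becomes true, key set
puts "allow-list: #{apply_request(hardened: true)}"    # only name and email change
```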
In 2012 mass assignment on Ruby on Rails allowed bypassing of mapping restrictions and resulted in [[proof of concept]] injection of unauthorized [[Secure Shell|SSH]] public keys into user accounts at [[GitHub]].<ref>{{cite web | url=http://www.zdnet.com/github-suspends-member-over-mass-assignment-hack-4010025556/ | title=GitHub suspends member over 'mass-assignment' hack | publisher=ZDnet | year=2012 | accessdate=February 27, 2013}}</ref><ref>{{cite web | url=http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ | title=[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released! | accessdate=January 7, 2016}}</ref> Further vulnerabilities in Ruby on Rails allowed creation of internal objects through a specially crafted [[JSON]] structure.<ref>{{cite web | url=https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ | title=Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) | accessdate=January 7, 2016}}</ref>
== See also ==
* [[Data transfer object]] (DTO)
== References ==
{{Reflist}}