Mass assignment vulnerability: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 05:07, 30 December 2018 edit DannyS712 (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 156,608 edits m Filled in 1 bare reference(s) with reFill () ← Previous edit		Latest revision as of 12:10, 18 December 2024 edit undo Habst (talk \| contribs) Autopatrolled, Extended confirmed users, Page movers, New page reviewers, Template editors 61,734 edits Added short description Tags: Mobile edit Mobile app edit Android app edit App suggested edit App description add
(4 intermediate revisions by 3 users not shown)
Line 1: {{Short description\|Computer vulnerability}} ~~{{Orphan\|date=March 2013}}~~ '''Mass assignment''' is a [[vulnerability (computing)\|computer vulnerability]] where an [[active record pattern]] in a [[web application]] is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status. Line 7 ⟶ 6: These vulnerabilities have been found in applications written in [[Ruby on Rails]],<ref>{{cite web \| url=http://guides.rubyonrails.org/security.html#mass-assignment \| title=Mass Assignment \| work=Ruby On Rails Security Guide \| accessdate=February 27, 2013}}</ref> [[ASP.NET MVC]],<ref>{{cite web \| url=http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx \| title=Mass Assignment Vulnerability in ASP.NET MVC \| publisher=IronsHay \| accessdate=February 27, 2013}}</ref> and [[Java (software platform)\|Java]] [[Play framework]].<ref>{{cite web\|url=http://alots.wordpress.com/2014/03/26/playframework-how-to-protect-against-mass-assignment/ \|title=Playframework, how to protect against Mass Assignment \|date=2014 \|author=Alberto Souza}}</ref> In 2012 mass assignment on Ruby on Rails allowed bypassing of mapping restrictions and resulted in [[proof of concept]] injection of unauthorized [[Secure Shell\|SSH]] public keys into user accounts at [[GitHub]].<ref>{{cite web \| url=~~http~~https://www.zdnet.com/home-and-office/networking/github-suspends-member-over-mass-assignment-hack~~-4010025556~~/ \| title=GitHub suspends member over 'mass-assignment' hack \| publisher=ZDnet \| year=2012 \| ~~accessdate~~access-date=February 27, 2013}}</ref><ref>{{cite web \| url=http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ \| title=[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released! \| accessdate=January 7, 2016}}</ref> Further vulnerabilities in Ruby on Rails allowed creation of internal objects through a specially crafted [[JSON]] structure.<ref>{{cite web \| url=https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ \| title=Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) \| accessdate=January 7, 2016}}</ref> In ASP.NET Core mapping restriction can be declared using the <code>[BindNever]</code> attribute.<ref>{{cite web\|url=https://docs.microsoft.com/en-us/aspnet/core/mvc/models/model-binding\|title=Model Binding in ASP.NET Core~~\|first=~~\|last=tdykstra\|website=docs.microsoft.com\|date=20 June 2023 }}</ref> == See also ==