Revision as of 03:41, 10 August 2012 edit AlastairIrvine (talk \| contribs) Extended confirmed users 605 edits ←Created page with 'This can be used to submit extra data to a Web form, thus bypassing additional access, etc. == References == *[http://cve.mitre.org/cgi-bin/cvena...'		Revision as of 16:04, 27 February 2013 edit undo Cloud200 (talk \| contribs) Extended confirmed users 4,720 edits More content, move refernces to refs (edited with ProveIt) Next edit →
Line 1: '''Mass assignment''' is a [[computer vulnerability]] where an [[active record pattern]] in [[web application]] is abused to modify data items that the user should be not normally allowed to access — for example password, granted permissions or administrator status. ~~This can be used to submit extra data to a [[Form (web)\|Web form]], thus bypassing additional access, etc.~~ Many [[web application framework]]s offer an [[active record pattern\|active record]] feature, where a database record fields can be modified by an automatically generated web API methods. If the framework doesn't prevent that automatically and the application designed doesn't mark specific fields as immutable this way, it's possible to abuse the API call and modify these hidden fields<ref>{{cite web \| url=http://cwe.mitre.org/data/definitions/915.html \| title=CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes \| publisher=NIST \| work=Common Weakness Enumeration \| accessdate=February 27, 2013}}</ref>. ~~== References ==~~ [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7310 CVE-2008-7310] [http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/ Mass assignment in Rails applications] [http://arstechnica.com/business/2012/03/hacker-commandeers-github-to-prove-vuln-in-ruby/ Hacker commandeers GitHub to prove Rails vulnerability] [http://www.zdnet.com/github-suspends-member-over-mass-assignment-hack-4010025556/ GitHub suspends member over 'mass-assignment' hack] [https://github.com/rails/rails/issues/5228 Rails bug report] [http://guides.rubyonrails.org/security.html#mass-assignment Mass Assignment section in the Ruby On Rails Security Guide] [https://groups.google.com/d/topic/cake-php/FcVBqxifvck/discussion "Mass Assignment Vulnerability" - protection in Cake] -- requires login to Google [http://stackoverflow.com/questions/10458468/does-cakephp-automatically-deal-with-mass-assignment-vulnerabilities-when-saving Does CakePHP automatically deal with mass assignment vulnerabilities when saving modified data?] *[http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx Mass Assignment Vulnerability in ASP.NET MVC] These vulnerabilities were found in applications written in [[Ruby on Rails]]<ref>{{cite web \| url=http://guides.rubyonrails.org/security.html#mass-assignment \| title=Mass Assignment \| work=Ruby On Rails Security Guide \| accessdate=February 27, 2013}}</ref>, [[ASP.NET MVC Framework]]<ref>{{cite web \| url=http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx \| title=Mass Assignment Vulnerability in ASP.NET MVC \| publisher=IronsHay \| accessdate=February 27, 2013}}</ref>, [[PHP]] and [[Python]]. ~~{{Compu-prog-stub}}~~ In 2012 mass assignment on Ruby on Rails was published that allowed injection of unauthorized [[SSH]] public keys into user accounts at [[GitHub]]<ref>{{cite web \| url=http://www.zdnet.com/github-suspends-member-over-mass-assignment-hack-4010025556/ \| title=GitHub suspends member over 'mass-assignment' hack \| publisher=ZDnet \| date=2012 \| accessdate=February 27, 2013}}</ref>. {[references}} [[Category:Web security exploits]]

Mass assignment vulnerability: Difference between revisions