Revision as of 16:05, 10 March 2013 edit Yobot (talk \| contribs) Bots 4,733,870 edits m WP:CHECKWIKI errors fixed + general fixes, added orphan tag using AWB (8961) ← Previous edit		Revision as of 12:37, 26 April 2013 edit undo 77.56.36.164 (talk) No edit summary Next edit →
Line 3: '''Mass assignment''' is a [[vulnerability (computing)\|computer vulnerability]] where an [[active record pattern]] in [[web application]] is abused to modify data items that the user should be not normally allowed to access — for example password, granted permissions or administrator status. Many [[web application framework]]s offer an [[active record pattern\|active record]] feature, where a database record fields can be modified by ana automatically generated web API methods. If the framework doesn't prevent that automatically and the application designed doesn't mark specific fields as immutable this way, it's possible to abuse the API call and modify these hidden fields.<ref>{{cite web \| url=http://cwe.mitre.org/data/definitions/915.html \| title=CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes \| publisher=NIST \| work=Common Weakness Enumeration \| accessdate=February 27, 2013}}</ref> These vulnerabilities were found in applications written in [[Ruby on Rails]],<ref>{{cite web \| url=http://guides.rubyonrails.org/security.html#mass-assignment \| title=Mass Assignment \| work=Ruby On Rails Security Guide \| accessdate=February 27, 2013}}</ref> [[ASP.NET MVC Framework]],<ref>{{cite web \| url=http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx \| title=Mass Assignment Vulnerability in ASP.NET MVC \| publisher=IronsHay \| accessdate=February 27, 2013}}</ref> [[PHP]] and [[Python (programming language)\|Python]].

Mass assignment vulnerability: Difference between revisions