Mass assignment vulnerability

Mass assignment is a computer vulnerability where an active record pattern in web application is abused to modify data items that the user should be not normally allowed to access — for example password, granted permissions or administrator status.

Many web application frameworks offer an active record feature, where a database record fields can be modified by an automatically generated web API methods. If the framework doesn't prevent that automatically and the application designed doesn't mark specific fields as immutable this way, it's possible to abuse the API call and modify these hidden fields^[1].

These vulnerabilities were found in applications written in Ruby on Rails^[2], ASP.NET MVC Framework^[3], PHP and Python.

In 2012 mass assignment on Ruby on Rails was published that allowed injection of unauthorized SSH public keys into user accounts at GitHub^[4].

^ "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes". Common Weakness Enumeration. NIST. Retrieved February 27, 2013.
^ "Mass Assignment". Ruby On Rails Security Guide. Retrieved February 27, 2013.
^ "Mass Assignment Vulnerability in ASP.NET MVC". IronsHay. Retrieved February 27, 2013.
^ "GitHub suspends member over 'mass-assignment' hack". ZDnet. 2012. Retrieved February 27, 2013.

[1] "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes". Common Weakness Enumeration. NIST. Retrieved February 27, 2013.

[2] "Mass Assignment". Ruby On Rails Security Guide. Retrieved February 27, 2013.

[3] "Mass Assignment Vulnerability in ASP.NET MVC". IronsHay. Retrieved February 27, 2013.

[4] "GitHub suspends member over 'mass-assignment' hack". ZDnet. 2012. Retrieved February 27, 2013.

[1]

[2]

[3]

[4]