25.-Web-mass-assignment-vulnerabilities

1. Concept of Mass Assignment Vulnerability

Mass assignment vulnerabilities occur when frameworks allow direct insertion of user-supplied data into objects or databases without proper restrictions. Attackers can exploit this by modifying HTTP request parameters to alter unauthorized model attributes, leading to:

Unauthorized data modification
Privilege escalation
Bypassing approval mechanisms

2. Exploitation Examples

Python/SQLite (Vulnerable Code & Exploitation)

Vulnerable Code:

try:
  if request.form['confirmed']:
    cond = True
except:
  cond = False

with sqlite3.connect("database.db") as con:
  cur = con.cursor()
  cur.execute('select * from users where username=?', (username,))
  if cur.fetchone():
    return render_template('index.html', value='User exists!!')
  else:
    cur.execute('insert into users values(?,?,?)', (username, password, cond))
    con.commit()
    return render_template('index.html', value='Success!!')

Exploit Example (HTTP POST request modification):

POST /register HTTP/1.1
Host: <target_host>
Content-Type: application/x-www-form-urlencoded
Content-Length: ...

username=newuser&password=password123&confirmed=anyvalue

An attacker can register a user and set confirmed to any value, bypassing admin approval.

Ruby on Rails (Vulnerable Code & Prevention)

Vulnerable Code:

class UsersController < ApplicationController
  def create
    @user = User.new(params[:user]) # Vulnerable mass assignment
    if @user.save
      redirect_to @user
    else
      render 'new'
    end
  end
end

An attacker could send an HTTP request with admin=true, escalating privileges.

Prevention with Strong Parameters:

class UsersController < ApplicationController
  def create
    @user = User.new(user_params)
    if @user.save
      redirect_to @user
    else
      render 'new'
    end
  end

  private
  def user_params
    params.require(:user).permit(:username, :email) # Only allow specific fields
  end
end

Laravel (PHP) Vulnerability & Prevention

Vulnerable Code:

class User extends Model {
    protected $guarded = []; // Allows mass assignment of all attributes (unsafe)
}

Prevention:

class User extends Model {
    protected $fillable = ['username', 'email']; // Only specific fields are allowed
}

Express (Node.js) Vulnerability & Prevention

Vulnerable Code:

app.post('/register', async (req, res) => {
    const user = await User.create(req.body); // Accepts all fields from request (unsafe)
    res.send(user);
});

Prevention:

app.post('/register', async (req, res) => {
    const user = await User.create({
        username: req.body.username,
        email: req.body.email
    }); // Only specific fields are allowed
    res.send(user);
});

3. Prevention Techniques

Whitelisting: Define explicitly allowed attributes (e.g., params.require(:user).permit(...)).
ORM Security Features: Utilize framework protections, such as:
- Rails: attr_protected (deprecated, use strong parameters instead)
- Sequelize (Node.js): allowNull: false and defaultValue: false.
Sanitization & Validation: Ensure user inputs are validated before database insertion.
Principle of Least Privilege: Limit user permissions to the absolute minimum necessary.
Logging & Monitoring: Detect unusual parameter modifications and alert security teams.
Regular Code Audits: Conduct security reviews and penetration testing to identify vulnerabilities.
Database Constraints: Use NOT NULL, CHECK, and ENUM values to enforce security at the database level.

4. Real-World Exploits

GitHub's 2012 Mass Assignment Vulnerability

GitHub suffered from a mass assignment flaw that allowed attackers to gain administrative access to projects by modifying their user roles in API requests.

Shopify Mass Assignment Exploit

A researcher exploited a mass assignment vulnerability in Shopify's admin panel to gain unauthorized control over store settings.

5. Key Takeaways

Mass assignment vulnerabilities arise from automatic mapping of user input to database fields.
Exploits typically involve parameter tampering in HTTP requests.
Whitelisting and framework security features should always be used.
Always validate and sanitize user input.
Logging and monitoring can help detect and prevent such attacks.
Security should be an ongoing process, with continuous code reviews and testing.

Previous24.Attacking-ldap Next26.Attacking-applications-connecting-to-services

Last updated 12 days ago

try: if request.form['confirmed']: cond = True except: cond = False with sqlite3.connect("database.db") as con: cur = con.cursor() cur.execute('select * from users where username=?', (username,)) if cur.fetchone(): return render_template('index.html', value='User exists!!') else: cur.execute('insert into users values(?,?,?)', (username, password, cond)) con.commit() return render_template('index.html', value='Success!!')

class UsersController < ApplicationController def create @user = User.new(params[:user]) # Vulnerable mass assignment if @user.save redirect_to @user else render 'new' end end end

class UsersController < ApplicationController def create @user = User.new(user_params) if @user.save redirect_to @user else render 'new' end end private def user_params params.require(:user).permit(:username, :email) # Only allow specific fields end end

app.post('/register', async (req, res) => { const user = await User.create({ username: req.body.username, email: req.body.email }); // Only specific fields are allowed res.send(user); });