25.-Web-mass-assignment-vulnerabilities
1. Concept of Mass Assignment Vulnerability
Mass assignment vulnerabilities occur when frameworks allow direct insertion of user-supplied data into objects or databases without proper restrictions. Attackers can exploit this by modifying HTTP request parameters to alter unauthorized model attributes, leading to:
Unauthorized data modification
Privilege escalation
Bypassing approval mechanisms
2. Exploitation Examples
Python/SQLite (Vulnerable Code & Exploitation)
Vulnerable Code:
try:
if request.form['confirmed']:
cond = True
except:
cond = False
with sqlite3.connect("database.db") as con:
cur = con.cursor()
cur.execute('select * from users where username=?', (username,))
if cur.fetchone():
return render_template('index.html', value='User exists!!')
else:
cur.execute('insert into users values(?,?,?)', (username, password, cond))
con.commit()
return render_template('index.html', value='Success!!')Exploit Example (HTTP POST request modification):
POST /register HTTP/1.1
Host: <target_host>
Content-Type: application/x-www-form-urlencoded
Content-Length: ...
username=newuser&password=password123&confirmed=anyvalueAn attacker can register a user and set confirmed to any value, bypassing admin approval.
Ruby on Rails (Vulnerable Code & Prevention)
Vulnerable Code:
class UsersController < ApplicationController
def create
@user = User.new(params[:user]) # Vulnerable mass assignment
if @user.save
redirect_to @user
else
render 'new'
end
end
endAn attacker could send an HTTP request with admin=true, escalating privileges.
Prevention with Strong Parameters:
class UsersController < ApplicationController
def create
@user = User.new(user_params)
if @user.save
redirect_to @user
else
render 'new'
end
end
private
def user_params
params.require(:user).permit(:username, :email) # Only allow specific fields
end
endLaravel (PHP) Vulnerability & Prevention
Vulnerable Code:
class User extends Model {
protected $guarded = []; // Allows mass assignment of all attributes (unsafe)
}Prevention:
class User extends Model {
protected $fillable = ['username', 'email']; // Only specific fields are allowed
}Express (Node.js) Vulnerability & Prevention
Vulnerable Code:
app.post('/register', async (req, res) => {
const user = await User.create(req.body); // Accepts all fields from request (unsafe)
res.send(user);
});Prevention:
app.post('/register', async (req, res) => {
const user = await User.create({
username: req.body.username,
email: req.body.email
}); // Only specific fields are allowed
res.send(user);
});3. Prevention Techniques
Whitelisting: Define explicitly allowed attributes (e.g.,
params.require(:user).permit(...)).ORM Security Features: Utilize framework protections, such as:
Rails:
attr_protected(deprecated, use strong parameters instead)Sequelize (Node.js):
allowNull: falseanddefaultValue: false.
Sanitization & Validation: Ensure user inputs are validated before database insertion.
Principle of Least Privilege: Limit user permissions to the absolute minimum necessary.
Logging & Monitoring: Detect unusual parameter modifications and alert security teams.
Regular Code Audits: Conduct security reviews and penetration testing to identify vulnerabilities.
Database Constraints: Use
NOT NULL,CHECK, andENUMvalues to enforce security at the database level.
4. Real-World Exploits
GitHub's 2012 Mass Assignment Vulnerability
GitHub suffered from a mass assignment flaw that allowed attackers to gain administrative access to projects by modifying their user roles in API requests.
Shopify Mass Assignment Exploit
A researcher exploited a mass assignment vulnerability in Shopify's admin panel to gain unauthorized control over store settings.
5. Key Takeaways
Mass assignment vulnerabilities arise from automatic mapping of user input to database fields.
Exploits typically involve parameter tampering in HTTP requests.
Whitelisting and framework security features should always be used.
Always validate and sanitize user input.
Logging and monitoring can help detect and prevent such attacks.
Security should be an ongoing process, with continuous code reviews and testing.
Last updated