Before getting into the Mass Assignment vulnerability, let us know what exactly mass assignment is and where it is used. It refers to the assignment of values to multiple variables or object properties all at once. This process reduces the burden on the developer by making their work easier. This is used in Ruby on Rails which is a server-side web application framework, NodeJS, PHP, Spring MVC, and ASP NET MVC.

What is Mass Assignment Vulnerability?

It is a computer vulnerability that involves abusing an active record pattern in a web application in order to modify data items that the user usually must not be allowed to access, including granted permissions, passwords, or administrator status.

In other words, to make developers’ work easier, the software framework allows developers to use mass assignment functionality i.e., it automatically binds HTTP request parameters either into program code variables or objects. This sometimes triggers the application into a vulnerable state.

This methodology might be used by attackers to create new parameters that were never intended by the developers. The parameters created by attackers might create or overwrite new variables or objects in program code that were not intended to receive in the request. This process of manipulating mass assignment functionality to access sensitive data or cause data loss is called the Mass Assignment vulnerability.

This vulnerability can have many alternative names depending on the language/framework being used:

  • Mass Assignment: Ruby on Rails, NodeJS.
  • Auto binding: ASP NET MVC, Spring MVC.
  • Object injection: PHP.

Example

Consider a form for editing the account information of a user, as shown below:

Image: An example of user form

  • <form>
  • <input name=”userid” type=”text”>
  • <input name=”password” type=”text”>
  • <input name=”email” text=”text”>
  • <input type=”submit”>
  • </form>

The form is binding to the following object:

  • public class User {
  • private String userid;
  • private String password;
  • private String email;
  • private boolean isAdmin;
  • //Getters & Setters
  • }

The following controller is handling the request:

  • @RequestMapping(value = “/addUser”, method = RequestMethod.POST)
  • public String submit(User user) {
  • add(user);
  • return “successPage”;
  • }

Here is the normal request:

  • POST /addUser
  • … // code
  • userid=testuser&password=somepassword&email=test@user.com

Below is the exploit where the value of the attribute “isAdmin” of the instance of the class “User” is set:

  • POST /addUser
  • … // code
  • userid=testuser&password=somepassword&email=test@user.com&isAdmin=true

If the exploit is successful, then the “testuser” in the request will be granted with admin rights.

Exploitability of Mass Assignment Vulnerability

This functionality becomes exploitable in the following scenarios:

  • When the attacker can guess common sensitive fields.
  • When the attacker can access source code and review the models for sensitive fields.
  • When the object with sensitive fields has an empty constructor.

 

Impact of Mass Assignment Vulnerability

The successful exploit of mass assignment vulnerabilities provides the attacker to update object properties which should not be accessed by them, this in turn allows them to escalate privileges, modify data, and bypass security mechanisms.

 

Remediation

To prevent this, Rails (here the Rails framework is taken as a reference) offers two class methods in the Active Record class to control/limit access to your attributes; attr_protected (blacklist principle) and attr_accessible (whitelist principle).

  • attr_protected: This method requires a list of attributes that cannot be accessed for mass-assignment. To set up protected attributes, you must assign them individually.
    • Ex: attr_protected :admin
    • attr_protected :last_login, :as => :admin
  • attr_accessible: Another convenient way is to use the whitelist principle i.e., the attr_accessible method. This is exactly the opposite of the above attr_protected method as this method allows a list of attributes that can be accessed. All other attributes will be protected. This way, it is easier to protect attributes while adding new ones during development.
    • Ex: attr_accessible :name
    • attr_accessible :name, :is_admin, :as => :admin

Utilizing mass assignment may make the work of developers easier but it will also help attackers exploit vulnerabilities. Hence, it is important for developers to use mass assignment carefully by considering all the security measures that help to keep the web apps secure.

 

References:

https://en.wikipedia.org/wiki/Mass_assignment_vulnerability

https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html

https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/

https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

https://salt.security/blog/api6-2019-mass-assignment

 

Author,

Srikanth Rudrarapu,

Attack & PenTest Team,

Varutra Consulting Pvt. Ltd.