Mass Assignment Cheatsheet

Mass Assignment - OWASP Cheat Sheet Series
https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html

Mass Assignment Cheat Sheet

Introduction

Definition

Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program code variables or objects to make using that framework easier on developers. This can sometimes cause harm.

Attackers can sometimes use this methodology to create new parameters that the developer never intended, which in turn creates or overwrites variables or objects in program code that were never meant to be writable from the request. This is called a Mass Assignment vulnerability.

Alternative Names

Depending on the language/framework in question, this vulnerability can have several alternative names:

- Mass Assignment: Ruby on Rails, NodeJS.
- Autobinding: Spring MVC, ASP.NET MVC.
- Object injection: PHP.

Example

Suppose there is a form for editing a user's account information:

```html
<form>
  <input name="userid" type="text">
  <input name="password" type="text">
  <input name="email" type="text">
  <input type="submit">
</form>
```

Here is the object that the form is binding to:

```java
public class User {
    private String userid;
    private String password;
    private String email;
    private boolean isAdmin;

    // Getters & Setters
}
```

Here is the controller handling the request:

```java
@RequestMapping(value = "/addUser", method = RequestMethod.POST)
public String submit(User user) {
    userService.add(user);
    return "successPage";
}
```

Here is the typical request:

```
POST /addUser
userid=bobbytables&password=hashedpass&email=bobby@tables.com
```

And here is the exploit, in which we set the value of the attribute isAdmin of the instance of the class User:

```
POST /addUser
userid=bobbytables&password=hashedpass&email=bobby@tables.com&isAdmin=true
```

Exploitability

This functionality becomes exploitable when:

- Attacker can guess common sensitive fields.
- Attacker has access to source code and can review the models for sensitive fields.
- AND the object with sensitive fields has an empty constructor.

GitHub case study

In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. See GitHub's Blog Post.

Solutions

- Allow-list the bindable, non-sensitive fields.
- Block-list the non-bindable, sensitive fields.
- Use Data Transfer Objects (DTOs).

General Solutions

An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.

```java
public class UserRegistrationFormDTO {
    private String userid;
    private String password;
    private String email;

    // NOTE: isAdmin field is not present

    // Getters & Setters
}
```

Language & Framework specific solutions

Spring MVC

Allow-listing

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;

@Controller
public class UserController {

    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request) {
        // setAllowedFields takes a varargs String list; only these request
        // parameters are bound to the model, everything else is ignored.
        binder.setAllowedFields("userid", "password", "email");
    }
    // ...
}
```

Take a look here for the documentation.

Block-listing

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;

@Controller
public class UserController {

    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request) {
        // Disallowed fields are never bound, even if the request supplies them.
        binder.setDisallowedFields("isAdmin");
    }
    // ...
}
```

Take a look here for the documentation.

NodeJS + Mongoose

Allow-listing

```javascript
var mongoose = require('mongoose');

var UserSchema = new mongoose.Schema({
    userid: String,
    password: String,
    email: String,
    isAdmin: Boolean,
});

// Statics are copied onto the compiled model, so the allow-list is
// reachable as User.userCreateSafeFields below.
UserSchema.statics.userCreateSafeFields = ['userid', 'password', 'email'];

var User = mongoose.model('User', UserSchema);

var _ = require('underscore');
// Only the allow-listed keys of req.body reach the model; isAdmin is dropped.
var user = new User(_.pick(req.body, User.userCreateSafeFields));
```

Take a look here for the documentation.

Block-listing

```javascript
var mongoose = require('mongoose');
var massAssign = require('mongoose-mass-assign');

var UserSchema = new mongoose.Schema({
    userid: String,
    password: String,
    email: String,
    // protect: true marks the field as not assignable from request input.
    isAdmin: { type: Boolean, protect: true, default: false }
});

UserSchema.plugin(massAssign);

var User = mongoose.model('User', UserSchema);

/** Static method, useful for creation **/
var user = User.massAssign(req.body);

/** Instance method, useful for updating **/
var user = new User;
user.massAssign(req.body);

/** Static massUpdate method **/
var input = { userid: 'bhelx', isAdmin: 'true' };
User.update({ '_id': someId }, { $set: User.massUpdate(input) }, console.log);
```

Take a look here for the documentation.

Ruby On Rails

Take a look here for the documentation.

Django

Take a look here for the documentation.

ASP NET

Take a look here for the documentation.

PHP Laravel + Eloquent

Allow-listing
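As an added example (not code from the OWASP cheat sheet or any framework), here is the page's scenario modelled in plain JavaScript: parseForm decodes the request bodies shown above, bindAll binds every parameter the way an unrestricted autobinder does, and bindAllowed and bindBlocked apply the allow-list (DTO / _.pick) and block-list (setDisallowedFields) fixes. The function names, the newUser factory and the rejectedFields logging helper are my own assumptions.

```javascript
// Added example (not from the OWASP cheat sheet): autobinding modelled without a framework.
const SAFE_FIELDS = ['userid', 'password', 'email'];   // the DTO's fields
const SENSITIVE_FIELDS = ['isAdmin'];                   // never user-settable
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Decode an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The domain object with an empty constructor: isAdmin defaults to false.
function newUser() {
  return { userid: '', password: '', email: '', isAdmin: false };
}

// Copy the named request parameters onto the model, as an autobinder does.
function assignFields(user, params, fields) {
  for (const k of fields) {
    if (!hasOwn(params, k) || !hasOwn(user, k)) continue;
    // Autobinders convert "true"/"false" strings for boolean properties.
    user[k] = typeof user[k] === 'boolean' ? params[k] === 'true' : params[k];
  }
  return user;
}

// Vulnerable: every parameter matching a model field is bound, isAdmin included.
function bindAll(body) {
  const params = parseForm(body);
  return assignFields(newUser(), params, Object.keys(params));
}

// Fix 1: allow-list (like _.pick(req.body, safeFields) or a DTO without isAdmin).
function bindAllowed(body, allowed = SAFE_FIELDS) {
  return assignFields(newUser(), parseForm(body), allowed);
}

// Fix 2: block-list (like binder.setDisallowedFields("isAdmin")).
function bindBlocked(body, blocked = SENSITIVE_FIELDS) {
  const params = parseForm(body);
  return assignFields(newUser(), params,
    Object.keys(params).filter((k) => !blocked.includes(k)));
}

// Submitted but non-bindable parameters: worth logging, since an unexpected
// isAdmin=true on a registration request is a signal worth investigating.
function rejectedFields(body, allowed = SAFE_FIELDS) {
  return Object.keys(parseForm(body)).filter((k) => !allowed.includes(k));
}
const NORMAL = 'userid=bobbytables&password=hashedpass&email=bobby@tables.com';
const EXPLOIT = NORMAL + '&isAdmin=true';   // the page's exploit request body
```

Running bindAll against EXPLOIT yields isAdmin === true, while both fixes leave it false and rejectedFields reports ['isAdmin'], which is the value a defender would log.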
