Wikipedia

Mass assignment vulnerability

Mass assignment is a computer vulnerability where the active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access, such as a password, granted permissions, or administrator status.

Many web application frameworks offer active record and object-relational mapping features, where external data in serialization formats is automatically converted on input into internal objects and, in turn, into database record fields. If the framework's interface for that conversion is too permissive and the application designer does not mark specific fields as immutable, it is possible to overwrite fields that were never intended to be modified from outside (e.g. an admin permissions flag).[1]

These vulnerabilities have been found in applications written in Ruby on Rails,[2] ASP.NET MVC,[3] and Java Play framework.[4]

In 2012 mass assignment in Ruby on Rails allowed mapping restrictions to be bypassed and resulted in a proof-of-concept injection of unauthorized SSH public keys into user accounts at GitHub.[5][6] Further vulnerabilities in Ruby on Rails allowed the creation of internal objects through a specially crafted JSON structure.[7]

In ASP.NET Core, mapping restrictions can be declared using the [BindNever] attribute.[8]
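The following is an added example, not code from the article or from any of the frameworks it names. It models the active-record-style conversion described above in plain Ruby: a permissive `assign_attributes` that turns every key of an incoming JSON document into a setter call (so the `admin` field is reachable from outside), beside an allowlist version that only permits the intended fields, the same idea as Rails' strong parameters or ASP.NET Core's [BindNever]. The `User` class, its fields and the request body are all constructed for the example.

```ruby
require 'json'

# Constructed model standing in for an ORM-backed record. "admin" is a field
# that must never be writable from request data.
class User
  attr_accessor :name, :email, :admin

  # Fields an external request is allowed to set (the allowlist).
  PERMITTED = %w[name email].freeze

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Permissive mass assignment: every key in the parsed input becomes a setter
  # call, so any attribute with a setter, including admin, can be overwritten.
  def assign_attributes_unsafe(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Allowlist-based mass assignment: keys outside PERMITTED are silently
  # dropped, so the request cannot reach fields it was never meant to touch.
  def assign_attributes_safe(params)
    params.each do |key, value|
      next unless PERMITTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end
end

# Constructed request body: a profile update that also carries an "admin" key,
# the situation the article describes.
CRAFTED_PAYLOAD = '{"name":"alice","email":"alice@example.com","admin":true}'

# Parse the JSON body and apply it to the record with the chosen strategy.
def update_profile(user, json_body, safe:)
  params = JSON.parse(json_body)
  safe ? user.assign_attributes_safe(params) : user.assign_attributes_unsafe(params)
end

if __FILE__ == $PROGRAM_NAME
  vulnerable = update_profile(User.new(name: 'a', email: 'a@x'), CRAFTED_PAYLOAD, safe: false)
  hardened   = update_profile(User.new(name: 'a', email: 'a@x'), CRAFTED_PAYLOAD, safe: true)
  puts "unsafe: admin=#{vulnerable.admin}" # admin=true  (field was overwritten)
  puts "safe:   admin=#{hardened.admin}"   # admin=false (key was ignored)
end
```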

See also

Data transfer object (DTO)

References

  1. "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes". Common Weakness Enumeration. NIST. Retrieved February 27, 2013.
  2. "Mass Assignment". Ruby on Rails Security Guide. Retrieved February 27, 2013.
  3. "Mass Assignment Vulnerability in ASP.NET MVC". IronsHay. Retrieved February 27, 2013.
  4. Alberto Souza (2014). "Playframework, how to protect against Mass Assignment".
  5. "GitHub suspends member over 'mass-assignment' hack". ZDNet. 2012. Retrieved February 27, 2013.
  6. "[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released!". Retrieved January 7, 2016.
  7. "Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)". Retrieved January 7, 2016.
  8. tdykstra (20 June 2023). "Model Binding in ASP.NET Core". docs.microsoft.com.
