Mass Assignment
Mass assignment is a vulnerability that occurs when a web application automatically binds user-supplied input to the properties or variables of a program object. It becomes exploitable when a user can set attributes they should not control, such as a role, a permission set, or an admin flag.
Summary
Methodology
Mass assignment vulnerabilities are most common in web applications that use Object-Relational Mapping (ORM) techniques or helper functions to map user input onto object properties, where a whole object can be populated from a request in one call instead of field by field. Many popular web development frameworks such as Ruby on Rails, Django, and Laravel (PHP) offer this functionality.
For instance, consider a web application that uses an ORM and has a user object with the attributes `username`, `email`, `password`, and `isAdmin`. In a normal scenario, a user can update their own username, email, and password through a form, and the server assigns the submitted values to the user object.
However, an attacker may add an `isAdmin` parameter to the submitted data like so:

```json
{
    "username": "attacker",
    "email": "attacker@email.com",
    "password": "unsafe_password",
    "isAdmin": true
}
```
If the web application does not restrict which parameters may be bound in this way, it sets the `isAdmin` attribute from the user-supplied value and the attacker gains administrative privileges. The usual defence is an explicit allow-list of bindable fields (strong parameters in Rails, `$fillable` in Laravel, an explicit `fields` list on a Django form or serializer) or a dedicated request model that simply has no privileged fields; a server that rejects unknown fields, rather than silently dropping them, also makes exploitation attempts visible in logs.
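The scenario above, written out as an added example (not code from the original page): a minimal Python user object with one handler that binds every request field, next to one that binds only an allow-list and rejects anything else before writing. The `User` class, `ALLOWED_FIELDS`, the handler names and the victim account are assumptions for illustration; the request body is the attacker payload from the text.

```python
import json
from dataclasses import dataclass

# Fields a user may change on their own account (hypothetical allow-list).
ALLOWED_FIELDS = frozenset({"username", "email", "password"})


@dataclass
class User:
    """Minimal stand-in for the ORM-backed user object in the text."""
    username: str
    email: str
    password: str
    isAdmin: bool = False


def update_user_vulnerable(user: User, body: dict) -> User:
    """Vulnerable: binds every key of the request body to the object,
    so an attacker-supplied 'isAdmin' is written just like 'email'."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


def update_user_safe(user: User, body: dict) -> User:
    """Hardened: only allow-listed fields are bound. Unknown fields are
    rejected before anything is written (no partial update), and the
    rejection is explicit rather than a silent drop so it can be logged."""
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for key in ALLOWED_FIELDS & set(body):
        setattr(user, key, body[key])
    return user


# Constructed request body: the attacker payload from the text.
ATTACKER_BODY = json.dumps({
    "username": "attacker",
    "email": "attacker@email.com",
    "password": "unsafe_password",
    "isAdmin": True,
})


def exploit_vulnerable() -> bool:
    """Replay the payload against the vulnerable handler; returns the
    resulting isAdmin flag (True means privilege escalation succeeded)."""
    user = User("victim", "victim@email.com", "old_password")
    update_user_vulnerable(user, json.loads(ATTACKER_BODY))
    return user.isAdmin


def exploit_safe() -> tuple:
    """Replay the payload against the hardened handler; returns
    (isAdmin flag, rejection message or None)."""
    user = User("victim", "victim@email.com", "old_password")
    try:
        update_user_safe(user, json.loads(ATTACKER_BODY))
    except ValueError as exc:
        return user.isAdmin, str(exc)
    return user.isAdmin, None


def legitimate_update() -> User:
    """A benign profile edit still goes through the hardened handler."""
    user = User("victim", "victim@email.com", "old_password")
    return update_user_safe(user, {"email": "new@email.com"})


if __name__ == "__main__":
    print("vulnerable handler -> isAdmin =", exploit_vulnerable())
    print("hardened handler   ->", exploit_safe())
    print("legitimate update  ->", legitimate_update())
```

The allow-list is deliberately a set of field names rather than a deny-list of "dangerous" ones: a deny-list has to be updated every time a privileged column (`role`, `verified`, `credits`) is added to the model, which is exactly how these bugs reappear after a fix.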
Labs
- PentesterAcademy - Mass Assignment I
- PentesterAcademy - Mass Assignment II
- Root Me - API - Mass Assignment