Mass assignment vulnerabilities!
Mass assignment (also known as auto-binding) can inadvertently create hidden parameters.
by Wilomousky Assaf on September 09
Mass assignment (also known as
auto-binding) can inadvertently create hidden parameters. It occurs when
software frameworks automatically bind request parameters to fields on an
internal object. Mass assignment may therefore result in the application supporting
parameters that were never intended to be processed by the developer.
Identifying hidden parameters
Since mass assignment creates parameters from object fields, you can often identify these hidden parameters by manually examining objects returned by the API.
For example, consider a PATCH /api/users/
request, which enables users to update their username and email, and includes
the following JSON:
{
"username":
"wiener",
"email":
"wiener@example.com",
}
A concurrent GET /api/users/123 request
returns the following JSON:
{
"id": 123,
"name": "John
Doe",
"email":
"john@example.com",
"isAdmin":
"false"
}
This may indicate that the hidden id and isAdmin parameters are bound to the internal user object, alongside
the updated username and email parameters.
Testing mass assignment vulnerabilities
To test whether you can modify the enumerated isAdmin parameter value, add it to the PATCH request:
{
"username":
"wiener",
"email":
"wiener@example.com",
"isAdmin": false,
}
In addition, send a PATCH request with an
invalid isAdmin parameter value:
{
"username":
"wiener",
"email":
"wiener@example.com",
"isAdmin":
"foo",
}
If the application behaves differently, this
may suggest that the invalid value impacts the query logic, but the valid value
doesn't. This may indicate that the parameter can be successfully updated by
the user.
You can then send a PATCH request with the isAdmin
parameter value set to true, to try and exploit the vulnerability:
{
"username":
"wiener",
"email":
"wiener@example.com",
"isAdmin": true,
}
If the isAdmin value in the request is
bound to the user object without adequate validation and sanitization, the user
wiener
may be incorrectly granted admin privileges. To determine whether this
is the case, browse the application as wiener to see whether you can access
admin functionality.
Good luck stay safe
Comments
Post a Comment