Mass Assignment
Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program variables or objects, to make the framework easier to use. This convenience can cause harm.
Attackers can sometimes abuse this binding by supplying extra request parameters the developer never intended, which in turn create or overwrite variables or object fields in program code that were never meant to be set from the request.
This functionality becomes exploitable when:
- the attacker can guess common sensitive field names, or
- the attacker has access to the source code and can review the models for sensitive fields,
- AND the object with the sensitive fields has an empty constructor.
Example
Suppose there is a form for editing a user's account information:
Here is the object that the form is binding to:
Here is the controller handling the request:
Here is the typical request:
And here is the exploit, in which we set the value of the isAdmin attribute on the User instance:
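The binding behaviour described above, as an added example that is not part of this cheat sheet: a hand-rolled binder that copies every matching request parameter onto the model (the mass-assignment flaw) next to an allowlist binder that accepts only the fields the form is meant to edit. The User class, its field names and the request parameters are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    userid: str = ""
    password: str = ""
    email: str = ""
    is_admin: bool = False  # sensitive field that must never come from the request


# Constructed request body, as a framework would parse it into a dict.
# A legitimate edit-profile form sends only userid, password and email;
# the last key is the extra parameter an attacker appends.
REQUEST_PARAMS = {
    "userid": "bobbytables",
    "password": "hashedpass",
    "email": "bobby@tables.com",
    "is_admin": "true",
}

# Fields the edit-profile form is allowed to change (assumed policy).
EDITABLE_FIELDS = frozenset({"userid", "password", "email"})


def _coerce(current, raw: str):
    """Mimic framework type conversion: booleans from "true"/"false", else str."""
    if isinstance(current, bool):
        return raw.lower() == "true"
    return raw


def bind_all(user: User, params: dict) -> User:
    """Vulnerable binder: any parameter whose name matches an attribute on the
    model is copied onto the object, so is_admin=true lands on the User."""
    for name, raw in params.items():
        if hasattr(user, name):
            setattr(user, name, _coerce(getattr(user, name), raw))
    return user


def bind_allowlisted(user: User, params: dict) -> User:
    """Hardened binder: only allowlisted fields are bound, and any unexpected
    parameter rejects the request so the attempt is visible instead of
    silently dropped."""
    unexpected = set(params) - EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected parameters: {sorted(unexpected)}")
    for name in EDITABLE_FIELDS & set(params):
        setattr(user, name, _coerce(getattr(user, name), params[name]))
    return user
```

Logging the ValueError from the allowlist binder gives a cheap detection signal for probing of sensitive field names.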