Mass assignment is the practice of assigning values to multiple variables or object properties all at once.
Mass Assignment is an extremely common practice. A couple examples: multiplayer video games passing a lot of state data and storing it and in pretty much every enterprise application where there are a lot of customizable for fields that are getting stored in a database.
Mass Assignment vulnerabilities occur when a user is able to initialize or overwrite server-side variables or objects which are not intended by the application. This can be done by manually crafting a request to include additional parameters in a request, which could result in a malicious user adversely affecting application functionality. Essentially this is a really easy way for someone to wreck your database.
Mass assignment attacks first became popular to attack ruby frameworks however it is absolutely not limited to ruby. This type of vulnerability can have alternative names depending on the language/framework being used:
Mass Assignment - Ruby on Rails, Node.js
Auto binding - ASP NET MVC, Spring MVC
Object injection: PHP
Let's walk through an example
Assume we have an application where a user is going to sign up in the system. When a user is signed up the following parameters are set:
First Name
Last Name
Email
Password
Admin (true/false)
The code could look something like this:
class User < ActiveRecord: :Base
attr_accessor :email, :password, :admin, :first_name, :last_name
The user is signed up based on the parameters which are passed to the server from the front end. What this means it is common for the developer to only be checking or validating whether all the fields are being set when the user is created.
As a result if a malicious user was to assume or guess there was an admin field and if the admin field was se to true the this malicious user would have admin privileges within the application. This could be accomplished by sending a JSON request that looks something like this:
{
"email": "user@test.com",
"password": "myPassword*",
"admin": "true",
"first_name": "malicious",
"last_name": "user"
}
Clearly a significant security risk.
GitHub Example
GitHub was exploited by a mass assignment attack in 2012 by a user named Egor Homakov. Egor Homakov's hack caused widespread alarm among developers. According to GitHub, he exploited a vulnerability in the site's public key update form that gave administrator privileges, letting him commit a file to the Ruby on Rails project. All in all, logs showed Homakov compromised only three accounts. But there was potential for significantly worse damage.
"The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability" GitHub co-founder Tom Preston-Werner wrote in a blog post. "In parallel to the attack investigation we initiated a full audit of the GitHub codebase to ensure no other instances of this vulnerability were present".
The GitHub attack was instrumental in bringing mass assignment vulnerabilities to light.
Defending agains mass assignment attacks (in brief)
You should try to disable the automatic mapping of properties whenever possible; all properties should be mapped manually, and others should be ignored.
You should not rely on a blacklist to block the data that the user is not allowed to edit but instead you should rely on a whitelist that enable users to edit specified objects. Whitelisting denies access to resources and only the "owner" can allow access. Blacklisting allows access to all with the provision that only certain items are denied.
Rely on the functions of the framework when whitelisting instead of writing your own. These functions have been tested many times over so they are more likely to be safe than a custom-built solution.
If you have the resources, you should investigate the request and responses that reach the API and what properties they can have. Test if parameters the user cannot edit are actually read only by sending them a request and trying to edit them.
Conclusion
Utilizing mass assignment can make the work of developers easier but it potentially will also help malicious users to exploit vulnerabilities. Therefor, it is important to think critically about the function of every parameter within an application and make sure you understand what it means and what all the options are for that specific property and to utilize available security measures.
Latest comments (0)