AttackFlow Findings Dictionary


Mass Assignment

An attacker can make himself an administrator, or set any other property of his own account (or of any other bound object) that the application does not otherwise allow him to change.

Severity

Critical

Fix Cost

Medium

Trust Level

Low

MVC-style frameworks use auto-binding (model binding) to populate developer-defined class instances from user-supplied HTTP parameters. This is a great relief for developers, since reading every input through framework APIs such as System.Web.HttpRequest and sanity-checking it by hand quickly becomes cumbersome.

The snippet below relies on this technique: the framework takes that responsibility away from the developer and auto-populates the User instance. The binding is done by a simple mapping between HTTP parameter names and class property names, so every settable property of User is reachable from the request.

using System.Web.Mvc;

public class UserController : Controller
{
    // Assumed: the application's data context, not shown on the original page.
    private readonly AppDbContext db = new AppDbContext();

    // Vulnerable: the whole User entity is bound from the request, so any
    // property of User, IsAdmin included, can be set by the client.
    public string Register(User user)
    {
        // ...
        db.Users.Add(user);
        db.SaveChanges();
        return "Registered";
    }
}

public class User
{
    public string Username { get; set; }
    public string Firstname { get; set; }
    public string LastName { get; set; }
    // ...
    public bool IsAdmin { get; set; }
}

Here the attacker can register a new user with the administrator role simply by adding an extra HTTP parameter, IsAdmin=true, to the registration request. The framework populates the new User instance with IsAdmin set to true, and the entity is saved as-is to persistent storage. The next time the attacker logs in, he is an administrator of the application.

Note: persistent storage is not required for Mass Assignment to occur. Any critical, unwanted state change obtained by adding extra parameters and manipulating auto-binding is classified as Mass Assignment.


Java MVC frameworks such as Spring MVC use the same auto-binding when populating developer-defined class instances from user-sent HTTP parameters. This is a great relief for developers, since reading every input through framework APIs such as javax.servlet.http.HttpServletRequest and sanity-checking it by hand quickly becomes cumbersome.

The snippet below relies on this technique: the framework takes that responsibility away from the developer and auto-populates the User instance. The binder maps HTTP parameter names onto bean property names, reaching each property through its public setter.

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class UserController {

    // Vulnerable: Spring binds every request parameter that matches a
    // property of User, including isadmin.
    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public String register(User user) {
        // save user to DB
        return "success";
    }
}

// Bean bound by the controller above (the original page named it Person
// and referenced an Account type it never defined; both are omitted here).
public class User {

    private String name;
    private int age;
    private boolean isadmin;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    public int getAge() { return age; }
    public void setAge(int age) { this.age = age; }

    // The setter below is what the binder calls for a parameter named "isadmin".
    public boolean isIsadmin() { return isadmin; }
    public void setIsadmin(boolean isadmin) { this.isadmin = isadmin; }
}

Here the attacker can register a new user with the administrator role by adding an extra HTTP parameter, isadmin=true, to the registration request. Spring matches parameter names to bean property names, so the name that counts is the property isadmin reached through setIsadmin, not the field's spelling in any form. The framework populates the new User instance with isadmin set to true, and it is saved as-is. The next time the attacker logs in, he is an administrator of the application. As in the .NET case, persistent storage is not required: any critical, unwanted state change obtained by adding extra parameters and manipulating auto-binding is Mass Assignment.
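The following is an added, framework-neutral example that is not part of the original page, AttackFlow's product, or any MVC framework's code. It reproduces in plain Python what both the .NET and the Java snippets above do: a reflective binder that copies every matching request parameter onto the model (the vulnerable behaviour), next to an allow-list binder that only binds the fields the registration form is meant to set. The User model, the REGISTER_FIELDS allow-list and the attacker request body are all constructed for the demonstration.

```python
"""Added example: a framework-style reflective binder next to an allow-list binder.

Nothing here is AttackFlow's or any framework's code; the User model, the
allow-list and the request body are constructed for the demonstration.
"""
from dataclasses import dataclass, fields
from urllib.parse import parse_qs


@dataclass
class User:
    username: str = ""
    firstname: str = ""
    lastname: str = ""
    is_admin: bool = False  # privileged: must never be settable by the client


# Fields a registration form is allowed to set (assumed allow-list).
REGISTER_FIELDS = frozenset({"username", "firstname", "lastname"})

# Constructed attacker request body: the normal form fields plus is_admin=true.
ATTACK_BODY = "username=mallory&firstname=Mal&lastname=Ory&is_admin=true"


def _coerce(current, raw: str):
    """Convert a raw query-string value to the type of the field it overwrites."""
    if isinstance(current, bool):  # checked before int: bool is a subclass of int
        return raw.lower() in ("true", "1", "on")
    if isinstance(current, int):
        return int(raw)
    return raw


def bind_naive(model, params):
    """Vulnerable binding: every parameter whose name matches a model field
    is copied onto the model, which is what auto-binding does by default."""
    bindable = {f.name for f in fields(model)}
    for name, values in params.items():
        if name in bindable:
            setattr(model, name, _coerce(getattr(model, name), values[0]))
    return model


def bind_allowlist(model, params, allowed):
    """Hardened binding: only explicitly allowed fields are bound; every
    other parameter is left untouched and returned so the caller can log it."""
    bindable = {f.name for f in fields(model)} & set(allowed)
    rejected = []
    for name, values in params.items():
        if name in bindable:
            setattr(model, name, _coerce(getattr(model, name), values[0]))
        else:
            rejected.append(name)
    return model, rejected


def register_vulnerable(body):
    """Mirrors the vulnerable Register action: bind the whole entity."""
    return bind_naive(User(), parse_qs(body))


def register_hardened(body):
    """Register with an allow-list; returns (user, rejected_parameter_names)."""
    return bind_allowlist(User(), parse_qs(body), REGISTER_FIELDS)


if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(ATTACK_BODY))
    user, rejected = register_hardened(ATTACK_BODY)
    print("hardened:  ", user, "rejected:", rejected)
```

Run stand-alone, the vulnerable path yields a User with is_admin=True, while the hardened path keeps it False and reports is_admin as a rejected parameter, which is worth logging as a tampering attempt. The production equivalents of bind_allowlist are a dedicated view model or DTO that simply has no privileged fields, or the framework's own allow-list: in ASP.NET MVC, [Bind(Include = "Username,Firstname,LastName")] on the action parameter; in Spring MVC, binder.setAllowedFields(...) in an @InitBinder method. An exclude-list (Bind Exclude, setDisallowedFields) also works but silently breaks the moment a new privileged property is added to the entity, so prefer the include form.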
