Mass Assignment Cheat Sheet



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- Last revision (mm/dd/yy): //
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

= Introduction = "Modern frameworks allow developers to automatically bind HTTP request parameters from both request query and body into model objects for ease of development and increased productivity. If the binder is not correctly configured to control which HTTP request parameters are bound to which model attributes, an attacker may be able to abuse the model binding process and set any other attributes that should not be exposed to user control. This binding is possible even if the model attributes do not appear in the web forms or API contracts." - Mass Assignment: Sensitive Field Exposure

Example
Suppose there is a form for editing a user's account information:

  

Here is the object that the form is binding to:

public class User { private String userid; private String password; private String email; private boolean isAdmin; //Getters & Setters }

Here is the controller handling the request:

@RequestMapping(value = "/addUser, method = RequestMethod.POST)  public String submit(User user) {      userService.add(user);      return "successPage";   }

Here is the typical request:

POST /addUser userid=bobbytables&password=hashedpass&email=bobby@tables.com

And here is the exploit:

POST /addUser userid=bobbytables&password=hashedpass&email=bobby@tables.com&isAdmin=true

The attacker can exploit this if:
 * They can guess common sensitive fields
 * They have access to source code and review the models for sensitive fields

General Solutions

 * Whitelist the bindable, non-sensitive fields
 * Blacklist the non-bindable, sensitive fields
 * Use Data Transfer Objects (DTOs)

Alternative Names
Depending on the language/framework in question, this vulnerability can have several alternative names
 * Mass Assignment: Ruby on Rails, NodeJS
 * Autobinding: Spring MVC, ASP.NET MVC
 * Object injection: PHP

= Languages & Frameworks =

PHP Laravel
= Authors and Primary Editors =
 * [mailto:abashkin.anton@gmail.com Abashkin Anton]

= References and future reading =
 * Mass Assignment, Rails and You http://code.tutsplus.com/tutorials/mass-assignment-rails-and-you--net-31695

= Other Cheatsheets =


 * }