Mass Assignment Insecure Binder Configuration Fortify Restaurant

Posted on by Turr


Last revision (mm/dd/yy): 12/21/2016

Introduction

Definition

Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program variables or objects, to make using the framework easier. This can cause harm: an attacker can use the same mechanism to supply parameters the developer never intended, which in turn creates or overwrites variables or object fields in program code that were never meant to be set from the request. This is called a mass assignment vulnerability.

Alternative Names

Depending on the language/framework in question, this vulnerability has several alternative names:

  • Mass Assignment: Ruby on Rails, NodeJS
  • Autobinding: Spring MVC, ASP.NET MVC
  • Object injection: PHP

Example

Suppose there is a form for editing a user's account information:

    <form>
      <input name=userid type=text>
      <input name=password type=text>
      <input name=email type=text>
      <input type=submit>
    </form>

Here is the object that the form is binding to:

    public class User {
        private String userid;
        private String password;
        private String email;
        private boolean isAdmin;
        // Getters & Setters
    }

Here is the controller handling the request:

    @RequestMapping(value = "/addUser", method = RequestMethod.POST)
    public String submit(User user) {
        userService.add(user);
        return "successPage";
    }

Here is the typical request:

    POST /addUser

    userid=bobbytables&password=hashedpass&email=bobby@tables.com

And here is the exploit:

    POST /addUser

    userid=bobbytables&password=hashedpass&email=bobby@tables.com&isAdmin=true

Exploitability

This functionality becomes exploitable when:

  • the attacker can guess common sensitive field names (e.g. isAdmin), or
  • the attacker has access to the source code and can review the models for sensitive fields,
  • AND the object with sensitive fields has an empty (no-argument) constructor, so the framework can instantiate it and populate its fields from the request.

Case Studies

GitHub

In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories (see GitHub's blog post on the incident).

Solutions

  • Whitelist the bindable, non-sensitive fields
  • Blacklist the non-bindable, sensitive fields
  • Use Data Transfer Objects (DTOs)

General Solutions

Data Transfer Objects (DTOs)

An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO; the domain object is then populated from the DTO explicitly, so a field such as isAdmin can never arrive from the request.
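The following is an added example, not code from the cheat sheet: a minimal model of the auto-binding shown in the Example section, run against the page's tampered request, beside the whitelist, blacklist and DTO fixes from the Solutions list. The field names follow the page; the request body is constructed from the page's exploit request.

```javascript
// Added example (not from the cheat sheet): how an auto-binder turns a
// form body into object properties, and how each fix blocks isAdmin.

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Vulnerable binder: every parameter the client sends becomes a property,
// just like a framework binding the request straight onto the domain object.
function bindAll(target, params) {
  for (const [k, v] of Object.entries(params)) {
    // Coerce "true"/"false" the way a binder converts boolean fields.
    target[k] = typeof target[k] === 'boolean' ? v === 'true' : v;
  }
  return target;
}

// Whitelist: only the listed fields may be bound (cf. setAllowedFields).
function bindAllowed(target, params, allowed) {
  const kept = Object.entries(params).filter(([k]) => allowed.includes(k));
  return bindAll(target, Object.fromEntries(kept));
}

// Blacklist: the listed fields are never bound (cf. setDisallowedFields).
function bindDisallowed(target, params, disallowed) {
  const kept = Object.entries(params).filter(([k]) => !disallowed.includes(k));
  return bindAll(target, Object.fromEntries(kept));
}

// DTO: the request fills a separate object with only editable fields; the
// domain object is then built from it explicitly, so isAdmin stays false.
function newUserFromDto(params) {
  const dto = bindAll({ userid: '', password: '', email: '' }, params);
  return { userid: dto.userid, password: dto.password,
           email: dto.email, isAdmin: false };
}

// A fresh domain object with the page's fields and a safe default.
function newUser() {
  return { userid: '', password: '', email: '', isAdmin: false };
}

// Constructed request body: the page's exploit request.
const TAMPERED =
  'userid=bobbytables&password=hashedpass&email=bobby@tables.com&isAdmin=true';

console.log(bindAll(newUser(), parseForm(TAMPERED)).isAdmin);      // true
console.log(newUserFromDto(parseForm(TAMPERED)).isAdmin);          // false
```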

    public class UserRegistrationFormDTO {
        private String userid;
        private String password;
        private String email;
        // NOTE: isAdmin field is not present
        // Getters & Setters
    }

Language & Framework Specific Solutions

Spring MVC

Whitelisting

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.InitBinder;
    import org.springframework.web.context.request.WebRequest;

    @Controller
    public class UserController {

        @InitBinder
        public void initBinder(WebDataBinder binder, WebRequest request) {
            // Only these request parameters are bound; any other parameter
            // (such as isAdmin) is ignored by the binder.
            binder.setAllowedFields("userid", "password", "email");
        }
        ...
    }


Blacklisting

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.InitBinder;
    import org.springframework.web.context.request.WebRequest;

    @Controller
    public class UserController {

        @InitBinder
        public void initBinder(WebDataBinder binder, WebRequest request) {
            // isAdmin is never bound from the request, even if it is present.
            binder.setDisallowedFields("isAdmin");
        }
        ...
    }


NodeJS + Mongoose

Whitelisting

    var mongoose = require('mongoose');
    var _ = require('underscore');

    var UserSchema = new mongoose.Schema({
        userid   : String,
        password : String,
        email    : String,
        isAdmin  : Boolean
    });

    // Static list of the fields a client is allowed to set on creation.
    UserSchema.statics.userCreateSafeFields = ['userid', 'password', 'email'];

    var User = mongoose.model('User', UserSchema);

    // req.body is the parsed request body (e.g. from Express + body-parser).
    // _.pick copies only the whitelisted keys, so isAdmin is dropped.
    var user = new User(_.pick(req.body, User.userCreateSafeFields));


Blacklisting

    var mongoose = require('mongoose');
    var massAssign = require('mongoose-mass-assign');

    var UserSchema = new mongoose.Schema({
        userid   : String,
        password : String,
        email    : String,
        // protect: true marks the field as non-assignable from user input
        isAdmin  : { type: Boolean, protect: true, default: false }
    });

    UserSchema.plugin(massAssign);

    var User = mongoose.model('User', UserSchema);

    /** Static method, useful for creation **/
    var user = User.massAssign(req.body);

    /** Instance method, useful for updating **/
    var user = new User();
    user.massAssign(req.body);

    /** Static massUpdate method: protected fields are stripped from the update **/
    var input = { userid: 'bhelx', isAdmin: 'true' };
    User.update({ '_id': someId }, { $set: User.massUpdate(input) }, console.log);


Ruby On Rails


Django


ASP.NET


PHP Laravel + Eloquent

Whitelisting

    <?php

    namespace App;

    use Illuminate\Database\Eloquent\Model;

    class User extends Model
    {
        // Eloquent attributes (userid, password, email, isAdmin) are loaded
        // from the table columns, not declared as class properties.

        // Only these attributes may be mass assigned via create()/fill().
        protected $fillable = ['userid', 'password', 'email'];
    }


Blacklisting

    <?php

    namespace App;

    use Illuminate\Database\Eloquent\Model;

    class User extends Model
    {
        // Eloquent attributes (userid, password, email, isAdmin) are loaded
        // from the table columns, not declared as class properties.

        // isAdmin is never mass assigned; all other attributes are.
        protected $guarded = ['isAdmin'];
    }


Grails


Play


Jackson (JSON Object Mapper)


GSON (JSON Object Mapper)


JSON-Lib (JSON Object Mapper)


Flexjson (JSON Object Mapper)

