Coders Conquer Security OWASP Top 10 API Series - Mass Assignment
Coders Conquer Security OWASP Top 10 API Series - Mass Assignment
![](https://cdn.prod.website-files.com/5fec9210c1841a6c20c6ce81/6022b68b30ab426193ae7876_601109cb6f32a39624f121ad_CCC-1.webp)
![](https://cdn.prod.website-files.com/5fec9210c1841a6c20c6ce81/6022b68b30ab426193ae7876_601109cb6f32a39624f121ad_CCC-1.webp)
The mass assignment vulnerability was born because many modern frameworks encourage developers to use functions that automatically bind input from clients into code variables and internal objects. This is done to simplify code and speed up operations.
Attackers can use this methodology to force changes to object properties that should never be updated by a client. Normally this results in business-specific problems, like a user adding admin privileges to themselves as opposed to bringing down a website or stealing corporate secrets. Attackers must also have some idea of the relationships between objects and the business logic of the application they are exploiting.
However, none of that makes the mass assignment vulnerability any less dangerous in the hands of a clever and malicious user.
Before we launch into the full guide, play our gamified challenge and see how you fare:
How can attackers exploit the mass assignment vulnerability?
The scenario put forward by OWASP (and modified slightly by us) assumes a ride-sharing application that includes different properties bound to objects in the code using mass assignment. These include permission-related properties that users can change and process-dependent properties that should only be set internally by the application. Both use mass assignment to bind properties to objects.
In this scenario, the ride-sharing application allows users to update their profiles, as is common in many user-facing applications. This is done using an API call sent to PUT, which returns the following JSON object:
{"user_name":"SneakySnake", "age":17, "is_admin":false}
Because the attacker, Mr. SneakySnake in this case, has figured out the relationship between the properties and the objects, he can resend his original request to update his profile with the following string:
{"user_name":"SneakySnake","age":24,, "is_admin":true}
As the endpoint is vulnerable to mass assignment, it accepts the new input as valid. Not only did our hacker add a few years to his profile, but he also assigned himself admin privileges.
Eliminating the mass assignment vulnerability
As convenient as it might be to use the mass assignment function in some frameworks, you should avoid doing that if you want to keep your APIs secure. Instead, parse request values rather than binding them directly to an object. You can also use a reduced data transfer object which would provide nearly the same convenience as binding directly to the object itself, only without the associated risk.
As an extra precaution, sensitive properties like admin privileges from the example above could be denied so that they will never be accepted by the server on an API call. An even better idea might be to deny every property by default and then allow specific, non-sensitive ones that you want users to be able to update or change. Doing any of those things can help to lock down APIs and eliminate the mass assignment vulnerability from your environment.
Check out the Secure Code Warrior blog pages for more insight about this vulnerability and how to protect your organization and customers from the ravages of other security flaws. You can also try a demo of the Secure Code Warrior training platform to keep all your cybersecurity skills honed and up-to-date.
Resources to get you started
Trust Agent by Secure Code Warrior
Discover SCW Trust Agent, an innovative solution designed to enhance security by aligning developer secure code knowledge and skills with the work they commit. It provides comprehensive visibility and controls across an organization's entire code repository, analyzing each commit against developers' secure code profiles. With SCW Trust Agent, organizations can strengthen their security posture, optimize development lifecycles, and scale developer-driven security.
Resources to get you started
Women in Security are Winning: How the AWSN is Setting Up a New Generation of Security Superwomen
Secure-by-Design is the latest initiative on everyone’s lips, and the Australian government, collaborating with CISA at the highest levels of global governance, is guiding a higher standard of software quality and security from vendors.
Women in Security are Winning: How the AWSN is Setting Up a New Generation of Security Superwomen
Secure-by-Design is the latest initiative on everyone’s lips, and the Australian government, collaborating with CISA at the highest levels of global governance, is guiding a higher standard of software quality and security from vendors.
SCW Trust Agent - Visibility and Control to Scale Developer Driven Security
SCW Trust Agent, introduced by Secure Code Warrior, offers security leaders the visibility and control needed to scale developer-driven security within organizations. By connecting to code repositories, it assesses code commit metadata, inspects developers, programming languages used, and shipment timestamps to determine developers' security knowledge.
Coders Conquer Security OWASP Top 10 API Series - Mass Assignment
![](https://cdn.prod.website-files.com/5fec9210c1841a6c20c6ce81/6022b68b30ab426193ae7876_601109cb6f32a39624f121ad_CCC-1.webp)
The mass assignment vulnerability was born because many modern frameworks encourage developers to use functions that automatically bind input from clients into code variables and internal objects. This is done to simplify code and speed up operations.
Attackers can use this methodology to force changes to object properties that should never be updated by a client. Normally this results in business-specific problems, like a user adding admin privileges to themselves as opposed to bringing down a website or stealing corporate secrets. Attackers must also have some idea of the relationships between objects and the business logic of the application they are exploiting.
However, none of that makes the mass assignment vulnerability any less dangerous in the hands of a clever and malicious user.
Before we launch into the full guide, play our gamified challenge and see how you fare:
How can attackers exploit the mass assignment vulnerability?
The scenario put forward by OWASP (and modified slightly by us) assumes a ride-sharing application that includes different properties bound to objects in the code using mass assignment. These include permission-related properties that users can change and process-dependent properties that should only be set internally by the application. Both use mass assignment to bind properties to objects.
In this scenario, the ride-sharing application allows users to update their profiles, as is common in many user-facing applications. This is done using an API call sent to PUT, which returns the following JSON object:
{"user_name":"SneakySnake", "age":17, "is_admin":false}
Because the attacker, Mr. SneakySnake in this case, has figured out the relationship between the properties and the objects, he can resend his original request to update his profile with the following string:
{"user_name":"SneakySnake","age":24,, "is_admin":true}
As the endpoint is vulnerable to mass assignment, it accepts the new input as valid. Not only did our hacker add a few years to his profile, but he also assigned himself admin privileges.
Eliminating the mass assignment vulnerability
As convenient as it might be to use the mass assignment function in some frameworks, you should avoid doing that if you want to keep your APIs secure. Instead, parse request values rather than binding them directly to an object. You can also use a reduced data transfer object which would provide nearly the same convenience as binding directly to the object itself, only without the associated risk.
As an extra precaution, sensitive properties like admin privileges from the example above could be denied so that they will never be accepted by the server on an API call. An even better idea might be to deny every property by default and then allow specific, non-sensitive ones that you want users to be able to update or change. Doing any of those things can help to lock down APIs and eliminate the mass assignment vulnerability from your environment.
Check out the Secure Code Warrior blog pages for more insight about this vulnerability and how to protect your organization and customers from the ravages of other security flaws. You can also try a demo of the Secure Code Warrior training platform to keep all your cybersecurity skills honed and up-to-date.
Resources to get you started
Women in Security are Winning: How the AWSN is Setting Up a New Generation of Security Superwomen
Secure-by-Design is the latest initiative on everyone’s lips, and the Australian government, collaborating with CISA at the highest levels of global governance, is guiding a higher standard of software quality and security from vendors.
SCW Trust Agent - Visibility and Control to Scale Developer Driven Security
SCW Trust Agent, introduced by Secure Code Warrior, offers security leaders the visibility and control needed to scale developer-driven security within organizations. By connecting to code repositories, it assesses code commit metadata, inspects developers, programming languages used, and shipment timestamps to determine developers' security knowledge.
Trust Agent by Secure Code Warrior
Discover SCW Trust Agent, an innovative solution designed to enhance security by aligning developer secure code knowledge and skills with the work they commit. It provides comprehensive visibility and controls across an organization's entire code repository, analyzing each commit against developers' secure code profiles. With SCW Trust Agent, organizations can strengthen their security posture, optimize development lifecycles, and scale developer-driven security.