Before we jump into mass assignment, let’s first understand how website user roles or privileges work. When a user registers to a website they will typically be given a role, this would be something like “standard” or “user”. However, the website may have been built with further functionality for higher privileged users such as “moderators” or “administrators”.
Mass assignment is when an attacker can alter the role or privileges that their user has thus granting greater access and privileges within the web application.
For mass assignment to occur there need to be three things present.
- There must be a request which accepts user input, this could be a user registration or a profile update.
- Users must be able to alter values which aren’t available by default.
- There must be an absence of security controls and validation.
Going back to our initial user registration example, let’s say we have a web application which allows users to register, this information is submitted as JSON and forwarded to an API for processing.
{
"username":"arcan3",
"password":"supersecure123"
}As we can see, when the API request is sent the username and password objects are passed. If a mass assignment vulnerability exists, an attacker could add objects such as “user_role” and set this to “Administrator”. Assuming this role exists and the application is made in such a way that it will update all the provided information then the user would be granted additional privileges.
{
"username":"arcan3",
"password":"supersecure123",
"user_role":"administrator"
}Protecting against mass assignment
Mass assignment can often be found using two methods, the first would be to review official API documentation and then test for any objects which may allow for further privileges which is why we would recommend that any API documentation which does not need to be accessible to the wider public be removed.
Additionally, mass assignment can be detected using fuzzing, the process in which a user sends a high number of requests with additional objects in the hope that one of these is valid and allows for further access. To prevent fuzzing web administrators can implement rate limiting, this is when a restriction is placed on how many requests can be made within a given period. If 5 requests have been made within 20 seconds then access to that feature would be halted for a minute making fuzzing impractical.
Ensuring that correct validation is in place for any user input and that only specified objects are handled and passed to the database would prevent mass assignment from ever occurring.
Article written by – arcan3
