API Mass Assignment Vulnerability
Table of Contents
API Mass Assignment
Mass assignment vulnerabilites occur when a user is able to initialize or overwrite server-side variables for which are not intended by the application. By manually crafting a request to include additional parameters in a request, a malicious user may adversely affect application functionality.
Common root causes of mass assignment vulnerabilities may include the following:
-
Framework-level “autobinding” features. Spring and .NET MVC are two of many frameworks that allow HTTP parameters to be directly mapped to model objects. While this feature is useful to easily set server-side values, it does not prevent arbitrary parameters from being injected.
- https://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html
-
Parsing a request body as an object. Although copying an object is easier than selecting numerous individual values within that object, this practice should be avoided. When using data formats such as JSON, developers should only extract values that are intended to be modified by users.
Below shows a common example of this vulnerability in a user registration endpoint: POST /api/register HTTP/1.1
[..]
{“email”:”user1@example.com”}
HTTP/1.1 200 OK
[..]
{”userid”:”112345”,“email”:”user1@example.com”,”email_verified”:false}
A malicious user may want to bypass email verification for a number of reasons. To attack this endpoint, a value is inserted into the request body:
POST /api/register HTTP/1.1
[..]
{“email”:”user2@example.com”,”email_verified”:true}
HTTP/1.1 200 OK
[..]
{”userid”:”112346”,“email”:”user2@example.com”,”email_verified”:true}
Developers should also ensure that values do not include nested objects or arrays which may undermine application logic. Below shows another style of attack leveraging JSON arrays:
POST /api/register HTTP/1.1
[..]
{“email”:[”user3@example.com”,”user4@example.com”]}
HTTP/1.1 200 OK
[..]
{”userid”:”112347”,“email”:[”user3@example.com”,”user4@example.com”],”email_verified”:false}
In the above example an array is provided where a single string value was expected. This would likely have significant security implications for account access and associations.