What is a mass-assignment attack?


Mass assignment, sometimes also called an over-posting attack, is an attack on (web) applications in which an attacker can arbitrarily modify properties of an object. Applications that use model binding for request data are particularly susceptible. With model binding, the developer does not have to write code for each field that is entered in a form; this saves code. However, an attacker can abuse the same mechanism to change other fields of the database record or object.

How does mass assignment work?

Suppose an application has an object or table with the following fields:

name = "John"
isAdmin = False

The application has a form to change the name. When this is sent, the client sends the following request:

POST /profile HTTP/1.1
Host: example.com

field[name]=John

Now we modify the request to the following:

POST /profile HTTP/1.1
Host: example.com

field[isAdmin]=True

If the application is vulnerable, it will modify the isAdmin field instead of the name field.

In practice

Mass-assignment vulnerabilities are often difficult to find manually, because the attacker needs to know how the application's data model is structured. In the example above, the attacker only needs to know that the “isAdmin” property exists. Yet such vulnerabilities do occur, often with major consequences. A well-known example is the vulnerability in GitHub that allowed an attacker to take over arbitrary repositories via over-posting. The best way to detect such vulnerabilities is with a static code analyzer such as Fortify. In the case of Fortify, the tool reports a finding called “Mass assignment secure binder”.

How to prevent?

The solution is not immediately obvious, since each framework has its own implementation of binding. However, it is often possible to indicate which properties may and may not be modified. A more generic solution is to check which fields come in before binding, so that only the fields the form is expected to contain are bound. During a pentest we check for mass-assignment attacks. Wondering whether your application is vulnerable? Please contact us.
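As an added example (not code from the original article or any framework), the binder below shows the request from the example above handled in the naive way and in the allowlisted way the prevention section describes. The Profile class, the field[...] parameter syntax and the PROFILE_FORM_FIELDS allowlist are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Profile:
    """Constructed model mirroring the object in the article."""
    name: str = "John"
    isAdmin: bool = False


# Matches form keys of the shape field[<property>].
_FIELD_RE = re.compile(r"^field\[(\w+)\]$")


def parse_form(body: str) -> dict[str, str]:
    """Extract field[...] parameters from a URL-encoded body (e.g. field[name]=John)."""
    fields = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        match = _FIELD_RE.match(key)
        if match:
            fields[match.group(1)] = values[-1]
    return fields


def _coerce(current, raw: str):
    """Convert the submitted string to the type of the existing attribute."""
    if isinstance(current, bool):
        return raw.lower() in ("true", "1", "on")
    return raw


def bind_naive(profile: Profile, body: str) -> Profile:
    """Vulnerable binder: every submitted field that names an attribute is written,
    so field[isAdmin]=True flips the privilege flag."""
    for field, raw in parse_form(body).items():
        if hasattr(profile, field):
            setattr(profile, field, _coerce(getattr(profile, field), raw))
    return profile


# Allowlist of properties the profile form is permitted to change (assumption).
PROFILE_FORM_FIELDS = frozenset({"name"})


def bind_allowlisted(profile: Profile, body: str) -> Profile:
    """Hardened binder: fields are checked before binding; anything outside the
    allowlist is rejected instead of silently written."""
    fields = parse_form(body)
    unexpected = set(fields) - PROFILE_FORM_FIELDS
    if unexpected:
        raise ValueError(f"unexpected field(s) in request: {sorted(unexpected)}")
    for field in PROFILE_FORM_FIELDS & set(fields):
        setattr(profile, field, _coerce(getattr(profile, field), fields[field]))
    return profile
```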