Fortifying Web Applications: A Hands-On Analysis of Mass Assignment Vulnerabilities.

— Sam Jacob Dec, 2, 2023

Cybeer Security Blogs >> Secrets In Code >> Fortifying Web Applications
Mass Assignment Vulnerability
What is Mass Assignment?
What is the impact?
Uncovering the Dangers
Prevention and Mitigation.

Introduction:

APIs have become an integral part of many applications, with REST APIs being a popular choice for implementation. However, this popularity has led to security risks, with the OWASP API Top 10 identifying vulnerabilities commonly found in APIs, including mass assignment. 

In this blog, we will explore what mass assignment is, what causes this vulnerability, the impact of this issue, and an example.

What is mass assignment?

Modern frameworks allow developers convenient mass assignment functionality that lets developers directly take a “user-supplied key-value pair” input to the object database. This reduces the requirement of writing code for such custom key-value pairs and increases development efficiency, but at the cost of security risks if not implemented correctly. 

A mass assignment security vulnerability occurs when an application code allows user-provided data to be used to set properties on an object without validation or authorization checks. This can lead to unintended and potentially harmful changes to an object’s attributes. This can leave the application vulnerable to attack, as an attacker can inject malicious code into the application to gain access to sensitive data or perform other malicious activities. An attacker needs to guess the sensitive fields or the source code for the vulnerable application. This is how it typicall works:

Impact:

By exploiting mass assignment vulnerabilities, a malicious actor could create multiple security problems, including:

  1. Unauthorized Data Modification: Attackers can modify or update data within the application, potentially leading to unauthorized changes to user profiles, permissions, or other critical information. 
  2. Data theft: Attackers can gain access to confidential information stored in the database. Sensitive data may be exposed to unauthorized users if they manipulate the application to retrieve information they shouldn’t have access to. This can lead to privacy breaches and disclosure of confidential data.
  3. Data Loss: In some cases, attackers might use mass assignment vulnerabilities to delete or manipulate data, resulting in data loss or corruption.
  4. Elevation of privilege: Attackers can manipulate the properties of an object to gain additional privileges, such as administrator access.
  5. Bypass of security mechanisms: Attackers can manipulate the properties of an object to gain unauthorized access to sensitive resources.

Uncovering the Danger:

Seeing is believing…! Let’s take a look at an example to illustrate mass assignment vulnerabilities in action. In this exploitation scenario, we have an application that includes login and registration API functionality. This application includes APIs that enable users to be registered in the system.

Pre-requisites:

Install Postman, a popular API testing and development tool.

Install Burp Suite, a web vulnerability scanner and proxy tool.

Configure Postman and Burpsuite.

  1. As a first step, we register as a new user called ‘Shelby’ using this API: /users/v1/register by providing the username, password, and email address.

2. When exploring the application further, we were able to find this interesting API, users/v1/_debug, which displays all usernames, their passwords, and relevant roles without any authorization/authentication. This is a critical issue in itself 😊. Note:The user Shelby is not an administrator. 

  • Have you ever wondered or investigated what occurs when an additional parameter is added to the existing API?

3. Now lets attempt to register a new account called ‘Thomas’ but this time we will include an additional parameter ‘admin’ to ‘true’.  Since I learned that ‘admin’ is a valid parameter with boolean value,.

4. In the HTTP response, you can find that an admin account has been successfully created and the API has accepted this additional parameter, ‘admin:true’. You can see that the user-provided data is used by the application to set properties on an object without validation or authorization checks.

5. To verify, let’s go back to the users/v1/_debug api endpoint. We can see that we have registered as this new user, Thomas, with administrator permission.

Add Your Heading Text Here

So, we can finally bypass the restrictions and get access to the admin account permission by exploiting the mass assignment vulnerability.

Prevention & mitigation

How do I avoid this risk?

Here are some recommendations for addressing and mitigating mass assignment vulnerabilities:

  • Implement Access Control: Employ role-based access control (RBAC) to ensure that users only have access to the attributes they are authorized to modify. If possible, split admin APIs from client-facing APIs. This means that admin usage of APIs is separate from client-facing APIs.
  • Whitelist Attributes: Whitelist only the properties that should be updated by the client. Explicitly define a list of attributes that can be mass-assigned and validate incoming data to ensure it conforms to this whitelist. Use an allowlist of fields that can be assigned to. 
  • Validation: Restrict the assignment of user-supplied fields to only fields in the schema that are known safe ones; the values of security-sensitive fields will be prevented from tampering. Validate user-supplied data to ensure it meets expected format, data type, and constraints before applying it to an object. This helps protect against data manipulation.
  • Secure Data Models: Implement a secure data model design that separates sensitive attributes from publicly accessible ones.
  • Use ORM Features: If you’re using an Object-Relational Mapping (ORM) framework, leverage its built-in features for attribute protection and validation.
  • Custom Setters and Getters: Use custom setter and getter methods to control access to attributes and enforce security checks.
  • API Rate Limiting: Implement rate limiting to prevent brute force attacks that could exploit mass assignment vulnerabilities.
  • Security Testing: Regularly conduct security testing, including penetration testing and code reviews, to identify and address vulnerabilities.
  • SAST Scans: Running static application security testing (SAST) on your application code is an excellent way to catch these similar vulnerabilities before they make it to production.

Addressing mass assignment vulnerabilities is an ongoing process that involves a combination of coding practices, access control, security measures, and vigilance to protect your web application against potential threats.

Blog by- SecIQ Security Research Team