Mass Assignment Cheat Sheet
Introduction
Definition
Software frameworks sometimes let developers automatically bind HTTP request parameters to program variables or objects, so that the framework is easier to use. That convenience can cause harm.
An attacker can use the same mechanism to supply parameters the developer never intended, which create or overwrite variables or object fields that were never meant to be user-controlled.
This is called a Mass Assignment vulnerability.
Alternative Names
Depending on the language or framework in question, this vulnerability goes by several names:
- Mass Assignment: Ruby on Rails, NodeJS.
- Autobinding: Spring MVC, ASP.NET MVC.
- Object injection: PHP.
Example
Suppose there is a form for editing a user's account information: a user id, a password and an email address.
The form binds to a User object that holds those three fields and, in addition, an isAdmin flag that is not on the form.
The controller handling the request binds every request parameter onto a new User instance and passes it to a service that adds the user to the system.
A typical request carries only the three form fields: the user id, the password and the email address.
The exploit is the same request with one extra parameter, isAdmin=true: the binder finds a matching attribute on User and sets the instance's isAdmin to true, even though no form field ever exposed it.
Exploitability
This functionality becomes exploitable when:
- the attacker can guess the names of common sensitive fields (isAdmin, role and the like), or
- the attacker has access to the source code and can review the models for sensitive fields,
- AND the binder can instantiate the object that carries the sensitive fields, which for reflection-based binders means it has an empty (no-argument) constructor.
GitHub case study
In 2012 GitHub was compromised through mass assignment: a user was able to attach his public key to any organization and, with it, push changes to that organization's repositories. See GitHub's blog post on the incident.
Solutions
- Allow-list the bindable, non-sensitive fields.
- Block-list the non-bindable, sensitive fields.
- Use Data Transfer Objects (DTOs).
General Solutions
The architectural approach is to bind input to Data Transfer Objects rather than directly to domain objects. A DTO contains only the fields the user is meant to edit; the application then copies those fields onto the domain object explicitly, so a field that is not on the DTO (such as isAdmin) can never be set from a request. Of the two list-based options, prefer the allow-list: a block-list has to be updated every time a sensitive field is added to the model, and any field that is forgotten stays bindable.
Language & Framework specific solutions
Framework-specific examples exist for the following; the binding options that implement allow-listing or block-listing are described in each framework's own data-binding documentation:
- Spring MVC (allow-listing and block-listing of bindable fields)
- NodeJS + Mongoose
- Ruby on Rails
- Django
- ASP.NET
- PHP Laravel + Eloquent
- Grails
- Play
- Jackson (JSON Object Mapper)
- GSON (JSON Object Mapper)
- JSON-Lib (JSON Object Mapper)
- Flexjson (JSON Object Mapper)
References and further reading
- Mass Assignment, Rails and You
Mass Assignment Vulnerability: How It Works & 6 Defensive Measures
What Is a Mass Assignment Vulnerability?
Mass assignment vulnerabilities occur when an application automatically assigns user input to model properties without proper filtering or validation. This allows attackers to modify object properties they shouldn't be able to access, such as changing a user's permissions, email, or password.
These vulnerabilities often occur in applications that use frameworks allowing mass assignment from request parameters. Without strict controls, attackers can supply unexpected parameters through common methods like POST requests, leading to unauthorized changes in the application's data.
The Impact of a Mass Assignment Vulnerability
The impact can be severe, depending on the data an attacker can modify. It might lead to privilege escalation, data leakage, or full account takeover. This could result in significant financial losses, legal penalties, or damage to an organization's reputation.
By exploiting mass assignment vulnerabilities, attackers can bypass usual access controls, altering critical system settings or user data without detection. The scale of the attack often hinges on the application's data sensitivity and what the altered parameters control.
Tzvika Shneider is a 20-year software security industry leader with a robust background in product and software management.
Tips from the expert
- Use allowlists for properties : Explicitly define the properties that can be modified through API requests, reducing the risk of unauthorized fields being altered.
- Implement server-side checks : Ensure the server validates the data before processing, rejecting any unexpected fields in incoming requests.
- Restrict JSON deserialization : Restrict JSON deserialization to predefined models, preventing attackers from injecting malicious or unintended properties.
- Employ input sanitization : Sanitize all input to strip out properties that are not explicitly allowed or that exceed defined data constraints.
- Audit API endpoints : Regularly audit API endpoints for potential mass assignment vulnerabilities, especially after introducing new features or making changes to data models.
How Mass Assignment Vulnerabilities Work
Mass assignment vulnerabilities exploit how frameworks handle user input. When an application doesn’t differentiate between which parameters should and shouldn’t be modified directly by a user, it opens up a vector for attack. Once such a weak point is identified, the attacker crafts malicious HTTP requests that include parameters targeting these unprotected attributes.
For example, consider a scenario where an application uses an object to store user profile information. The attacker can send a POST request with additional, unanticipated parameters such as role=admin or status=disabled. If these parameters are not explicitly filtered out or validated against an allowlist, the application's backend logic might accept these as legitimate and alter the user object’s properties accordingly.
Thus, attackers can gain elevated privileges or disrupt services by manipulating key object attributes through seemingly innocuous user input. These attacks are made possible by the common practice of binding form or API input directly to data models. Without rigorous checks and balances, such as field-level validation, attackers can easily insert unauthorized data into these models.
This is particularly dangerous when combined with other vulnerabilities or weak points within the application, such as insecure direct object references or insufficient logging and monitoring, which can mask or facilitate unauthorized access and modifications.
Example of a Mass Assignment Attack
This example follows the one in the OWASP cheat sheet above. A basic web application lets users edit their account information through a simple HTML form that captures a user id, a password and an email address. On submission the form posts to a backend controller, which binds the request parameters onto a User object.
The User object that receives the form data has four fields: the three from the form plus an isAdmin flag, which the form never sends.
The controller is mapped to /addUser and handles POST requests; on each submission it binds the request parameters onto a new User and calls a service method to add that user to the system.
A legitimate request to the endpoint carries only the three form fields: userid, password and email.
Exploiting the vulnerability means supplying a parameter the form never had. By appending &isAdmin=true to the request, an attacker makes the binder set the isAdmin property of the User object, and the newly created account has administrative privileges.
This shows the risk of indiscriminately binding user input to model attributes when sensitive properties like isAdmin exist on the model. Without filtering or validation of the incoming field names, the integrity of the application is compromised.
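The code for this scenario (the form, the User object, the /addUser controller and the two requests) is referred to both in the OWASP cheat sheet's Example section above and in the passage just read, but is not reproduced on this page. The following is an added example, not code from OWASP or from the Pynt article: it models a reflection-style binder in plain JavaScript and runs the legitimate request and the isAdmin=true exploit through it. The User class, the autoBind and addUserVulnerable functions and the request bodies are this example's own names and constructed data; the JSON-body variant goes slightly beyond the form-encoded case in the text to show that the bug is about binding, not about the content type.

```javascript
'use strict';
// Added example, not code from the OWASP cheat sheet or the Pynt article.
// It models a reflection-based binder (the kind Spring MVC, Rails and
// others provide) in plain JavaScript so the attack can be run offline.
// User, autoBind, addUserVulnerable and the sample requests are this
// example's own names and constructed data.

// Domain object. The edit form exposes userid, password and email;
// isAdmin is meant to be set only by an administrator.
class User {
  constructor() {
    this.userid = '';
    this.password = '';
    this.email = '';
    this.isAdmin = false;
  }
}

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  const params = {};
  for (const [name, value] of new URLSearchParams(body)) params[name] = value;
  return params;
}

// The vulnerable behaviour: every request parameter whose name matches a
// property of the target object is copied onto it, with the raw string
// converted to the property's current type. Nothing distinguishes the
// three form fields from isAdmin.
function autoBind(target, params) {
  for (const [name, raw] of Object.entries(params)) {
    if (!Object.prototype.hasOwnProperty.call(target, name)) continue; // unknown names are ignored
    const current = target[name];
    if (typeof current === 'boolean') {
      target[name] = String(raw).toLowerCase() === 'true';
    } else if (typeof current === 'number') {
      target[name] = Number(raw);
    } else {
      target[name] = String(raw);
    }
  }
  return target;
}

// Vulnerable controller for POST /addUser: binds the whole request body
// (form-encoded string or already-parsed JSON) onto a fresh User.
function addUserVulnerable(body) {
  const params = typeof body === 'string' ? parseForm(body) : body;
  return autoBind(new User(), params);
}

// Constructed requests. The legitimate one is what the form sends; the
// malicious one is the same request with a parameter the form never had.
const legitimateRequest = 'userid=alice&password=s3cret&email=alice%40example.com';
const maliciousRequest = legitimateRequest + '&isAdmin=true';
// The same attack through a JSON API body instead of a form.
const maliciousJsonBody = { userid: 'alice', password: 's3cret', email: 'alice@example.com', isAdmin: true };

// Runs the three requests through the vulnerable controller and reports
// the resulting isAdmin flag for each.
function demo() {
  return {
    legitimate: addUserVulnerable(legitimateRequest).isAdmin, // false
    formExploit: addUserVulnerable(maliciousRequest).isAdmin,  // true
    jsonExploit: addUserVulnerable(maliciousJsonBody).isAdmin, // true
  };
}

console.log(demo());
```

The point to notice in autoBind is that the only check it makes is "does the target have a property with this name"; that is exactly what makes the attacker's guess of a field name sufficient, and why the Exploitability section above lists guessable field names and readable model source as the two preconditions.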
6 Ways to Mitigate the Security Risks of Mass Assignment
Here are some of the measures that can be used to prevent mass assignment attacks.
1. Allowlist Allowed Attributes
Define which attributes can be safely exposed to mass assignment. Using an allowlist approach ensures only specified attributes can be updated through user input.
This method requires explicitly listing allowed parameters, making unintended data modifications less likely. Regularly review and update the allowlist to accommodate changes in the application’s functionality.
2. Sanitize and Validate Input
Validation ensures that the data meets specific criteria; sanitization strips or normalizes data before it is processed. For mass assignment the check that matters is on field names, not only on values: a request should contain only the fields the endpoint expects, and anything else should be rejected (or at the very least dropped and logged) rather than bound.
Stripping executable code or SQL fragments out of values is an injection defence and does not address mass assignment. The validation that does reduce the risk is type and format checking of the allowed fields (a boolean is a boolean, an id is numeric, an email is well-formed) combined with outright rejection of any unknown field.
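One way to implement the allow-list, block-list and DTO options from the OWASP Solutions section above together with the allowlist and strict-validation measures in this list, as an added example rather than code from either source. The names EDITABLE_FIELDS, bindAllowList, bindBlockList, UserEditDto, validateStrict and addUserWithDto are this example's own, and the request body is constructed. The strict variant rejects unknown fields instead of dropping them, which is the behaviour to prefer on an API: a dropped field is invisible, a rejected one is an error you can log.

```javascript
'use strict';
// Added example, not code from the OWASP cheat sheet or the Pynt article.
// Plain-JavaScript versions of the three defences: an allow-list of
// bindable fields, a block-list of sensitive fields, and a DTO with strict
// validation that rejects unknown fields. EDITABLE_FIELDS, bindAllowList,
// bindBlockList, UserEditDto, validateStrict and addUserWithDto are this
// example's own names; the request body is constructed.

class User {
  constructor() {
    this.userid = '';
    this.password = '';
    this.email = '';
    this.isAdmin = false; // never bindable from a request
  }
}

function parseForm(body) {
  const params = {};
  for (const [name, value] of new URLSearchParams(body)) params[name] = value;
  return params;
}

// 1. Allow-list: only the named fields are copied; anything else in the
// request, isAdmin included, is dropped.
const EDITABLE_FIELDS = ['userid', 'password', 'email'];

function bindAllowList(target, params, allowed = EDITABLE_FIELDS) {
  for (const name of allowed) {
    if (Object.prototype.hasOwnProperty.call(params, name)) target[name] = String(params[name]);
  }
  return target;
}

// 2. Block-list: every matching field binds except the listed sensitive
// ones. Weaker than the allow-list: a sensitive field added to User later
// is bindable until someone remembers to add it here.
const SENSITIVE_FIELDS = new Set(['isAdmin']);

function bindBlockList(target, params) {
  for (const [name, raw] of Object.entries(params)) {
    if (SENSITIVE_FIELDS.has(name)) continue;
    if (Object.prototype.hasOwnProperty.call(target, name)) target[name] = String(raw);
  }
  return target;
}

// 3. DTO plus strict validation: the request binds to an object that has
// no isAdmin property at all, unknown fields are rejected rather than
// dropped (so probes surface as errors), and allowed values are checked.
class UserEditDto {
  constructor() {
    this.userid = '';
    this.password = '';
    this.email = '';
  }
}

function validateStrict(params, allowed) {
  const unexpected = Object.keys(params).filter((k) => !allowed.includes(k));
  if (unexpected.length > 0) throw new Error('unexpected field(s): ' + unexpected.join(', '));
  for (const name of allowed) {
    if (typeof params[name] !== 'string' || params[name].length === 0) {
      throw new Error('missing or non-string field: ' + name);
    }
  }
  if (!/^[^@\s]+@[^@\s]+$/.test(params.email)) throw new Error('malformed email');
  return true;
}

// Hardened controller for POST /addUser: validate, bind to the DTO, then
// map the DTO onto the domain object field by field. isAdmin keeps its
// constructor default no matter what the request contained.
function addUserWithDto(body) {
  const params = typeof body === 'string' ? parseForm(body) : body;
  const allowed = Object.keys(new UserEditDto());
  validateStrict(params, allowed);
  const dto = bindAllowList(new UserEditDto(), params, allowed);
  const user = new User();
  user.userid = dto.userid;
  user.password = dto.password; // hash before persisting in real code
  user.email = dto.email;
  return user;
}

// The attack request from the example above, run against all three.
const attack = parseForm('userid=alice&password=s3cret&email=alice%40example.com&isAdmin=true');
console.log('allow-list isAdmin:', bindAllowList(new User(), attack).isAdmin); // false
console.log('block-list isAdmin:', bindBlockList(new User(), attack).isAdmin); // false
try {
  addUserWithDto(attack);
} catch (e) {
  console.log('strict DTO:', e.message); // unexpected field(s): isAdmin
}
```

The allow-list and the DTO fail safe by construction: a new sensitive column on User is not bindable until someone deliberately adds it to the editable set. The block-list fails open, which is why it is listed as the weaker option; it is still useful as a second line of defence behind an allow-list, for instance on a mapper that cannot be configured per endpoint.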
3. Keep Dependencies Up-to-Date
Applications rely on frameworks and libraries for the binding itself, and those have shipped insecure defaults and bugs in this area; Ruby on Rails, for instance, moved the allow-list (strong parameters) into the framework default only after the 2012 GitHub incident described above. Regularly update these dependencies so that known binding vulnerabilities and weak defaults are patched.
Subscribe to security bulletins from dependency providers to stay informed about relevant updates. Automated tools can identify outdated dependencies in a project and simplify the update process.
4. Employ Strong Authentication and Authorization
Authentication establishes who the caller is; authorization checks whether that caller may perform the requested action. For mass assignment the authorization check has to be finer than "may this user call /addUser": it must cover the specific fields being changed, so that a request from a regular user that tries to set isAdmin or role is refused even when the binder would have accepted it.
Authorization checks should occur before every write, not only at the entry point of the endpoint. That way a mass assignment bug in the binding layer is still caught by the access-control layer before unauthorized data reaches storage.
5. Use Role-Based Access Control (RBAC)
RBAC ensures users can only interact with data and actions appropriate for their role. This helps mitigate risks by limiting what authenticated users can modify, even if a mass assignment vulnerability exists.
RBAC requires defining roles and permissions carefully, ensuring they align with the principle of least privilege. This means users get only the access necessary for their role, reducing the potential impact of a mass assignment vulnerability.
6. Monitor and Log Activities
Monitoring and logging access and modification of sensitive data help detect unauthorized attempts to exploit mass assignment vulnerabilities. Automated alerts can notify administrators of suspicious activities, enabling rapid response to potential breaches.
Logs should capture sufficient detail to understand the nature of each attempt, including who made the request and what was attempted. Regular analysis of logs can also help identify patterns indicating unaddressed vulnerabilities.
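Added example, not Pynt's or OWASP's code: a small detector that runs over request logs, compares each request's parameter names with the allow-list of the endpoint it hit, and raises the severity when a stray name looks like a privilege or state field. The log format, the sample lines, ENDPOINT_ALLOW_LIST, SENSITIVE_NAME and the highSeverityCountByClient helper are all assumptions of this example; the only real requirement on the logger is that it records parameter names per request (values of secrets masked).

```javascript
'use strict';
// Added example, not code from Pynt or OWASP: detection logic over request
// logs that flags parameters an endpoint never declared. The log format,
// the per-endpoint allow-list, the sensitive-name pattern and the sample
// lines are all constructed for this example.

// What each endpoint legitimately accepts. This is the same allow-list the
// binder should enforce, reused here for detection.
const ENDPOINT_ALLOW_LIST = {
  'POST /addUser': ['userid', 'password', 'email'],
  'POST /editProfile': ['email', 'displayName'],
};

// Field names whose unexpected appearance looks like a deliberate probe
// for a privilege or state field rather than a client-side typo.
const SENSITIVE_NAME = /^(is_?admin|admin|roles?|status|verified|balance|permissions?)$/i;

// Constructed log lines in an assumed format:
// <timestamp> <client-ip> <user> <METHOD> <path> params=<urlencoded body>
// (the logger is assumed to mask secret values, hence password=***).
const SAMPLE_LOG = [
  '2024-05-01T10:00:01Z 203.0.113.7 alice POST /addUser params=userid=alice&password=***&email=alice%40example.com',
  '2024-05-01T10:00:09Z 203.0.113.7 alice POST /editProfile params=email=alice%40example.com&isAdmin=true',
  '2024-05-01T10:00:12Z 198.51.100.4 bob POST /editProfile params=displayName=Bob&emial=bob%40example.com',
  '2024-05-01T10:00:20Z 203.0.113.7 alice POST /addUser params=userid=x&password=***&email=x%40example.com&role=admin',
  '2024-05-01T10:00:25Z 198.51.100.4 bob GET /profile params=',
].join('\n');

const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\S+) params=(.*)$/;

// Parse one line into its fields; only parameter names are kept.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ts: m[1],
    client: m[2],
    user: m[3],
    endpoint: `${m[4]} ${m[5]}`,
    params: [...new URLSearchParams(m[6]).keys()],
  };
}

// One alert per request that carried fields outside its endpoint's
// allow-list; severity is raised when any of them matches SENSITIVE_NAME.
function detectUnexpectedFields(logText) {
  const alerts = [];
  for (const line of logText.split('\n')) {
    const req = parseLine(line);
    if (!req) continue;
    const allowed = ENDPOINT_ALLOW_LIST[req.endpoint];
    if (!allowed) continue; // endpoint not covered by this rule
    const unexpected = req.params.filter((p) => !allowed.includes(p));
    if (unexpected.length === 0) continue;
    const severity = unexpected.some((p) => SENSITIVE_NAME.test(p)) ? 'high' : 'low';
    alerts.push({ ts: req.ts, client: req.client, user: req.user, endpoint: req.endpoint, unexpected, severity });
  }
  return alerts;
}

// Repeated high-severity hits from one client are a much stronger signal
// than a single one; an alert threshold would key on this count.
function highSeverityCountByClient(alerts) {
  const counts = {};
  for (const a of alerts) {
    if (a.severity !== 'high') continue;
    counts[a.client] = (counts[a.client] || 0) + 1;
  }
  return counts;
}

const alerts = detectUnexpectedFields(SAMPLE_LOG);
console.log(alerts);
console.log(highSeverityCountByClient(alerts));
```

Over the sample, the misspelled emial from bob is a low-severity alert (a client bug, worth knowing about but not paging anyone), while the two requests from 203.0.113.7 carrying isAdmin and role are high severity and come from the same client, which is the pattern of someone probing for bindable fields. If the application rejects unknown fields as recommended above, the same detection can be driven from the resulting 4xx responses instead of from raw parameter logs.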