With one click, you are the admin: Mass assignments and their threats to API data integrity.
You’ve probably heard of the OWASP top ten or the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API top ten. The current API top ten are Broken Object Level Authorization, Broken User Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function Level Authorization, Mass Assignment, Security Misconfiguration, Injection, Improper Assets Management, and Insufficient Logging & Monitoring.
The vulnerability we will talk about today is OWASP API #6, Mass Assignment. “Mass assignment” refers to the practice of assigning values to multiple variables or object properties all at once. But how could this feature cause security vulnerabilities? Let’s explore by taking a look at an example object.
Object properties
Application objects often have many properties that describe the object. For instance, let’s say a “user” object is used to store user information in your application. It contains properties that describe the user like the user’s ID, name, location, and so on.
{
"id": 12345,
"name": "Vickie",
"location": "San Francisco, CA",
"admin": false,
"group_membership": [121, 322, 457]
}
In this case, users should be able to modify some of these properties stored in their objects, like the location and name properties. But other parts of this user object should be restricted from the user, such as the “admin” property, which denotes whether the user is an admin, and the “group_membership” property, which records which user groups the user is a member of.
Mass assignment
Mass assignment vulnerabilities happen when the application automatically assigns user input to multiple program variables or objects. This is a feature in many application frameworks designed to simplify application development.
But this feature sometimes allows attackers to overwrite, modify, or create new program variables or object properties at will. For instance, let’s say the site allows users to change their names via a PUT request like this one. This request will update the name of the user 12345 from “Vickie” to “Vickie Li”.
PUT /api/v1.1/user/12345
{
"name": "Vickie Li"
}
Now, what if a malicious user submitted this request instead?
PUT /api/v1.1/user/12345
{
"name": "Vickie Li",
"admin": true
}
If the application uses mass assignment to automatically update the properties of the user object, this request would update the “admin” field of the object as well, and grant the user 12345 admin privileges. This is what a mass assignment vulnerability looks like.
Similarly, the malicious user might be able to add themselves to private user groups by assigning themselves to new groups using the endpoint.
PUT /api/v1.1/user/12345
{
"name": "Vickie Li",
"admin": true,
"group_membership": [1, 35, 121, 322, 457]
}
To prevent mass assignments, you can disable the mass assignment feature with the framework you are using, or use a whitelist to only allow assignment on certain properties or variables.
What other security concepts do you want to learn about? I’d love to know. Feel free to connect on Twitter @vickieli7.
Want to learn more about application security? Take our free OWASP top ten courses here: https://www.shiftleft.io/learn/.
Top comments (0)