Yesterday I solved Dreampring, a web challenge on Dreamhack. The application was built with Spring Boot, which is used just about everywhere. The keyword for this challenge is the Mass Assignment vulnerability, so today I'm going to talk about it.
What is a Mass Assignment vulnerability?
Software frameworks often let developers bind HTTP request parameters to program variables or objects automatically. That convenience cuts both ways: the binder writes every parameter whose name it can match, so an attacker who adds parameters the form never sent can overwrite object fields the developer never meant to be user-controlled.
In Spring MVC this feature is called Auto-Binding, and the same weakness goes by different names depending on the framework:
- Mass Assignment: Ruby on Rails, NodeJS
- Auto-Binding: Spring MVC, ASP.NET MVC
- Object injection: PHP
Example
I will explain it using Spring MVC. Suppose there is a form for registering a user account.
<form action="/register" method="POST">
<input name="username" type="text">
<input name="password" type="password">
<input name="email" type="text">
<input type="submit">
</form>
And here is the model the form is bound to:
public class UserModel {
private String username;
private String password;
private String email;
private boolean isAdmin;
//Getters & Setters
}
And here is the controller that handles the HTTP request:
...
@RequestMapping(value = "/register", method = RequestMethod.POST)
public String submit(UserModel user) {
userService.register(user);
return "successPage";
}
A user's normal HTTP request looks like this:
POST /register
...
username=hoppi&password=guest1234&email=email@example.com
But an attacker can add an isAdmin parameter, the very attribute that gates access to the admin form or page. Spring's WebDataBinder maps each parameter name to a bean property (a setter) on UserModel, and nothing in the controller says isAdmin is off-limits, so the attacker registers as an administrator:
POST /register
...
username=attacker&password=guest1234&email=email@example.com&isAdmin=true
Mitigation
The best defence is to decide at design time which attributes a user may set and bind the request only to those: use a dedicated form (DTO) class that contains just username, password and email, and copy it into the domain object on the server side. A field that does not exist on the bound object cannot be mass-assigned.
In Spring MVC you can also use @InitBinder to restrict which fields the WebDataBinder is allowed to populate. Parameters that are not on the list are silently ignored rather than rejected, so a probe for isAdmin does not produce an error, it just has no effect. Like this:
@Controller
public class UserController
{
@InitBinder
public void initBinder(WebDataBinder binder)
{
// Only these bean properties may be populated from the request;
// anything else (isAdmin included) is silently dropped.
binder.setAllowedFields("username", "password", "email");
}
...
}
A denylist works too, but it is weaker: every new sensitive field has to be remembered, the names must match the bean property names exactly, and before Spring Framework 5.2.21 / 5.3.19 the disallowed-field patterns were matched case-sensitively (CVE-2022-22968), so a differently cased spelling of the name could slip through.
@Controller
public class UserController
{
@InitBinder
public void initBinder(WebDataBinder binder)
{
// Denylist: every sensitive property must be listed explicitly.
binder.setDisallowedFields("isAdmin");
}
...
}
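The attack request from the Example section and both mitigations above are shown working in the following added example, which is my code, not code from the original post or from the Dreamhack challenge. It drives Spring's WebDataBinder directly (spring-web and its dependencies on the classpath; no servlet container needed) against a copy of the post's UserModel, and adds a RegistrationForm DTO, a hypothetical class of my own, to show the design-time fix from the Mitigation section. The class and method names are assumptions; the UserModel setter is spelled setIsAdmin so that the bean property is literally isAdmin, as the attack request assumes.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.web.bind.WebDataBinder;

// Added example (not from the original post): drives Spring's WebDataBinder outside a
// servlet container to contrast the unrestricted bind, the allow-listed bind and a DTO.
public class MassAssignmentDemo {
    // Mirrors the post's UserModel. The binder resolves parameter names to JavaBean
    // properties, i.e. setters: "isAdmin=true" binds because there is a setIsAdmin(boolean).
    // Had the setter been setAdmin(boolean), the property would be "admin" instead.
    public static class UserModel {
        private String username;
        private String password;
        private String email;
        private boolean isAdmin;
        public String getUsername() { return username; }
        public void setUsername(String v) { username = v; }
        public String getPassword() { return password; }
        public void setPassword(String v) { password = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean getIsAdmin() { return isAdmin; }
        public void setIsAdmin(boolean v) { isAdmin = v; }
    }

    // Hypothetical form object: only user-editable fields exist on it, so an extra
    // "isAdmin" parameter has nothing to bind to and is ignored as an unknown field.
    public static class RegistrationForm {
        private String username;
        private String password;
        private String email;
        public String getUsername() { return username; }
        public void setUsername(String v) { username = v; }
        public String getPassword() { return password; }
        public void setPassword(String v) { password = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }

        // Privileges are decided server-side; the request never gets a say.
        public UserModel toUser() {
            UserModel u = new UserModel();
            u.setUsername(username);
            u.setPassword(password);
            u.setEmail(email);
            u.setIsAdmin(false);
            return u;
        }
    }

    // Constructed sample input: the attacker's POST body from the post, as the
    // parameter map Spring builds from application/x-www-form-urlencoded data.
    static Map<String, Object> attackerParams() {
        Map<String, Object> p = new LinkedHashMap<>();
        p.put("username", "attacker");
        p.put("password", "guest1234");
        p.put("email", "email@example.com");
        p.put("isAdmin", "true");
        return p;
    }

    // 1. Vulnerable: every parameter with a matching setter is written.
    static UserModel bindUnrestricted(Map<String, Object> params) {
        UserModel user = new UserModel();
        WebDataBinder binder = new WebDataBinder(user);
        binder.bind(new MutablePropertyValues(params));
        return user;
    }

    // 2. Allow-list, the same call the @InitBinder above makes. Unlisted parameters
    //    are dropped silently; the binding result records them as suppressed fields.
    static UserModel bindAllowListed(Map<String, Object> params) {
        UserModel user = new UserModel();
        WebDataBinder binder = new WebDataBinder(user);
        binder.setAllowedFields("username", "password", "email");
        binder.bind(new MutablePropertyValues(params));
        for (String f : binder.getBindingResult().getSuppressedFields()) {
            // Worth logging for real: someone is probing for hidden fields.
            System.out.println("suppressed parameter: " + f);
        }
        return user;
    }

    // 3. Form object: bind to the DTO, then map to the domain object.
    static UserModel bindViaForm(Map<String, Object> params) {
        RegistrationForm form = new RegistrationForm();
        WebDataBinder binder = new WebDataBinder(form);
        binder.bind(new MutablePropertyValues(params));
        return form.toUser();
    }

    public static void main(String[] args) {
        System.out.println("unrestricted isAdmin = " + bindUnrestricted(attackerParams()).getIsAdmin());
        System.out.println("allow-listed isAdmin = " + bindAllowListed(attackerParams()).getIsAdmin());
        System.out.println("form-object  isAdmin = " + bindViaForm(attackerParams()).getIsAdmin());
    }
}
```

Run main with spring-web on the classpath: the unrestricted bind reports isAdmin = true, the other two report false, and the allow-listed bind prints the suppressed isAdmin parameter. That suppressed-field line is worth keeping in production logs, since an unexpected parameter name is a cheap detection signal for someone probing for hidden fields.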