
[TIL] Mass Assignment Vulnerability in Spring Boot

Yesterday, I solved Dreampring, a web challenge on dreamhack.
The application was built with Spring Boot, which is used almost everywhere.
The keyword for this challenge is the Mass Assignment vulnerability, so today I'm going to talk about it.

What is Mass Assignment Vulnerability?


Software frameworks sometimes let developers automatically bind HTTP request parameters to program variables or objects. This convenience can be turned against the application: because every parameter whose name matches a bindable property is written, an attacker can add parameters the form never sends and overwrite object fields that were never meant to be user-controlled (a role flag, an account balance, an owner id).

In Spring MVC this feature is called auto-binding, and the vulnerability goes by several names depending on the framework:

  • Mass Assignment: Ruby on Rails, NodeJS
  • Auto-Binding: Spring MVC, ASP NET MVC
  • Object injection: PHP

Example


I will explain it using Spring MVC. Suppose there is a form for registering a user account:

<form action="/register" method="post">
     <input name="username" type="text">
     <input name="password" type="password">
     <input name="email" type="email">
     <input type="submit">
</form>


And here is the model the form is bound to:

public class UserModel {
   private String username;
   private String password;
   private String email;
   private boolean isAdmin;   // never set by the form, but it still has a setter

   // Getters & Setters, including setIsAdmin(boolean): the binder matches
   // request parameters against setter names, so "isAdmin" is bindable too
}


And here is the controller that handles the HTTP request:

...
// UserModel is populated from the request parameters with no restriction:
// every parameter that matches a setter on UserModel is bound
@RequestMapping(value = "/register", method = RequestMethod.POST)
public String submit(UserModel user) {
   userService.register(user);
   return "successPage";
}


A normal user's HTTP request looks like this:

POST /register
...
username=hoppi&password=guest1234&email=email@example.com


But an attacker can add the isAdmin parameter, which is all that is needed to reach the admin form or page. The binder does not know that the HTML form never contained such a field; it only sees that UserModel has a matching setter:

POST /register
...
username=attacker&password=guest1234&email=email@example.com&isAdmin=true


Mitigation


The best way to prevent this vulnerability is to design the model so that it contains only the attributes the user is allowed to edit: bind the request to a dedicated request object (a DTO) and copy the permitted fields into the domain object in code, so a sensitive field such as isAdmin has no setter the binder could ever reach.

When the domain object must be bound directly, Spring MVC lets you restrict which fields the binder may write with @InitBinder. Note that a plain @InitBinder method applies to every handler in that controller; if the controller binds several different models, scope it with @InitBinder("user") (the model attribute name). Allow-listing looks like this:
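A dedicated request model makes that concrete. The following is an added example, not code from the original post or from the Dreampring challenge; it assumes a `UserModel` and a `UserService` like the ones used above exist in the same package, and the names `RegistrationForm` and `RegistrationController` are mine.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Request object (assumed name): it carries only what the form may submit.
// There is no isAdmin field and therefore no setIsAdmin setter, so an extra
// isAdmin=true parameter has nothing to bind to and is simply dropped.
class RegistrationForm {
    private String username;
    private String password;
    private String email;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

@Controller
public class RegistrationController {

    // UserService is the page's own collaborator; assumed to exist in this package.
    private final UserService userService;

    public RegistrationController(UserService userService) {
        this.userService = userService;
    }

    @PostMapping("/register")
    public String submit(@ModelAttribute RegistrationForm form) {
        // Copy only the permitted fields into the domain object (UserModel from the page).
        UserModel user = new UserModel();
        user.setUsername(form.getUsername());
        user.setPassword(form.getPassword());
        user.setEmail(form.getEmail());
        // isAdmin keeps its default of false: privilege is granted by server-side
        // logic, never by anything the client puts in the request body.
        userService.register(user);
        return "successPage";
    }
}
```

The point of the split is that the binder can only write what the request class exposes, so adding a new sensitive field to `UserModel` later does not silently become user-controllable; you would have to add it to `RegistrationForm` on purpose.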

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;

@Controller
public class UserController
{
    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request)
    {
        // Allow-list: only these request parameters may be bound;
        // anything else (for example isAdmin) is ignored
        binder.setAllowedFields("username", "password", "email");
    }
...
}


Or, less robustly, deny-list the sensitive fields. This is weaker than the allow-list because every new sensitive field added to the model has to be remembered and added here, and forgetting one reopens the hole:

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;

@Controller
public class UserController
{
   @InitBinder
   public void initBinder(WebDataBinder binder, WebRequest request)
   {
      // Deny-list: everything is bindable except the fields named here
      binder.setDisallowedFields("isAdmin");
   }
...
}
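To see both the attack and the two binder settings in action without starting a web server, here is an added example (not from the original post) that drives Spring's `DataBinder`, the class `WebDataBinder` extends, directly against the attacker's parameter set from above. It needs only the core Spring jars (spring-beans, spring-context), no web stack. The class `MassAssignmentDemo`, its nested `UserModel` with an explicit `setIsAdmin` setter, and the helper names are assumptions of mine; the parameter values are the constructed ones from the request shown earlier.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class MassAssignmentDemo {

    // Same shape as the page's UserModel. The setter is named setIsAdmin on
    // purpose so the bindable property is literally "isAdmin" (assumption).
    public static class UserModel {
        private String username;
        private String password;
        private String email;
        private boolean isAdmin;

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean getIsAdmin() { return isAdmin; }
        public void setIsAdmin(boolean isAdmin) { this.isAdmin = isAdmin; }
    }

    // Constructed input: the attacker's POST body from the page, as the
    // name/value pairs the servlet layer would hand to the binder.
    static MutablePropertyValues attackerParams() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("username", "attacker");
        pvs.add("password", "guest1234");
        pvs.add("email", "email@example.com");
        pvs.add("isAdmin", "true");   // the parameter the HTML form never sends
        return pvs;
    }

    // Unrestricted binding, as in the page's controller: every parameter with
    // a matching setter is written, so setIsAdmin(true) gets called.
    static UserModel bindUnrestricted() {
        UserModel user = new UserModel();
        new DataBinder(user).bind(attackerParams());
        return user;
    }

    // Allow-list binding: only the three form fields may be written.
    static UserModel bindWithAllowList() {
        UserModel user = new UserModel();
        DataBinder binder = new DataBinder(user);
        binder.setAllowedFields("username", "password", "email");
        binder.bind(attackerParams());
        // Rejected fields are recorded on the BindingResult, which is useful
        // for logging an attempted mass assignment rather than losing it silently.
        System.out.println("suppressed (allow-list): "
                + String.join(",", binder.getBindingResult().getSuppressedFields()));
        return user;
    }

    // Deny-list binding: everything except the named fields may be written.
    static UserModel bindWithDenyList() {
        UserModel user = new UserModel();
        DataBinder binder = new DataBinder(user);
        binder.setDisallowedFields("isAdmin");
        binder.bind(attackerParams());
        System.out.println("suppressed (deny-list): "
                + String.join(",", binder.getBindingResult().getSuppressedFields()));
        return user;
    }

    public static void main(String[] args) {
        System.out.println("unrestricted isAdmin=" + bindUnrestricted().getIsAdmin());
        System.out.println("allow-list   isAdmin=" + bindWithAllowList().getIsAdmin());
        System.out.println("deny-list    isAdmin=" + bindWithDenyList().getIsAdmin());
    }
}
```

Running `main` shows `isAdmin=true` for the unrestricted binder and `false` for the other two, with `isAdmin` listed as a suppressed field in both restricted cases. The `getSuppressedFields()` call is worth wiring into application logging: a request that carries parameters the allow-list rejects is exactly the probe an attacker sends first.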

