A Mass Assignment vulnerability occurs when an application binds request parameters directly to model or object attributes, so an attacker who adds unexpected fields to a request (for example an is_admin or role flag alongside an ordinary profile update) can modify more data than the developer intended, potentially gaining unauthorized access to sensitive information or elevated privileges. This can lead to unauthorized changes in the application's data or behaviour, compromising its security. Mitigation involves carefully validating and sanitizing input data: allowlisting the fields that may be bound is the reliable approach; denylisting known-dangerous fields is fragile, because every attribute added later is exposed by default; and frameworks that offer built-in protection against Mass Assignment should have it enabled.
Restrict the fields that can be updated or created via user input by implementing a strict allowlist of permissible parameters. Use robust validation and sanitization so that only the expected properties, with the expected types, are set. If your framework supports mass assignment protection (e.g., Rails' strong parameters, or similar features in other frameworks), enable and configure it accordingly. Separate the fields intended for user updates (for example in a dedicated form or DTO object) from sensitive or internal attributes that should never be mass assignable. Regularly review code to confirm that no newly introduced fields bypass these restrictions, and log rejected or unexpected fields so that abnormal attempts to change application data can be detected.
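The following is an added example, not code from the original page: a naive binder that copies every request key onto a model (the vulnerable pattern) next to an allowlisted binder that accepts only the profile fields, checks their types against the model, and logs or rejects anything else. The User model, the PROFILE_FIELDS allowlist, the attacker payload and the helper names are all constructed for illustration.

```python
"""Mass assignment: vulnerable auto-binding beside an allowlisted update.

Added example; the model, payloads and helper names are constructed for
illustration and are not part of any framework.
"""
import logging
from dataclasses import dataclass, fields

log = logging.getLogger("mass_assignment")


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False      # internal attribute: never user-settable
    password_hash: str = ""     # internal attribute: never user-settable


def update_user_vulnerable(user: User, payload: dict) -> User:
    """Naive binding: every key in the request becomes a model attribute.

    This is the pattern mass assignment exploits: an attacker adds
    "is_admin": true to an otherwise ordinary profile update.
    """
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# Explicit allowlist of attributes a user may change about their own profile.
PROFILE_FIELDS = frozenset({"email", "display_name"})

# Expected Python type for each model attribute, taken from the dataclass.
FIELD_TYPES = {f.name: f.type for f in fields(User)}


class UnexpectedFieldError(ValueError):
    """Raised in strict mode when a request carries a non-assignable field."""


def update_user_safe(user: User, payload: dict, *, strict: bool = True) -> User:
    """Allowlisted binding: only PROFILE_FIELDS are copied onto the model.

    strict=True rejects the whole request if it carries any other key
    (the safest default); strict=False drops the extra keys but logs them
    so an escalation attempt still shows up in monitoring.
    """
    extra = set(payload) - PROFILE_FIELDS
    if extra:
        log.warning("user %d sent non-assignable fields: %s", user.id, sorted(extra))
        if strict:
            raise UnexpectedFieldError(f"unexpected fields: {sorted(extra)}")
    for key in PROFILE_FIELDS & set(payload):
        # Type check against the model so a string field cannot become a dict
        if not isinstance(payload[key], FIELD_TYPES[key]):
            raise TypeError(f"field {key!r} must be {FIELD_TYPES[key].__name__}")
        setattr(user, key, payload[key])
    return user


# Constructed attacker payload: a normal-looking profile update carrying a
# privilege-escalating extra key.
ATTACK_PAYLOAD = {"display_name": "mallory", "is_admin": True}


def demo() -> tuple:
    """Return (is_admin after vulnerable bind, is_admin after safe bind)."""
    victim = User(id=7, email="m@example.com", display_name="m")
    escalated = update_user_vulnerable(victim, ATTACK_PAYLOAD).is_admin
    victim = User(id=7, email="m@example.com", display_name="m")
    kept = update_user_safe(victim, ATTACK_PAYLOAD, strict=False).is_admin
    return escalated, kept


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

The allowlist is deliberately a module-level constant rather than something derived from the model: adding a new attribute to User must not make it bindable until a reviewer adds it to PROFILE_FIELDS, which is the property the review step described above is meant to preserve.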
Code: A05:2021
Category: Security Misconfiguration
5.4