Mass assignment is a computer vulnerability where an active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status.
Many web application frameworks offer an active record and object-relational mapping features, where external data in serialization formats is automatically converted on input into internal objects and, in turn, into database record fields. If the framework's interface for that conversion is too permissive and the application designer doesn't mark specific fields as immutable, it is possible to overwrite fields that were never intended to be modified from outside (e.g. admin permissions flag).[1]
These vulnerabilities have been found in applications written in Ruby on Rails,[2] ASP.NET MVC,[3] and Java Play framework.[4]
In 2012 mass assignment on Ruby on Rails allowed bypassing of mapping restrictions and resulted in proof of concept injection of unauthorized SSH public keys into user accounts at GitHub.[5][6] Further vulnerabilities in Ruby on Rails allowed creation of internal objects through a specially crafted JSON structure.[7]
In ASP.NET Core mapping restriction can be declared using the [BindNever] attribute.[8]
^"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes". Common Weakness Enumeration. NIST. Retrieved February 27, 2013.
^"Mass Assignment". Ruby On Rails Security Guide. Retrieved February 27, 2013.
^"Mass Assignment Vulnerability in ASP.NET MVC". IronsHay. Retrieved February 27, 2013.
^Alberto Souza (2014). "Playframework, how to protect against Mass Assignment".
^"GitHub suspends member over 'mass-assignment' hack". ZDnet. 2012. Retrieved February 27, 2013.
^"[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released!". Retrieved January 7, 2016.
^"Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)". Retrieved January 7, 2016.
^tdykstra (20 June 2023). "Model Binding in ASP.NET Core". docs.microsoft.com.
and 26 Related for: Mass assignment vulnerability information
Massassignment is a computer vulnerability where an active record pattern in a web application is abused to modify data items that the user should not...
implementations have suffered from denial-of-service attack and massassignmentvulnerability. JSON is promoted as a low-overhead alternative to XML as both...
In March 2012, security researcher Egor Homakov discovered a massassignmentvulnerability that allowed certain Rails applications to be remotely exploited...
Mass Effect 3 is a 2012 action role-playing video game developed by BioWare and published by Electronic Arts. The third major entry in the Mass Effect...
began on 4 February, and an assault was ordered for February 9th. The massing of forces produced a panic in Díaz' men. Díaz was not willing to engage...
existing sequences in the database. De novo sequencing is an assignment of fragment ions from a mass spectrum. Different algorithms are used for interpretation...
rule. The concept of measurement is often misunderstood as merely the assignment of a value, but it is possible to assign a value in a way that is not...
Chief of Naval Operations, with the design of a unit to test the Navy's vulnerability to terrorism. This unit was the Naval Security Coordination Team OP-06D...
water). Thus deuterium accounts for about 0.0156% by number (0.0312% by mass) of all hydrogen in the oceans: 4.85×1013 tonnes of deuterium – mainly in...
years are quite modern and spacious, but since there is a lottery for assignment the waiting list can often run years. On the other hand, there continue...
re-loaded. They were still vulnerable, especially to cavalry, as they could not present the solid wall of bayonets a larger mass of soldiers could. These...
staff, Will is left with no speechwriting staff, an endless list of assignments, and four interns to get everything done. 82 17 "Red Haven's on Fire"...
redistribution of body fat towards a gynoid fat distribution, decreased muscle mass/strength, and changes in mood. Trans women may seek to feminize their voice...
debilitating effect that entails arresting individuals. Given the general vulnerability and naivete of children, it is important to understand how such a traumatic...
were always surrounded by capitalist enemies, always worried about the vulnerability and loyalty of the Red Army. It was not a ploy—Stalin truly believed...
his services to Ulrich and was delighted to receive such an important assignment. "Rinunce e nomine, 26.04.2022" (Press release) (in Italian). Holy See...
vulnerability analysis in regards to combat and other external damage, whereas the Army's Vulnerability Assessment Laboratory conducted vulnerability...
Canadian Radio-television and Telecommunications Commission (CRTC). Canadian mass media, both print and digital, and in both official languages, is largely...
including, The Adventures of Nick Carter, Dead Man on the Run, Assignment Vienna's pilot Assignment: Munich, The Night Rider, The Silent Gun, The Lives of Jenny...
were exposed to "toxic" and traumatic content; one worker described the assignment as "torture". OpenAI's outsourcing partner was Sama, a training-data company...
Technology (NJIT), DeCarolis chose the building as the topic for a report assignment in his freshman class on the basic concepts of structural engineering...
Internet technical community, including itself, “address the vulnerabilities exploited [by mass surveillance campaigns]...to ensure that the Internet can...
News. Retrieved 14 June 2016. Dawson, Walter. 2010. "Private Tutoring and Mass Schooling in East Asia: Reflections of Inequality in Japan, South Korea,...
following psychological reactions: Increase in the realization of personal vulnerability. The perception of the world as meaningless and incomprehensible. They...
independent. She continued to caucus with the Democratic Party for committee assignments. Late in 2023, Sinema was brought in as the medium between progressive...
(ISSI) for the duration of the assignment (an hour, a morning patrol or a given short period allocated to the assignment). The advantage being that each...