“Mass assignment vulnerability”的意思、由来-开放百科全书

Mass assignment is a computer vulnerability where an active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status.

Many web application frameworks offer an active record and object-relational mapping features, where external data in serialization formats is automatically converted on input into internal objects and, in turn, into database record fields. If the framework's interface for that conversion is too permissive and the application designer doesn't mark specific fields as immutable, it is possible to overwrite fields that were never intended to be modified from outside (e.g. admin permissions flag).^[1]

These vulnerabilities have been found in applications written in Ruby on Rails,^[2] ASP.NET MVC,^[3] and Java Play framework.^[4]

In 2012 mass assignment on Ruby on Rails allowed bypassing of mapping restrictions and resulted in proof of concept injection of unauthorized SSH public keys into user accounts at GitHub.^[5]^[6] Further vulnerabilities in Ruby on Rails allowed creation of internal objects through a specially crafted JSON structure.^[7]

In ASP.NET Core mapping restriction can be declared using the [BindNever] attribute.^[8]

See also

References

1. ^{{cite web | url=http://cwe.mitre.org/data/definitions/915.html | title=CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes | publisher=NIST | work=Common Weakness Enumeration | accessdate=February 27, 2013}}
2. ^{{cite web | url=http://guides.rubyonrails.org/security.html#mass-assignment | title=Mass Assignment | work=Ruby On Rails Security Guide | accessdate=February 27, 2013}}
3. ^{{cite web | url=http://ironshay.com/post/Mass-Assignment-Vulnerability-in-ASPNET-MVC.aspx | title=Mass Assignment Vulnerability in ASP.NET MVC | publisher=IronsHay | accessdate=February 27, 2013}}
4. ^{{cite web|url=http://alots.wordpress.com/2014/03/26/playframework-how-to-protect-against-mass-assignment/ |title=Playframework, how to protect against Mass Assignment |date=2014 |author=Alberto Souza}}
5. ^{{cite web | url=http://www.zdnet.com/github-suspends-member-over-mass-assignment-hack-4010025556/ | title=GitHub suspends member over 'mass-assignment' hack | publisher=ZDnet | year=2012 | accessdate=February 27, 2013}}
6. ^{{cite web | url=http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/ | title=[SEC][ANN] Rails 3.2.12, 3.1.11, and 2.3.17 have been released! | accessdate=January 7, 2016}}
7. ^{{cite web | url=https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ | title=Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) | accessdate=January 7, 2016}}
8. ^{{cite web|url=https://docs.microsoft.com/en-us/aspnet/core/mvc/models/model-binding|title=Model Binding in ASP.NET Core|first=|last=tdykstra|website=docs.microsoft.com}}