Mass assignment
These are rare scenarios caused by mass object property assignment from HTTP parameters. Many web applications do this on one level or another to simplify form generation. Advanced ORM's are usually (but not always) involved in this sort of problem, so be on the lookout for PHP's "Doctrine", Ruby's "ActiveRecord", or Python's "sqlAlchemy".
Suppose when a signup form post occurs, an ajax request is sent to:
/users/signup/?username=newguy&password1=crackme&password2=crackme&[email protected]
And our SQL table creation statement looked something like:
CREATE TABLE USER ( id INT AUTO_INCREMENT PRIMARY KEY, group_id INT FOREIGN KEY NOT NULL DEFAULT 1, username VARCHAR(24), password VARCHAR(512), activated TIMESTAMP, email VARCHAR(256)) FOREIGN KEY (group_id) REFERENCES GROUP(id); |
The target software will automatically put new users in group 1 (non-activated users list) on registration. Perhaps on update it would update us to group 2, and additional groups became available for further permissions.
Suppose the "administrators group" for the web application is group id 5. When unchecked mass assignment is in place, the following signup URI would make user `superhacker' an admin:
/users/signup/?username=superhacker&password=1337&[email protected]&group_id=5
Examples
<?php foreach ($_GET as $property => $value) { $user->$property = $value; } $user->save(); ?> |
for param in request.GET: user.__dict__[param] = request.GET[param] |
- Ruby on Rails (ActiveRecord):
user = User.new(params[:user]) |
Mitigation