Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Mass assignment"

From NetSec
Jump to: navigation, search
Line 2: Line 2:
 
        
 
        
 
Suppose when a signup form post occurs, an ajax request is sent to:
 
Suppose when a signup form post occurs, an ajax request is sent to:
        /users/signup/?username=newguy&password1=crackme&password2=crackme&[email protected]
+
  /users/signup/?username=newguy&password1=crackme&password2=crackme&[email protected]
     
+
 
And our SQL table creation statement looked something like:
 
And our SQL table creation statement looked something like:
 
        
 
        
Line 17: Line 16:
 
      
 
      
 
Suppose the "administrators group" for the web application is group id 5.  When unchecked mass assignment is in place, the following signup URI would make user `superhacker' an admin:
 
Suppose the "administrators group" for the web application is group id 5.  When unchecked mass assignment is in place, the following signup URI would make user `superhacker' an admin:
        /users/signup/?username=superhacker&password=1337&[email protected]&group_id=5
+
  /users/signup/?username=superhacker&password=1337&[email protected]&group_id=5
 
        
 
        
 
=== Examples ===
 
=== Examples ===
Line 23: Line 22:
 
* [[PHP]]
 
* [[PHP]]
 
{{code|text=<source lang="php">
 
{{code|text=<source lang="php">
          <?php
+
<?php
            foreach ($_GET as $property => $value) {  
+
  foreach ($_GET as $property => $value) {  
              $user->$property = $value;  
+
    $user->$property = $value;  
            }
+
  }
            $user->save();
+
  $user->save();
          ?></source>}}
+
?></source>}}
 
* [[Python]]
 
* [[Python]]
 
{{code|text=<source lang="python">
 
{{code|text=<source lang="python">
        for param in request.GET:
+
for param in request.GET:
          user.__dict__[param] = request.GET[param]</source>}}
+
  user.__dict__[param] = request.GET[param]</source>}}
 
        
 
        
 
* [[Ruby]] on Rails (ActiveRecord):
 
* [[Ruby]] on Rails (ActiveRecord):
 
{{code|text=<source lang="ruby">
 
{{code|text=<source lang="ruby">
          user = User.new(params[:user])</source>}}
+
user = User.new(params[:user])</source>}}
 
            
 
            
 
=== Mitigation ===
 
=== Mitigation ===

Revision as of 01:55, 12 May 2013

These are rare scenarios caused by mass object property assignment from HTTP parameters. Many web applications do this on one level or another to simplify form generation. Advanced ORM's are usually (but not always) involved in this sort of problem, so be on the lookout for PHP's "Doctrine", Ruby's "ActiveRecord", or Python's "sqlAlchemy".

Suppose when a signup form post occurs, an ajax request is sent to:

 /users/signup/?username=newguy&password1=crackme&password2=crackme&[email protected]

And our SQL table creation statement looked something like:

CREATE TABLE USER (
id INT AUTO_INCREMENT PRIMARY KEY, 
group_id INT FOREIGN KEY NOT NULL DEFAULT 1, 
username VARCHAR(24), 
password VARCHAR(512), 
activated TIMESTAMP, 
email VARCHAR(256)) FOREIGN KEY (group_id) REFERENCES GROUP(id);

The target software will automatically put new users in group 1 (non-activated users list) on registration. Perhaps on update it would update us to group 2, and additional groups became available for further permissions.

Suppose the "administrators group" for the web application is group id 5. When unchecked mass assignment is in place, the following signup URI would make user `superhacker' an admin:

 /users/signup/?username=superhacker&password=1337&[email protected]&group_id=5
     

Examples

 
<?php
  foreach ($_GET as $property => $value) { 
    $user->$property = $value; 
  }
  $user->save();
?>
 
for param in request.GET:
  user.__dict__[param] = request.GET[param]
  • Ruby on Rails (ActiveRecord):
 
user = User.new(params[:user])

Mitigation


Auditing