Mass assignment vulnerability
|This article is an orphan, as no other articles link to it. Please introduce links to this page from ; try the Find link tool for suggestions. (March 2013)|
Mass assignment is a computer vulnerability where an active record pattern in web application is abused to modify data items that the user should be not normally allowed to access — for example password, granted permissions or administrator status.
Many web application frameworks offer an active record feature, where database record fields can be modified by automatically generated web API methods. If the framework doesn't prevent that automatically and the application designer doesn't mark specific fields as immutable this way, it's possible to abuse the API call and modify these hidden fields.
- "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes". Common Weakness Enumeration. NIST. Retrieved February 27, 2013.
- "Mass Assignment". Ruby On Rails Security Guide. Retrieved February 27, 2013.
- "Mass Assignment Vulnerability in ASP.NET MVC". IronsHay. Retrieved February 27, 2013.
- Alberto Souza (2014). "Playframework, how to protect against Mass Assignment".
- Krawczyk, Paweł (2014-06-03). "Avoiding mass assignment vulnerability a in Play Framework and DropWizard". IPsec.pl. Retrieved 2014-07-16.
- "GitHub suspends member over 'mass-assignment' hack". ZDnet. 2012. Retrieved February 27, 2013.