Web application security is a never-ending process. A web application has different components based on its complexity. It’s needless to say that attackers will leave no stone unturned and will try to attack every piece of the application. Hence, it’s important to secure all parts of the application. One of the first things any application owner should do to secure their application is to identify known vulnerabilities and fix them. In this post, we’ll discuss one such vulnerability: mass assignment vulnerability.

Mass assignment vulnerabilities are less common. But they pose great risks to applications and organizations. A mass assignment vulnerability could lead to less critical exploitations such as changing the price of a product to buy it at a cheaper price. But it could also lead to an attacker taking complete control over the application. It depends on how the application is built.

By the end of the post, you’ll understand what mass assignment is and how it leads to a vulnerability. We’ll also look at some examples and understand its impact on business.

What Is Mass Assignment?

Modern applications are pretty advanced and complex. But one of the basic functions of most applications is taking user input and storing it in a database. All the way from signing up for the application to adding personal details, the user inputs data. And all that data has to be stored somewhere.

Traditionally, developers had to add code to store each piece of data. In most cases, doing this would just be copying and pasting code and changing some attributes or using a loop. But it’s still something developers could save time on. Additionally, with this approach developers had redundant code in their codebase.

So, to save developers some time on user inputs, most frameworks provided functionality for easy mapping. Mass assignment is one such functionality. Mass assignment lets developers bind user-side data into data objects using a single line of code. This sounds cool, but it can lead to mass assignment vulnerability. So, how does that happen?

What Is Mass Assignment Vulnerability?

Mass assignment simplifies handling user input. But if you don’t take care of security, this functionality can allow attackers to modify user requests and map data that they’re not supposed to. This is known as mass assignment vulnerability. Now, let’s try to understand how this works.

Let’s say your application uses a form for a user to sign up for your application. The form would collect basic information such as name, email address, password, etc. The data entered in the form comes to the server from the user’s browser in the form of a request. Then the server would insert the data into the database. This is how the signup process is designed to work.

The application can have normal users or users with special privileges referred to as admin users by the application. And the application could use a boolean value to mark a user as an admin or not. You wouldn’t want just any user signing up as an admin. So, by default, the value for this boolean value will be false (e.g., isAdmin = False). Let’s assume that this value is coded as a hidden element on the webpage and the request to the server is designed to have isAdmin = False by default.

Now, when a user signs up, the browser sends a request with the following data:

{

…

“name”:”Tony”,”email”:”tony@abc.com”,”password”:”secret”,”isAdmin”:false

…

}

Then, the server inserts this data into the database. This could lead to a mass assignment vulnerability exploitation.

Malicious Request

Looking at requests is pretty easy using tools like Burpsuite. Attackers can intercept the request and see what attributes and values the browser sends to the server. If the attackers discover the isAdmin field, they could modify the request and set it to true. And by doing this, the server would add the attacker’s email address as an admin.

This is how attackers can exploit mass assignment functionality.

Examples of Mass Assignment Vulnerability

Now that you understand mass assignment and how it can lead to vulnerabilities, let’s move from theory to seeing things in action. We’ll discuss two types of mass assignment vulnerabilities:

• API request with hidden field
• application configured default values at database level

API Request With Hidden Field

The first example we’ll look at is when the isAdmin field is hidden. The HTML for signup is as follows:

<form action=”http://127.0.0.1:5000/signup” method=”POST”>

<h1>Sign Up</h1>

<p>Welcome to This Application! Please sign up to continue.</p>

Name*: <input type=”text” placeholder=”Enter Name” name=”name” required><br/><br/>

Email*: <input type=”text” placeholder=”Enter Email” name=”email” required><br/><br/>

Password* : <input type=”password” placeholder=”Enter Password” name=”pass” required><br/><br/>

<input type=”hidden”name=”isAdmin” value=false required>

<a href=”#” style=”color:blue”>Terms & Conditions</a><br/>

<button type=”button” class=”cancelbtn”>Cancel</button>

<button type=”submit” class=”signupbtn”>Sign Up</button>

</form>

I’m on a Kali machine and will be using the Apache2 server that comes with the OS installation. To start the Apache2 server, I run the command service apache2 start. Then, I’ll place the HTML file with the above script in the /var/www/html directory. I can open the webpage now by visiting localhost on my browser.

Python API Server

I’ll use a Python Flask API server on the back end. This API server will take the values from the form and display them on the terminal. To keep it simple, I’m not inserting the data into a database. The Python 3 script for the API server is as follows:

from flask import Flask, json, request, jsonify 

import os 

from flask_cors import CORS

api = Flask(__name__) 

api.config[‘SECRET_KEY’] = ‘the quick brown fox jumps over the lazy dog’ 

api.config[‘CORS_HEADERS’] = ‘Content-Type’ 

cors = CORS(api)

@api.route(‘/signup’, methods=[‘POST’]) 

def data_insert(): 

    data = {}

    data.update(request.form.to_dict(flat=True))

    print(data) 

    return (“Data Inserted”)

if __name__ == ‘__main__’: 

    api.run()

You need to install the Flask library using the command pip3 install flask. Save the above script in a Python extension file, (e.g., api.py) and start the API server by running python3 <filename>.py. If all goes well, you should see something like this:

Now let’s enter some values and see how this works. When I click the signup button, the browser will send a request to my server. And because I’ve programmed the server to just print the values, I’ll see the data entered in the terminal.

As you can see, along with the name, email, and password, I also see the isAdmin, which is by default set to false. Now let’s see how an attacker can exploit this.

Because the data for isAdmin is present in the HTML that’s available on the browser, I can change the value using the browser without any additional tools. To do this, I’ll right-click on the browser and click the Inspect button. Next, I’ll find the hidden element and change the value of isAdmin from false to true. 

When I send this request, I’ll see that Tony has been added as an admin.

Application Configured Default Values at Database Level

In the previous example, we saw that the admin flag was present in HTML and was being sent in the request. But such cases are very rare. In most cases, these fields aren’t passed from the browser. Instead, the database itself is configured to set a default value. In such cases, you can’t modify the value from the browser and you’ll need additional tools.

For this example, I’ll use Burpsuite, which comes preinstalled in Kali. To intercept the request, you’ll have to configure Burpsuite and the browser. When you configure Burp proxy, Burpsuite doesn’t capture traffic to the localhost. Instead, you’ll have to use your LAN IP. Similarly, you’ll also have to replace 127.0.0.1 in the HTML file with the LAN IP.

Now, when I enter data and sign up, Burpsuite should intercept my traffic. By default, the isAdmin won’t be a part of the request.

So, I will add it myself.

As you can see, all data is visible and I can edit this. I’ll change the value of isAdmin from false to true and forward the request.

Now my server clearly shows the modified value, and the server will add Tony as an admin. This is how attackers can leverage mass assignment vulnerabilities.

Impact of Mass Assignment Vulnerabilities

As we’ve seen in the examples, mass assignment vulnerabilities can lead to critical privilege escalation. If an attacker gets admin privileges to an application, they can steal or modify data or even bring the whole application down.

But this vulnerability doesn’t always need to be used to get privilege access. Attackers can also use it to access certain features or bypass certain checks. For example, if the application tracks whether a user’s email is verified or not using an isVerified flag, the user can modify this value and bypass email verification.

Another example could be bypassing two-factor authentication used in many organizations. An organization could be using a third-party two-factor authentication tool as an extra level of authentication and APIs for verification from the tool. Using mass assignment, an attacker could manipulate the field that indicates whether two-factor authentication was successful and could bypass the second factor of authentication even by entering wrong values. Such vulnerabilities can result in unimaginable harm.

Real-World Example: GitHub Breach

One good real-world example that clearly illustrates the impact of mass assignment vulnerability on your business is when GitHub had a security breach in 2012. A GitHub member was able to use mass assignment to gain access to repositories with super-user privileges. The member was able to do so by exploiting the public key update functionality that was vulnerable to mass assignment. Imagining an attacker getting super-user privileges to your codebase is scary. They could delete your code, bring your whole application down, or try to create more vulnerabilities for later exploitation.

When an application is a crucial element of your business, an attacker compromising it would majorly affect your business. You might end up losing all your data, lose your codebase, or even end up paying heavy fines or getting sued due to data leakage. Even bringing the system down for some time could result in a huge loss of revenue.

Conclusion

Mass assignment is an under-discussed security threat, but it poses a great danger to applications and businesses. We’ve seen examples of how attackers can exploit mass assignment vulnerabilities and how it can impact your business.

An application is only as secure as its least secure component. A lot of organizations focus mostly on server-side security, authentication, and authorization, which is undoubtedly crucial. But they also overestimate their API security and don’t focus much on improving it.

The Price of Hubris ebook has addressed an attacker’s way to hack APIs and what happens when organizations overestimate their API security. Finally, what we should take from this is that API security is as important as securing any other components of the application.

This post was written by Omkar Hiremath. Omkar is a cybersecurity team lead who is enthusiastic about cybersecurity, ethical hacking, and Python. He is keenly interested in bug bounty hunting and vulnerability analysis.