DEV Community


Marcos Henrique

Posted on Apr 19, 2020

How to avoid Insecure Binder Configuration in JAVA

What is API abuse? 😥

An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.

The framework binder used for binding the HTTP request parameters to the model class has not been explicitly configured to allow, or disallow, certain attributes.

Explanation 🤓

To ease development and increase productivity, most modern frameworks allow an object to be automatically instantiated and populated with the HTTP request parameters whose names match an attribute of the class to be bound. Automatic instantiation and population of objects speeds up development, but can lead to serious problems if implemented without caution.

Any attribute in the bound classes, or nested classes, will be automatically bound to the HTTP request parameters. Therefore, malicious users will be able to assign a value to any attribute in bound or nested classes, even if they are not exposed to the client through web forms or API contracts.

The vulnerability 😩

The solution 😊

Jackson provides an annotation that can be used at class level (JsonIgnoreProperties).

So simple, just add @JsonIgnoreProperties(ignoreUnknown = true) before the class.
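As an added example (not the post's own code), here is a request model configured this way and a small check of what Jackson actually binds from a request body. The class and field names are assumptions. `ignoreUnknown = true` is the setting the post describes and governs properties the class does not declare; the `value` list additionally names a declared field that must never be populated from the request, which is the part that matters when the model also carries internal state.

```java
// Added example: explicit Jackson binder configuration for a request model.
// Class and field names are assumptions, not taken from the post.
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

// ignoreUnknown = true : properties the class does not declare are dropped
//                        instead of failing the request (the post's setting).
// value = {"admin"}    : a declared, internal property that is never bound from
//                        JSON even though a setter exists for it.
@JsonIgnoreProperties(value = {"admin"}, ignoreUnknown = true)
public class UserUpdateRequest {
    private String email;
    private String displayName;
    private boolean admin; // internal flag, must only be set by server code

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }

    // Binds a request body and returns the result so the caller can inspect it.
    public static UserUpdateRequest parse(String json) throws Exception {
        return new ObjectMapper().readValue(json, UserUpdateRequest.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body: one legitimate field, one property the class
        // does not declare ("nickname"), and one internal field ("admin").
        String body = "{\"email\":\"a@example.com\",\"nickname\":\"x\",\"admin\":true}";
        UserUpdateRequest r = parse(body);
        System.out.println("email=" + r.getEmail() + " admin=" + r.isAdmin());
    }
}
```

With this configuration the unknown `nickname` property is discarded and the `admin` flag keeps its default of `false`; without the `value` list, `ignoreUnknown = true` alone would still let the request set `admin`, because it is a known property of the class. The per-field alternative is `@JsonProperty(access = JsonProperty.Access.READ_ONLY)` on the internal field, which keeps it in responses but refuses it on input.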

Add the following to the top of your class (not to individual methods):

Top comments (1)

vpatil1311

Hi Marcos, if the model class is used in both POST and PUT calls, how can I prevent certain fields from being SET only in the case of a PUT operation? Thanks, Vinay



Mass Assignment Cheat Sheet

Introduction

Definition

Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program code variables or objects to make using that framework easier on developers. This can sometimes cause harm.

Attackers can sometimes use this mechanism to supply parameters that the developer never intended, which in turn creates or overwrites variables or objects in program code that were never meant to be set from the request.

This is called a Mass Assignment vulnerability.

Alternative Names

Depending on the language/framework in question, this vulnerability can have several alternative names:

  • Mass Assignment: Ruby on Rails, NodeJS.
  • Autobinding: Spring MVC, ASP NET MVC.
  • Object injection: PHP.

Example

Suppose there is a form for editing a user's account information:

Here is the object that the form is binding to:

Here is the controller handling the request:

Here is the typical request:

And here is the exploit in which we set the value of the attribute isAdmin of the instance of the class User:

Exploitability

This functionality becomes exploitable when:

  • Attacker can guess common sensitive fields.
  • Attacker has access to source code and can review the models for sensitive fields.
  • AND the object with sensitive fields has an empty constructor.

GitHub case study

In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. See GitHub's blog post.

Solutions

  • Allow-list the bindable, non-sensitive fields.
  • Block-list the non-bindable, sensitive fields.
  • Use Data Transfer Objects (DTOs).

General Solutions

An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.

Language & Framework specific solutions

Spring MVC

Allow-listing

Take a look here for the documentation.

Block-listing
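The following is an added example, not the cheat sheet's own code, that puts the Spring MVC allow-listing and block-listing described here, and the DTO approach from "General Solutions", next to each other for the User/isAdmin scenario in the Example section. Class names, field names, the request paths and the `loadCurrentUser()` helper are assumptions.

```java
// Added example: Spring MVC binder configuration and a DTO for the User/isAdmin case.
// Class names, field names, paths and loadCurrentUser() are assumptions.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Domain object: it has an empty constructor and a sensitive field, so every
// property with a setter is bindable from the request unless the binder is told otherwise.
class User {
    private String userid;
    private String password;
    private String email;
    private Boolean isAdmin;
    public String getUserid() { return userid; }
    public void setUserid(String v) { userid = v; }
    public String getPassword() { return password; }
    public void setPassword(String v) { password = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }
    public Boolean getIsAdmin() { return isAdmin; }
    public void setIsAdmin(Boolean v) { isAdmin = v; }
}

// DTO: holds only the fields a user is meant to edit, so nothing else can be bound.
class UserEditForm {
    private String password;
    private String email;
    public String getPassword() { return password; }
    public void setPassword(String v) { password = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }
}

@Controller
public class UserController {

    // Allow-listing for the model attribute named "user" in this controller:
    // a request parameter "isAdmin=true" is ignored instead of being bound.
    @InitBinder("user")
    public void restrictBindableFields(WebDataBinder binder) {
        binder.setAllowedFields("userid", "password", "email");
        // Block-listing alternative (weaker: each new sensitive field must be remembered):
        // binder.setDisallowedFields("isAdmin");
    }

    @PostMapping("/user/edit")
    public String editUser(@ModelAttribute("user") User user) {
        // user.getIsAdmin() stays null here whatever the request contained.
        return "redirect:/user";
    }

    // DTO approach: bind the request to UserEditForm, then copy the permitted
    // fields onto the domain object explicitly. The binder never touches User.
    @PostMapping("/user/profile")
    public String editProfile(@ModelAttribute UserEditForm form) {
        User current = loadCurrentUser();
        current.setPassword(form.getPassword());
        current.setEmail(form.getEmail());
        return "redirect:/user";
    }

    // Assumed helper standing in for whatever loads the authenticated user.
    private User loadCurrentUser() { return new User(); }
}
```

`setAllowedFields` and `setDisallowedFields` only govern form and query parameter binding through `WebDataBinder`; a `@RequestBody` JSON payload is bound by the JSON mapper (Jackson by default) and needs that library's own controls. Allow-listing is the safer of the two binder settings because a field added to `User` later is not bindable until someone adds it to the list.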

NodeJS + Mongoose

Ruby On Rails

Django

ASP NET

PHP Laravel + Eloquent

Grails

Play

Jackson (JSON Object Mapper)

Take a look here and here for the documentation.

GSON (JSON Object Mapper)

Take a look here and here for the documentation.

JSON-Lib (JSON Object Mapper)

Flexjson (JSON Object Mapper)

References and future reading

  • Mass Assignment, Rails and You

Mass Assignment in Java

Vulnerable example

GSON is a serialization/deserialization library that allows for convenient and transparent conversion of Java classes to and from their JSON representation, with zero configuration. Developers might be tempted to process user-originated JSON requests with this library to obtain Java objects that will ultimately be passed around in the actual business code. When these intermediate Java objects are also used to hold internal fields, it is easy to forget to implement proper validation mechanisms that prevent a malicious user from mass-assigning an internal field.

Imagine having the following class:

Also imagine that such a class is used like this:

Now assume that the AssetUploadParameters object is created using some user-controlled JSON:

A legitimate JSON object might look like the following:

A malicious user might exploit this vulnerability to obtain an arbitrary file write privilege on the application server, for example with:

There are several ways to prevent these kinds of vulnerabilities. Probably the most straightforward way is to create a separation between the user input and the internal data structure so that no contamination is possible; in this case, individual fields are cherry-picked. This is basically an allow list approach concerning which fields the user can assign. In the above example, this could be implemented as follows:

Alternatively, marking a member as transient has the effect of excluding it from the serialization/deserialization process. For example, using this class in the above example resolves the exposure:

Yet another option is to delegate the allow-list approach to the library. In the case of GSON, see ExclusionStrategy.
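As an added example (not SecureFlag's code), the three options above are shown side by side on one class: cherry-picking fields through a separate input class, marking the internal field `transient`, and delegating the allow list to GSON with `@Expose` or an `ExclusionStrategy`. The class and field names are assumptions; the original `AssetUploadParameters` shown on the page is not reproduced here.

```java
// Added example: hardening GSON deserialization against mass assignment.
// Class and field names are assumptions, not the page's original class.
import com.google.gson.ExclusionStrategy;
import com.google.gson.FieldAttributes;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.annotations.Expose;
import java.util.Set;

public class AssetUploadHardening {

    // Request parameters as the vulnerable code shapes them: a client-supplied
    // field next to an internal one. With a plain `new Gson()`, both bind from JSON.
    static class AssetUploadParameters {
        @Expose String fileName;   // allowed from the client (still needs its own validation)
        String storageDirectory;   // internal: must be set only by server code
        // Marking this field `transient` would exclude it from GSON entirely.
    }

    // Option 1: cherry-pick. Bind to an input class that only has the allowed
    // field, then build the internal object explicitly.
    static class AssetUploadInput { String fileName; }

    static AssetUploadParameters fromUntrusted(String json, String serverDir) {
        AssetUploadInput in = new Gson().fromJson(json, AssetUploadInput.class);
        AssetUploadParameters p = new AssetUploadParameters();
        p.fileName = in.fileName;
        p.storageDirectory = serverDir; // always server-controlled
        return p;
    }

    // Option 2: allow list delegated to the library. Only @Expose fields are
    // read; storageDirectory has no annotation and is therefore never bound.
    static Gson exposeOnlyGson() {
        return new GsonBuilder().excludeFieldsWithoutExposeAnnotation().create();
    }

    // Option 3: ExclusionStrategy applied to deserialization only, so the
    // internal fields are skipped on input but can still be serialized if needed.
    static Gson skipFieldsOnInput(Set<String> internalFields) {
        ExclusionStrategy skipInternal = new ExclusionStrategy() {
            @Override public boolean shouldSkipField(FieldAttributes f) {
                return internalFields.contains(f.getName());
            }
            @Override public boolean shouldSkipClass(Class<?> clazz) { return false; }
        };
        return new GsonBuilder().addDeserializationExclusionStrategy(skipInternal).create();
    }

    public static void main(String[] args) {
        // Constructed request that also tries to set the internal field.
        String json = "{\"fileName\":\"report.pdf\",\"storageDirectory\":\"/not/allowed\"}";

        AssetUploadParameters unsafe = new Gson().fromJson(json, AssetUploadParameters.class);
        AssetUploadParameters a = fromUntrusted(json, "/srv/uploads");
        AssetUploadParameters b = exposeOnlyGson().fromJson(json, AssetUploadParameters.class);
        AssetUploadParameters c = skipFieldsOnInput(Set.of("storageDirectory"))
                .fromJson(json, AssetUploadParameters.class);

        System.out.println("default Gson   : " + unsafe.storageDirectory);
        System.out.println("cherry-picked  : " + a.storageDirectory);
        System.out.println("@Expose only   : " + b.storageDirectory);
        System.out.println("exclusion strat: " + c.storageDirectory);
    }
}
```

Only the default `Gson` instance lets the request populate `storageDirectory`; the cherry-picked object carries the server's directory and the two library-configured mappers leave the field `null`. Of the three, the cherry-pick and `@Expose` forms are allow lists and survive new internal fields being added to the class; the `ExclusionStrategy` as written is a block list and has to be kept in step with the class.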

CWE - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

OWASP - Mass Assignment Cheat Sheet


HatchJS.com

Mass Assignment: How to Protect Your Application from Insecure Binder Configuration

Mass Assignment: An Insecure Binder Configuration

In software development, mass assignment is the act of sending a large number of parameters to a function or method. This can be a useful technique for quickly creating new objects or updating existing ones. However, if not done correctly, mass assignment can also lead to security vulnerabilities.

One common way to implement mass assignment is to use a binder. A binder is a type of object that maps between a set of input parameters and a set of properties on an object. When mass assignment is used with a binder, the binder will automatically set the properties on the object to the corresponding values from the input parameters.

This can be a convenient way to create or update objects, but it can also be dangerous if the binder is not configured correctly. If a binder allows untrusted input, an attacker could use it to inject malicious code into an application. This could lead to a variety of security problems, such as cross-site scripting (XSS), SQL injection, and remote code execution (RCE).

In this article, we will discuss the risks of mass assignment and how to secure binder configurations. We will also provide some examples of how attackers can exploit insecure binder configurations.

By the end of this article, you will be able to:

  • Identify the risks of mass assignment
  • Understand how to secure binder configurations
  • Recognize the signs of an insecure binder configuration

| Name | Description | Example | Vulnerability | Mitigation |
|---|---|---|---|---|
| `allow_all_fields` | Whether or not to allow all fields to be mass assigned. | `allow_all_fields = true` | This is a very insecure setting and should never be used. | Set `allow_all_fields = false`. |
| `whitelist` | A list of fields that are allowed to be mass assigned. | `whitelist = ["name", "email"]` | This is a more secure setting than `allow_all_fields = true`, but it is still possible to mass assign fields that are not in the whitelist. | Make sure the whitelist is as comprehensive as possible. |
| `blacklist` | A list of fields that are not allowed to be mass assigned. | `blacklist = ["password"]` | This is the most secure setting, as it prevents all fields from being mass assigned except for those that are explicitly allowed. | Make sure the blacklist is as comprehensive as possible. |

Mass assignment is a vulnerability that allows an attacker to send a single request to a web application and modify multiple rows of data in a database. This can be done by sending a request with a list of values for each field of a table, or by sending a single value that is used to update multiple rows of data.

Mass assignment is a serious vulnerability because it can allow an attacker to take control of a web application or to steal sensitive data. In this blog post, we will discuss what mass assignment is, how it works, and how to prevent it.

  • What is mass assignment?

Mass assignment is a vulnerability that occurs when a web application allows an attacker to send a single request to update multiple rows of data in a database. This can be done by sending a request with a list of values for each field of a table, or by sending a single value that is used to update multiple rows of data.

For example, consider a web application that allows users to create and manage accounts. If the application is not properly configured, an attacker could send a request to create a new account with a list of usernames and passwords. This would allow the attacker to create multiple accounts with the same username and password, which could then be used to access the application.

Another example would be a web application that allows users to create and manage products. If the application is not properly configured, an attacker could send a request to update the price of all products in the database. This would allow the attacker to change the prices of all products, which could lead to financial loss for the company.

How does insecure binder configuration lead to mass assignment?

In order to prevent mass assignment, web applications typically use a binder to sanitize user input before it is used to update a database. The binder checks the input to make sure that it is in the correct format and that it does not contain any malicious code.

If the binder is not configured correctly, it may allow user input to be passed directly to the database. This could allow an attacker to send a request with a list of values for each field of a table, or with a single value that is used to update multiple rows of data.

How to prevent mass assignment

There are a number of ways to prevent mass assignment. Here are some tips:

  • Use a binder to sanitize user input. A binder is a security mechanism that can be used to prevent mass assignment. The binder checks the input to make sure that it is in the correct format and that it does not contain any malicious code.
  • Limit the number of rows that can be updated in a single request. This will help to prevent an attacker from sending a request to update multiple rows of data.
  • Use role-based access control. This will help to ensure that users only have access to the data that they need to access.
  • Monitor your web application for suspicious activity. This will help you to identify and respond to mass assignment attacks.

Mass assignment is a serious vulnerability that can allow an attacker to take control of a web application or to steal sensitive data. By following the tips in this blog post, you can help to prevent mass assignment and protect your web application from attack.

Additional resources

  • [OWASP Top 10: A1 – Injection](https://owasp.org/www-project-top-ten/2017/A1_Injection)
  • [Preventing Mass Assignment Attacks](https://www.owasp.org/index.php/Preventing_Mass_Assignment_Attacks)
  • [Mass Assignment Attacks: How to Prevent and Mitigate](https://www.cisa.gov/uscert/ncas/tips/ST16-008)

3. What are the risks of insecure binder configuration?

Insecure binder configuration is a serious security vulnerability that can allow attackers to bypass access controls and modify data in a database. This can lead to a variety of serious consequences, including data loss, data corruption, denial of service, and identity theft.

An attacker can use mass assignment to delete data from a database by sending a malicious request that contains a list of record IDs. The binder will then attempt to update each record with the data provided in the request, which could include a delete operation. If the binder is not configured correctly, it may not properly validate the request data and could delete records that the user does not have permission to delete.

Data corruption

An attacker can use mass assignment to modify data in a database by sending a malicious request that contains a list of record IDs and new data values. The binder will then attempt to update each record with the data provided in the request, which could include invalid or malicious data. If the binder is not configured correctly, it may not properly validate the request data and could update records with data that could corrupt the database.

Denial of service

An attacker can use mass assignment to make a web application unavailable by sending a malicious request that contains a large number of record IDs. The binder will then attempt to update each record with the data provided in the request, which could consume a significant amount of resources and slow down or crash the web application.

Identity theft

An attacker can use mass assignment to steal sensitive data, such as usernames, passwords, and credit card numbers, by sending a malicious request that contains a list of record IDs and the data values that they want to steal. The binder will then attempt to update each record with the data provided in the request, which could include the attacker’s own data values. If the binder is not configured correctly, it may not properly validate the request data and could update records with the attacker’s data values, which could then be used to steal the victim’s identity.

4. How can you prevent insecure binder configuration?

There are a number of steps that you can take to prevent insecure binder configuration, including:

  • Use a secure binder library. There are a number of secure binder libraries available that can help you to prevent insecure binder configuration. These libraries typically include features such as input validation, parameter binding, and type checking.
  • Configure the binder correctly. When you configure the binder, you should make sure to set the appropriate security options. For example, you should make sure that the binder only allows trusted users to update data in the database.
  • Sanitize user input before it is used to update a database. Even if you use a secure binder library and configure it correctly, you should still sanitize user input before it is used to update a database. This will help to protect your application from attacks that exploit vulnerabilities in the binder library.
  • Monitor your web application for signs of mass assignment attacks. You should monitor your web application for signs of mass assignment attacks. This can be done by using a security monitoring tool or by manually reviewing your application logs. If you detect any suspicious activity, you should investigate it immediately and take steps to mitigate the threat.

By following these steps, you can help to prevent insecure binder configuration and protect your web application from a variety of serious security vulnerabilities.

Q: What is mass assignment?

A: Mass assignment is a security vulnerability that occurs when an application allows an attacker to send a single request that sets multiple properties of an object. This can be exploited to create new users, modify existing users, or delete users.

Q: What is an insecure binder configuration?

A: An insecure binder configuration is a configuration that allows mass assignment to occur. This can happen when a developer forgets to add the `attr` or `only` parameters to a `Form::model()` or `Form::create()` call.

Q: What are the risks of mass assignment?

A: Mass assignment can allow an attacker to do the following:

  • Create new users with administrator privileges
  • Modify existing user accounts
  • Delete user accounts
  • Read sensitive data from user accounts

Q: How can I protect my application from mass assignment?

A: There are a few things you can do to protect your application from mass assignment:

  • Use the `attr` or `only` parameters to restrict the properties that can be mass assigned.
  • Use the `csrf_field()` helper to protect against cross-site request forgery (CSRF) attacks.
  • Use a framework that has built-in protection against mass assignment.

Q: What are some additional resources on mass assignment?

  • [Laravel’s documentation on mass assignment](https://laravel.com/docs/8.x/securitymass-assignment)
  • [The PHP Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/PHP_Security_Cheat_Sheet.html)
  • [OWASP’s Top 10 Most Critical Web Application Security Risks](https://owasp.org/www-project-top-ten/)

In this blog post, we discussed the security risks of mass assignment and how to secure your application against it. We covered the following topics:

  • How does mass assignment work?
  • What are the security risks of mass assignment?
  • How to secure your application against mass assignment

We hope that this blog post has helped you to understand the security risks of mass assignment and how to secure your application against it. If you have any questions or feedback, please feel free to contact us.

Key takeaways:

  • Mass assignment is a vulnerability that allows an attacker to send arbitrary data to a server-side application.
  • Mass assignment can be exploited to inject malicious code into a server-side application, which can lead to a variety of security breaches.
  • To secure your application against mass assignment, you should use a whitelist of allowed fields and use input validation to ensure that all data is properly sanitized.

