Exploiting Mass Assignment Vulnerability

Gupta Bless
4 min read · Jul 17, 2021

What is Mass Assignment?

Mass assignment happens when a framework automatically binds HTTP request parameters to the properties of a server-side object in order to save the developer work. An attacker who sees a property name in a response can add that parameter to a request; because binding is automatic, the server accepts it and the attacker can modify state on the server as well. This overwrites existing attributes or creates new ones that the user is not authorized to set, and so the attacker escalates his privileges.

This functionality was introduced to remove the friction of manual parameter handling, but when it is implemented without a whitelist of the parameters that may be bound it turns into a vulnerability. Different frameworks know it by different names, such as “Auto binding” in Spring MVC and ASP.NET MVC and “Object Injection” in PHP.

It can be used to carry out an access control attack in which the attacker modifies parameters or adds new ones to escalate his privileges, and so gains access to another user’s data that he is not authorized to see. The application uses predefined parameters to define the user’s access control, and these…
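As an added illustration (not the article's own code), the following Python shows the auto-binding behaviour described above next to an allowlist-based binder; the User model, the PROFILE_UPDATABLE set and the request body are constructed for this example.

```python
# Added example, not from the article: naive parameter binding versus an
# allowlist-based binder, demonstrated on a constructed profile update.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False   # authorization attribute; must never be client-controlled

# Whitelist of fields a user may change on their own profile (constructed for the example).
PROFILE_UPDATABLE = frozenset({"username", "email"})

def bind_unsafe(user: User, params: Dict[str, object]) -> User:
    """Auto-binding as many frameworks do by default: every request parameter
    whose name matches a model attribute is written straight through."""
    for name, value in params.items():
        if hasattr(user, name):
            setattr(user, name, value)
    return user

def bind_allowlisted(user: User, params: Dict[str, object]) -> Tuple[User, List[str]]:
    """Bind only whitelisted fields; return the rejected names so they can be logged."""
    rejected: List[str] = []
    for name, value in params.items():
        if name in PROFILE_UPDATABLE:
            setattr(user, name, value)
        else:
            rejected.append(name)
    return user, rejected

# Constructed request body: a legitimate e-mail change plus one extra parameter
# copied from a property name the client saw in an earlier response.
REQUEST_PARAMS = {"email": "alice@example.test", "is_admin": True}

def demo_unsafe() -> bool:
    """Returns the is_admin flag after naive binding (True: privilege escalated)."""
    u = bind_unsafe(User("alice", "old@example.test"), REQUEST_PARAMS)
    return u.is_admin

def demo_allowlisted() -> Tuple[bool, str, List[str]]:
    """Returns (is_admin, email, rejected) after allowlisted binding."""
    u, rejected = bind_allowlisted(User("alice", "old@example.test"), REQUEST_PARAMS)
    return u.is_admin, u.email, rejected

if __name__ == "__main__":
    print("unsafe binding  ->", demo_unsafe())
    print("allowlisted     ->", demo_allowlisted())
```

Logging the rejected names is worthwhile: a request carrying attributes outside the whitelist is a useful detection signal for this class of probing.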
