
Mass Assignment

Description

We sent a payload containing extra properties related to RBAC (role-type attributes) and the server accepted them. This indicates that the request body is bound to the object without an allow-list of permitted properties, so privileged properties can be forced into the object by any client.

Remediation

You must validate all objects and all their properties, even when not documented in the API.

REST Specific

ASP.NET

In ASP.NET, use view models with only the properties you want to update and validate the model state before processing it.

Ruby on Rails

In Ruby on Rails, use strong parameters to whitelist attributes that can be mass-assigned.

Next.js

In Next.js, ensure that API routes validate the incoming data and only process the expected fields.

Laravel

In Laravel, use the $fillable or $guarded properties in your model to define which attributes are mass-assignable.

Express.js

In Express.js, use middleware to validate and sanitize the request body before processing it.

Django

In Django, use forms or serializers to explicitly define and validate the fields that should be accepted from the request.

Symfony

In Symfony, use form classes to define the allowed fields and validate the data before processing it.

Spring Boot

In Spring Boot, use DTOs (Data Transfer Objects) to define the fields that should be bound from the request body and validate them using annotations.

Flask

In Flask, use request parsing libraries like Marshmallow to define schemas and validate the incoming data.
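The remediation above is the same in every framework: declare the fields a request may set, and bind nothing else. The following is an added example (not the scanner's code and not taken from Django, Flask or Marshmallow) that shows the vulnerable binding pattern this check flags next to an allow-list binder built from the standard library only, so it runs without any web framework installed. The `User` model, the field names and the request body are constructed for the demonstration; the two policies shown (reject unknown fields, or drop them) correspond to what a strict serializer or a Rails `permit` call do for you.

```python
"""Allow-list binding of an untrusted JSON body (added example, stdlib only).

The `User` model, USER_UPDATE_SCHEMA and MALICIOUS_BODY are constructed for this
demonstration; they are not part of any real project.
"""
from dataclasses import dataclass
import json


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "member"      # privileged attribute: must never come from the client
    is_admin: bool = False    # same


def unsafe_bind(user: User, body: dict) -> User:
    """The vulnerable pattern the check detects: every key in the body is
    written onto the model, so a client-supplied `role` or `is_admin` sticks."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


# Explicit allow-list: field name -> expected type. Nothing outside it is bound,
# whether or not the extra property is documented in the API.
USER_UPDATE_SCHEMA = {
    "email": str,
    "display_name": str,
}


class ValidationError(ValueError):
    pass


def validate_user_update(body: dict, strict: bool = True) -> dict:
    """Return a cleaned dict holding only declared fields of the declared type.

    strict=True  -> undeclared keys are an error (the client is told that
                    `role` is not an accepted field).
    strict=False -> undeclared keys are silently dropped (strong-parameters style).
    """
    if not isinstance(body, dict):
        raise ValidationError("request body must be a JSON object")
    unknown = sorted(set(body) - set(USER_UPDATE_SCHEMA))
    if unknown and strict:
        raise ValidationError(f"unexpected fields: {unknown}")
    cleaned = {}
    for name, expected in USER_UPDATE_SCHEMA.items():
        if name not in body:
            continue                      # partial updates are allowed
        value = body[name]
        # bool is a subclass of int in Python; compare the exact type
        if type(value) is not expected:
            raise ValidationError(f"field {name!r} must be {expected.__name__}")
        cleaned[name] = value
    return cleaned


def safe_bind(user: User, body: dict, strict: bool = True) -> User:
    """Bind only validated, allow-listed fields onto the model."""
    for name, value in validate_user_update(body, strict).items():
        setattr(user, name, value)
    return user


# Constructed request body of the kind this check sends: one legitimate field
# plus RBAC properties that a client must not be able to set.
MALICIOUS_BODY = json.loads(
    '{"display_name": "mallory", "role": "admin", "is_admin": true}'
)


def demo() -> dict:
    """Run both binders on the same body and report what ended up on the model."""
    vulnerable = unsafe_bind(User(1, "m@example.test", "m"), dict(MALICIOUS_BODY))
    try:
        safe_bind(User(1, "m@example.test", "m"), dict(MALICIOUS_BODY))
        strict_rejected = False
    except ValidationError:
        strict_rejected = True
    lenient = safe_bind(User(1, "m@example.test", "m"), dict(MALICIOUS_BODY), strict=False)
    return {
        "vulnerable_role": vulnerable.role,             # "admin": privilege escalated
        "strict_rejected": strict_rejected,             # True: request refused
        "lenient_role": lenient.role,                   # "member": extra keys dropped
        "lenient_display_name": lenient.display_name,   # "mallory": allowed field kept
    }


if __name__ == "__main__":
    print(demo())
```

Prefer the strict policy for JSON APIs: rejecting unknown fields with a 400 makes the scanner's probe (and any real attacker's) visibly fail, whereas silently dropping them can mask a client bug. Whichever policy you choose, the allow-list must live on the server side and cover every write path, not only the documented one.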

Nuxt

In Nuxt.js, ensure that API endpoints validate the incoming data and only process the expected fields.

Configuration

Identifier: injection/mass_assignment

Examples

Ignore this check

{
  "checks": {
    "injection/mass_assignment": {
      "skip": true
    }
  }
}

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API1:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6.1
  • psd2: Article-95
  • iso27001: A.18.1.3
  • nist: SP800-53-AC-6
  • fedramp: AC-6

Classification

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • CVSS_SCORE: 9.3