User:Apshukla/sandbox

From Wikipedia, the free encyclopedia

The phrase mass assignment[1] refers to assigning values to multiple attributes in a single operation. Software frameworks make developers' lives easier, but this convenience brings problems that the developer does not intend. Frameworks use an Object Relational Mapping (ORM) tool to convert data between different types, and if the framework does not have a strong mechanism to protect the fields of a class (the types of data), those fields become easily exploitable by attackers. These frameworks allow developers to bind HTTP request parameters to objects, which lets the data be manipulated externally. The HTTP request carries the parameters that are used to create or manipulate objects in the application program.

Mass assignment is a feature available in frameworks like Ruby on Rails that allows multiple object attributes to be modified at once using a modified URL. This saves a substantial amount of work for developers, as they need not set each value individually. Passing a hash to the new method, or assigning a hash value with assign_attributes, sets the model’s attributes to the values in the hash.

Threats

With mass assignment, an attacker can manipulate the data in various ways. The attacker can send tags that make him an admin of the web application and assign various permissions that would otherwise be forbidden. This is called a mass assignment vulnerability. The term covers the security breaches that can be carried out using mass assignment.

Protection Methods

We can make some changes in the Active Record models to protect our data.

  1. Using attr_protected:[2] We specify the attributes that need to be protected. If the user attempts mass assignment, the user gets an error page that says Mass Assignment Security error. Otherwise, the attribute value is not changed. This is also called blacklisting[3]. With this method, keeping track of all the attributes we want to protect is sometimes difficult.
  2. Using attr_accessible: Here we list the attributes that are accessible to everyone and need not be protected. This is easier to manage, because the attributes that can be mass-assigned are explicitly selected. All others are considered protected. This is sometimes referred to as whitelisting[4].
  3. Sanitize method: Another configuration that helps avoid mass assignment problems is the mass assignment sanitizer. This is a method called sanitize[5]. It filters the incoming requests and makes sure they contain no malicious tags. It allows only those tags that are whitelisted by the user.
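The difference between leaving attributes unprotected, blacklisting and whitelisting can be seen in a plain-Ruby model. This is an added example, not Rails or Active Record code: the User class, the mass_assign method and the PROTECTED and ACCESSIBLE lists are hypothetical stand-ins for the attr_protected and attr_accessible ideas, and the request parameters are constructed.

```ruby
# Plain-Ruby model of mass assignment (illustrative only, not ActiveRecord).
class User
  # :role stands for an attribute added later, after the blacklist was written.
  attr_accessor :name, :email, :admin, :role

  PROTECTED  = %i[admin].freeze       # blacklist (the attr_protected idea)
  ACCESSIBLE = %i[name email].freeze  # whitelist (the attr_accessible idea)

  def initialize
    @admin = false
    @role  = "member"
  end

  # mode is :none, :blacklist or :whitelist. Returns the rejected keys.
  def mass_assign(params, mode)
    rejected = []
    params.each do |key, value|
      field = key.to_sym
      allowed = case mode
                when :none      then true
                when :blacklist then !PROTECTED.include?(field)
                when :whitelist then ACCESSIBLE.include?(field)
                else raise ArgumentError, "unknown mode #{mode}"
                end
      if allowed && respond_to?("#{field}=")
        public_send("#{field}=", value)  # one setter call per request key
      else
        rejected << field
      end
    end
    rejected
  end
end

# Constructed request parameters: two form fields plus two the form never offered.
PARAMS = { "name" => "mallory", "email" => "m@example.test",
           "admin" => true, "role" => "owner" }.freeze

# Applies PARAMS to a fresh user and reports the privilege-relevant state.
def outcome(mode)
  user = User.new
  rejected = user.mass_assign(PARAMS, mode)
  { admin: user.admin, role: user.role, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  %i[none blacklist whitelist].each { |mode| puts "#{mode}: #{outcome(mode)}" }
end
```

The blacklist run blocks admin but still lets role through, because nobody added the new attribute to the protected list; the whitelist run rejects both.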

GitHub was hacked in 2012 by exploiting mass assignment protection.[6] Homakov, who attacked GitHub, gained private access to Rails by replacing his SSH key with the SSH key of one of the members of Rails on GitHub.

References
