API6:2019 - Mass Assignment is one of the top 10 API security risks identified by OWASP (Open Web Application Security Project). This vulnerability occurs when an API endpoint automatically converts client parameters into internal object properties without considering the sensitivity and exposure level of those properties. Attackers can exploit this vulnerability to update or overwrite sensitive object properties that the developers never intended to expose.
API6:2019 - Mass Assignment is a security weakness that can lead to various impacts such as privilege escalation, data tampering, bypass of security mechanisms, and more. Exploitation of this vulnerability is easier in APIs as they expose the underlying implementation of the application along with the properties' names. Modern frameworks often encourage developers to use functions that automatically bind input from the client into code variables and internal objects, making it easier for attackers to manipulate sensitive object properties.
To prevent the API6:2019 - Mass Assignment vulnerability, developers can take the following measures:
- Avoid using functions that automatically bind a client's input into code variables or internal objects.
- Whitelist only the properties that should be updated by the client.
- Use built-in features to blacklist properties that should not be accessed by clients.
- If applicable, explicitly define and enforce schemas for the input data payloads.
Scenario #1: Ride-Sharing Application: In this scenario, a ride-sharing application allows users to edit their basic information through an API call. However, the API endpoint is vulnerable to mass assignment. An attacker exploits this vulnerability by replaying a legitimate API call with a modified payload, allowing them to receive credits without paying.
Scenario #2: Video Sharing Portal: In this scenario, a video sharing portal has an API endpoint that allows users to upload and download content in different formats. The endpoint is vulnerable to mass assignment. An attacker manipulates the video object's properties, including a malicious value in one of them. Once the attacker downloads the video, a shell command injection occurs.
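The following is an added example, not code from the OWASP document, illustrating both the prevention measures above and Scenario #1: a profile-update handler that binds every client-supplied key onto the user object (mass assignment) beside one that copies only allow-listed, type-checked properties and rejects anything else. The User model, its field names, and the `credit_balance` field used to stand in for the ride-sharing credits are constructed assumptions for illustration.

```python
"""Mass assignment: a vulnerable update handler beside an allow-listed one.

Constructed example. The User model, its field names, and the
`credit_balance` field are assumptions for illustration only.
"""
from dataclasses import dataclass, fields


@dataclass
class User:
    id: int
    display_name: str
    email: str
    credit_balance: int = 0   # sensitive: should only change via billing logic
    is_admin: bool = False    # sensitive: privilege flag


# Names of every attribute on the model; mimics a framework's auto-binding.
MODEL_FIELDS = {f.name for f in fields(User)}


def update_profile_vulnerable(user: User, payload: dict) -> User:
    """Binds each client-supplied key that matches a model attribute (mass assignment).

    Nothing distinguishes display_name from credit_balance, so a replayed
    request carrying an extra field silently overwrites a sensitive property.
    """
    for key, value in payload.items():
        if key in MODEL_FIELDS:
            setattr(user, key, value)
    return user


# Allowlist (explicit schema): the only properties a client may change,
# each with the type it must have.
PROFILE_SCHEMA = {
    "display_name": str,
    "email": str,
}


class ValidationError(ValueError):
    """Raised when a payload carries unexpected or mistyped properties."""


def update_profile_safe(user: User, payload: dict) -> User:
    """Copies only allow-listed, type-checked fields; rejects anything else.

    Rejecting (rather than silently dropping) unknown keys makes tampering
    attempts visible in error logs instead of hiding them.
    """
    unknown = set(payload) - set(PROFILE_SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected properties: {sorted(unknown)}")
    for key, expected_type in PROFILE_SCHEMA.items():
        if key in payload:
            value = payload[key]
            if not isinstance(value, expected_type):
                raise ValidationError(f"{key}: expected {expected_type.__name__}")
            setattr(user, key, value)
    return user


def demo() -> tuple:
    """Runs both handlers on a legitimate payload replayed with an extra field.

    Returns (credit_balance after the vulnerable update, whether the safe
    handler rejected the tampered payload).
    """
    legit = {"display_name": "Alice", "email": "alice@example.com"}
    tampered = dict(legit, credit_balance=1000)  # constructed replay with extra field
    u1 = update_profile_vulnerable(User(1, "A", "a@example.com"), tampered)
    try:
        update_profile_safe(User(2, "B", "b@example.com"), tampered)
        rejected = False
    except ValidationError:
        rejected = True
    return u1.credit_balance, rejected


if __name__ == "__main__":
    print(demo())  # (1000, True)
```

The safe handler enforces a schema in the sense the prevention list describes: the set of writable properties is defined once, in one place, and the object model's own attribute list never decides what a client may change. Logging the ValidationError with the offending property names gives operations a cheap signal that someone is probing the endpoint.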