{"id":1366,"date":"2024-07-16T22:19:48","date_gmt":"2024-07-16T22:19:48","guid":{"rendered":"https:\/\/hacking.cool\/?p=1366"},"modified":"2024-07-16T22:19:48","modified_gmt":"2024-07-16T22:19:48","slug":"mass-assignment-vulnerabilities","status":"publish","type":"post","link":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/","title":{"rendered":"Mass Assignment Vulnerabilities"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803-1-1024x585.webp\" alt=\"\" class=\"wp-image-1371\" srcset=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803-1-1024x585.webp 1024w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803-1-300x171.webp 300w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803-1-768x439.webp 768w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803-1-1536x878.webp 1536w, https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803-1.webp 1792w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>Rarely talked about, this is an interesting vulnerability.<\/p>\n\n\n\n<p>The best-known real-world case dates from March 2012, when security researcher Egor Homakov demonstrated a mass assignment flaw in GitHub, which is built on Ruby on Rails. The form for adding an SSH public key to an account posted the key&#8217;s attributes as nested <code>public_key[...]<\/code> parameters, and the server assigned every submitted attribute straight onto the model. By adding a <code>public_key[user_id]<\/code> parameter set to another user&#8217;s ID, he attached his own key to that account and used the access to push a commit to the <code>rails\/rails<\/code> repository.<\/p>\n\n\n\n<p>Nothing in that technique is specific to SSH keys: any attribute the model has and the developer forgot to protect, such as a role or an <code>admin<\/code> flag, can be set the same way. 
An illustrative signup request (hypothetical, not GitHub&#8217;s actual endpoint) could look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/signup HTTP\/1.1\nHost: example.com\nContent-Type: application\/json\n\n{\n    \"username\": \"attacker\",\n    \"password\": \"password123\",\n    \"email\": \"attacker@example.com\",\n    <strong>\"admin\": true<\/strong>\n}<\/code><\/pre>\n\n\n\n<p>The signup page never offers an <code>admin<\/code> field, but the server sees only the JSON body. If it copies every key of that body onto the new user record, the attacker ends up with an administrative account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is Mass Assignment?<\/h3>\n\n\n\n<p>Imagine you have an online form where users can sign up for an account. The form asks for details like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Username<\/li>\n\n\n\n<li>Email<\/li>\n\n\n\n<li>Password<\/li>\n<\/ul>\n\n\n\n<p>When a user fills out this form and submits it, the server has to take those values and create a new user account from them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Problem<\/h3>\n\n\n\n<p>Most web frameworks can bind a whole request to a model object in one call, copying each submitted parameter onto the attribute of the same name. That convenience is called &#8220;mass assignment.&#8221; It becomes a bug when the code binds every parameter the client sent instead of only the fields the form was meant to collect, because then the client, not the developer, decides which attributes get written.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How it Becomes a Vulnerability<\/h3>\n\n\n\n<p>If the server binds parameters without an allowlist, an attacker can add extra parameters that the form never exposed. For example, they might add a hidden field that says:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>isAdmin: true<\/code><\/li>\n<\/ul>\n\n\n\n<p>The name only has to match an attribute on the model, and attribute names are easy to guess from the application&#8217;s own pages, API responses or public source code. If the website doesn&#8217;t check this extra information and just assigns it to the new user account, the attacker could create an account with admin privileges. 
This means they now have special access and control over the website that they shouldn&#8217;t have.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Simple Example<\/h3>\n\n\n\n<p>Let&#8217;s say you have a form like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;form action=\"\/register\" method=\"POST\">\n  &lt;input type=\"text\" name=\"username\" placeholder=\"Username\">\n  &lt;input type=\"email\" name=\"email\" placeholder=\"Email\">\n  &lt;input type=\"password\" name=\"password\" placeholder=\"Password\">\n  &lt;button type=\"submit\">Sign Up&lt;\/button>\n&lt;\/form>\n<\/code><\/pre>\n\n\n\n<p>An attacker might modify the form (using their browser&#8217;s developer tools, or by editing the request in an intercepting proxy) to include an extra field:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;form action=\"\/register\" method=\"POST\">\n  &lt;input type=\"text\" name=\"username\" placeholder=\"Username\">\n  &lt;input type=\"email\" name=\"email\" placeholder=\"Email\">\n  &lt;input type=\"password\" name=\"password\" placeholder=\"Password\">\n  &lt;input type=\"hidden\" name=\"isAdmin\" value=\"true\">\n  &lt;button type=\"submit\">Sign Up&lt;\/button>\n&lt;\/form>\n<\/code><\/pre>\n\n\n\n<p>If the server doesn&#8217;t check for this extra field and just creates the user account with whatever data is provided, the attacker now has an admin account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Fix<\/h3>\n\n\n\n<p>Bind only an explicit allowlist of client-settable fields (Rails strong parameters, a request DTO, or a hand-written copy of the named fields), drop or reject everything else, and set privileged attributes such as <code>isAdmin<\/code> only from server-side code paths. Denylisting known-dangerous names is not enough, because the list goes stale every time the model gains an attribute.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rarely talked about, this is an interesting vulnerability.<span class=\"post-excerpt-end\">&hellip;<\/span><\/p>\n<p class=\"more-link\"><a href=\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/\" class=\"themebutton\">Read More<\/a><\/p>\n","protected":false},"author":3,"featured_media":1370,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1366","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mass Assignment Vulnerabilities - hacking.cool<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Mass Assignment Vulnerabilities - hacking.cool\" \/>\n<meta property=\"og:description\" content=\"Rarely talked about, this is an interesting vulnerability.&hellip;Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/\" \/>\n<meta property=\"og:site_name\" content=\"hacking.cool\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-16T22:19:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1792\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Atom\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Atom\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\",\"url\":\"https:\/\/hacking.cool\/atomanya\/\",\"name\":\"hacking.cool\",\"description\":\"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/#primaryimage\",\"url\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803.webp\",\"contentUrl\":\"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803.webp\",\"width\":1792,\"height\":1024},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/\",\"url\":\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/\",\"name\":\"Mass Assignment Vulnerabilities - 
hacking.cool\",\"isPartOf\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/#primaryimage\"},\"datePublished\":\"2024-07-16T22:19:48+00:00\",\"dateModified\":\"2024-07-16T22:19:48+00:00\",\"author\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2\"},\"breadcrumb\":{\"@id\":\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/hacking.cool\/atomanya\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mass Assignment Vulnerabilities\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2\",\"name\":\"Atom\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g\",\"caption\":\"Atom\"},\"url\":\"https:\/\/hacking.cool\/atomanya\/author\/atom\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Mass Assignment Vulnerabilities - hacking.cool","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/","og_locale":"en_US","og_type":"article","og_title":"Mass Assignment Vulnerabilities - hacking.cool","og_description":"Rarely talked about, this is an interesting vulnerability.&hellip;Read More","og_url":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/","og_site_name":"hacking.cool","article_published_time":"2024-07-16T22:19:48+00:00","og_image":[{"width":1792,"height":1024,"url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803.webp","type":"image\/webp"}],"author":"Atom","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Atom","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/hacking.cool\/atomanya\/#website","url":"https:\/\/hacking.cool\/atomanya\/","name":"hacking.cool","description":"is the hacking school \ud83d\udc69\ud83c\udffb\u200d\ud83d\udcbb\ud83e\uddd1\ud83c\udffb\u200d\ud83d\udcbb\ud83d\uddfa\ud83d\udcda\ud83d\udcd6","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hacking.cool\/atomanya\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/#primaryimage","url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803.webp","contentUrl":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803.webp","width":1792,"height":1024},{"@type":"WebPage","@id":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/","url":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/","name":"Mass Assignment Vulnerabilities - 
hacking.cool","isPartOf":{"@id":"https:\/\/hacking.cool\/atomanya\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/#primaryimage"},"datePublished":"2024-07-16T22:19:48+00:00","dateModified":"2024-07-16T22:19:48+00:00","author":{"@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2"},"breadcrumb":{"@id":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hacking.cool\/atomanya\/mass-assignment-vulnerabilities\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hacking.cool\/atomanya\/"},{"@type":"ListItem","position":2,"name":"Mass Assignment Vulnerabilities"}]},{"@type":"Person","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/804a839cfa61d89d69fb2cf1d2f0adc2","name":"Atom","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hacking.cool\/atomanya\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ac4d05ec7d617e7f2dee5855900a855a?s=96&d=mm&r=g","caption":"Atom"},"url":"https:\/\/hacking.cool\/atomanya\/author\/atom\/"}]}},"jetpack_featured_media_url":"https:\/\/hacking.cool\/atomanya\/wp-content\/uploads\/2024\/07\/0a83f4cc-ea69-4ced-b826-e658f929e803.webp","_links":{"self":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/1366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embed
dable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/comments?post=1366"}],"version-history":[{"count":4,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/1366\/revisions"}],"predecessor-version":[{"id":1372,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/posts\/1366\/revisions\/1372"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media\/1370"}],"wp:attachment":[{"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/media?parent=1366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/categories?post=1366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacking.cool\/atomanya\/wp-json\/wp\/v2\/tags?post=1366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
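As an added example that is not part of the original post, and not GitHub's or Rails's own code, here is the binding step behind a mass assignment bug written in plain Ruby, vulnerable and hardened side by side. It covers the post's hypothetical signup request (an injected admin flag) and also the shape of the 2012 GitHub incident, which was a Rails application accepting an injected user_id on an SSH public key record. Every class, field, ID and request body below is constructed for the demo.

```ruby
# Added example, not code from the original post or from GitHub/Rails:
# a plain-Ruby model of the binding step that Rails-style mass assignment
# performs, in vulnerable and hardened forms, applied to two cases.
# All class, field and method names here are hypothetical.
require 'json'

class User
  attr_accessor :username, :email, :password, :admin
  def initialize
    @admin = false # safe default; only server-side code should ever flip it
  end
end

class PublicKey
  attr_accessor :title, :key, :user_id
end

class UnpermittedParameter < StandardError; end

# Vulnerable binder: copies every submitted parameter onto the model when a
# matching setter exists. The client decides which attributes get written.
def bind_all(model, params)
  params.each do |name, value|
    setter = "#{name}="
    model.public_send(setter, value) if model.respond_to?(setter)
  end
  model
end

# Hardened binder: only names in the allowlist are copied, and any other
# name raises instead of being dropped silently, so a probe for admin,
# is_admin or user_id shows up in the error logs.
def bind_permitted(model, params, permitted)
  extra = params.keys.map(&:to_s) - permitted
  raise UnpermittedParameter, "unpermitted parameters: #{extra.join(', ')}" unless extra.empty?
  permitted.each do |name|
    model.public_send("#{name}=", params[name]) if params.key?(name)
  end
  model
end

SIGNUP_FIELDS     = %w[username email password].freeze
PUBLIC_KEY_FIELDS = %w[title key].freeze

# Case 1: the signup request with an injected privilege flag.
def signup_vulnerable(params)
  bind_all(User.new, params)
end

def signup_hardened(params)
  bind_permitted(User.new, params, SIGNUP_FIELDS)
end

# Case 2: adding an SSH key with an injected foreign key. Ownership is set
# from the session first (what an association build does); the vulnerable
# version then lets the request body overwrite it.
def add_public_key_vulnerable(params, current_user_id)
  key = PublicKey.new
  key.user_id = current_user_id
  bind_all(key, params)
end

def add_public_key_hardened(params, current_user_id)
  key = bind_permitted(PublicKey.new, params, PUBLIC_KEY_FIELDS)
  key.user_id = current_user_id # ownership comes from the session, never the body
  key
end

# Constructed IDs and request bodies for the demo (not real captures).
ATTACKER_USER_ID = 9001 # hypothetical ID behind the attacker's session
VICTIM_USER_ID   = 4223 # hypothetical ID of the account being targeted
ATTACKER_SIGNUP = JSON.parse(
  '{"username":"attacker","password":"password123","email":"attacker@example.com","admin":true}'
)
ATTACKER_KEY = { 'title' => 'laptop', 'key' => 'ssh-ed25519 AAAAC3...', 'user_id' => VICTIM_USER_ID }

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable signup admin? #{signup_vulnerable(ATTACKER_SIGNUP).admin}"
  puts "vulnerable key owner:    #{add_public_key_vulnerable(ATTACKER_KEY, ATTACKER_USER_ID).user_id}"
  [-> { signup_hardened(ATTACKER_SIGNUP) },
   -> { add_public_key_hardened(ATTACKER_KEY, ATTACKER_USER_ID) }].each do |attempt|
    begin
      attempt.call
    rescue UnpermittedParameter => e
      puts "hardened: rejected (#{e.message})"
    end
  end
end
```

Raising on unknown parameters is a deliberate choice in this example: a silently dropped admin or user_id leaves no trace, while a rejected request is a detection signal. Rails strong parameters log and drop unpermitted keys by default, and can be made to raise instead with config.action_controller.action_on_unpermitted_parameters = :raise.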