Rarely talked about, this is an interesting vulnerability.
In 2012, GitHub faced a significant Mass Assignment vulnerability. An attacker discovered that GitHub’s enterprise system allowed users to set arbitrary parameters, including the admin flag, during account creation.
The attacker exploited this by including the admin parameter in the account registration request, granting themselves administrative privileges. The hypothetical scenario could look like this:
POST /signup HTTP/1.1
Host: github.com
Content-Type: application/json

{
  "username": "attacker",
  "password": "password123",
  "email": "[email protected]",
  "admin": true
}
By including the "admin": true parameter in the signup request, the attacker could create an account with administrative privileges.
What is Mass Assignment?
Imagine you have an online form where users can sign up for an account. The form asks for details like:
- Username
- Password
When a user fills out this form and submits it, the website needs to take this information and create a new user account.
The Problem
Sometimes, developers write code that automatically takes all the information from the form and puts it directly into the user account without checking each piece of information carefully. This is called “mass assignment.”
How it Becomes a Vulnerability
If the form or the underlying system isn’t carefully designed, a clever attacker can add extra information to the form that wasn’t supposed to be there. For example, they might add a hidden field that says:
isAdmin: true
If the website doesn’t check this extra information and just automatically assigns it to the new user account, the attacker could create an account with admin privileges. This means they now have special access and control over the website that they shouldn’t have.
Simple Example
Let’s say you have a form like this:
<form action="/register" method="POST">
  <input type="text" name="username" placeholder="Username">
  <input type="email" name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <button type="submit">Sign Up</button>
</form>
An attacker might modify the form (using their browser’s developer tools) to include an extra field:
<form action="/register" method="POST">
  <input type="text" name="username" placeholder="Username">
  <input type="email" name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <input type="hidden" name="isAdmin" value="true">
  <button type="submit">Sign Up</button>
</form>
If the server doesn’t check for this extra field and just creates the user account with whatever data is provided, the attacker now has an admin account.
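To show what "checking for the extra field" means on the server, here is an added example (not from the original post, and not GitHub's code) that binds the submitted form to a User object in two ways: the mass-assignment style that copies every key, and an allowlist version that binds only the expected fields and reports anything else so it can be logged. The User class, the SIGNUP_FIELDS allowlist and the sample form data are all constructed for this illustration.

```python
from dataclasses import dataclass

# Constructed sample request body, mirroring the tampered form above:
# the client has added an isAdmin field it was never supposed to send.
TAMPERED_SIGNUP = {
    "username": "attacker",
    "email": "attacker@example.invalid",
    "password": "password123",
    "isAdmin": True,
}

@dataclass
class User:
    username: str
    email: str
    password: str
    isAdmin: bool = False  # must only ever be set by server-side logic

# Fields a client is allowed to supply at registration (hypothetical allowlist).
SIGNUP_FIELDS = ("username", "email", "password")


def create_user_vulnerable(form: dict) -> User:
    """Mass assignment: every submitted key is copied onto the new user,
    so a client-supplied isAdmin silently overrides the safe default."""
    user = User(username="", email="", password="")
    for key, value in form.items():
        setattr(user, key, value)
    return user


def create_user_safe(form: dict) -> tuple[User, list[str]]:
    """Binds only allowlisted keys. Returns the user plus the list of
    ignored keys, which the caller should log: unexpected fields in a
    signup request are a useful tampering signal."""
    missing = [k for k in SIGNUP_FIELDS if k not in form]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    ignored = sorted(set(form) - set(SIGNUP_FIELDS))
    user = User(**{k: form[k] for k in SIGNUP_FIELDS})
    return user, ignored


if __name__ == "__main__":
    print("vulnerable:", create_user_vulnerable(TAMPERED_SIGNUP))
    safe_user, dropped = create_user_safe(TAMPERED_SIGNUP)
    print("safe:", safe_user, "ignored keys:", dropped)
```

The same allowlist idea is what Rails calls strong parameters and what other frameworks implement as explicit DTOs or schema validation; the point is that the server, not the client, decides which fields are bindable.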