crAPI: Mass Assignment
Today we will talk about OWASP API:06, "Mass Assignment". To optimize and accelerate development, application frameworks encourage developers to use functions that automatically map the user input present in HTTP requests onto internal objects. This convenience can sometimes cause harm.
An attacker can abuse this behaviour to introduce a request parameter that was never intended to be client-writable, and subsequently exploit it to break the application's business logic. For example, suppose that when enrolling as a normal user, the user notices a parameter in the server response such as isAdmin:false. The user repeats the registration request, but this time includes isAdmin:true in it; the application accepts the registration request and grants the user administrator privileges.
crAPI has a shop feature that enables users to order things for their vehicles. Each user has a credit balance, and if they have a problem with the goods, they can return them to the shop. The application generates a QR code, which the user can show at a UPS shop to get an immediate refund to their credit balance. We will bypass the application logic by obtaining a refund for an item that we never returned. Let's have a look at the attack in detail.
1. Authenticate to the crAPI application and go to "Shops." Note the balance, which is $100.
2. Click on “Past Orders” and capture the request using the ZAP proxy tool.
3. The server response shows that the endpoint supports the PUT method.
4. We discovered that we could modify an order by using the PUT method. Take note of the "status" parameter in the server response.
5. Now fuzz the parameter’s value. Note the server response for all possible “status” parameter values.
6. We found that changing the status to "returned" refunds the order amount without the product ever being returned to the store.
7. Take note that the balance has been increased from $100 to $110.
- Avoid automatically mapping request parameters onto internal objects, and ignore any additional properties present in the request.
- Define an allow-list of the parameters that clients are permitted to set.
- Follow the OWASP Mass Assignment cheat sheet.
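As an added illustration (not part of the original post and not crAPI's own code), here is the kind of auto-binding that makes the PUT handler above exploitable, next to the allow-list binding the mitigations call for; the Order fields, the $10 product and the PUT body are constructed assumptions.

```python
from dataclasses import dataclass, fields

@dataclass
class Order:
    order_id: int
    product: str
    quantity: int
    price: float
    status: str = "delivered"  # lifecycle field: only the server-side return flow should change it

# Allow-list: the only order properties a customer may set through the PUT endpoint.
CLIENT_WRITABLE = frozenset({"quantity"})

class MassAssignmentError(ValueError):
    """Raised when a request body carries a property the client may not set."""

def update_order_vulnerable(order: Order, payload: dict) -> Order:
    """Framework-style auto-binding: every request key matching an attribute is
    copied onto the object, so a 'status' key in the body changes order state."""
    names = {f.name for f in fields(Order)}
    for key, value in payload.items():
        if key in names:
            setattr(order, key, value)
    return order

def update_order_safe(order: Order, payload: dict, strict: bool = True) -> Order:
    """Bind only allow-listed properties. strict=True rejects unexpected keys
    (so the attempt shows up in logs); strict=False silently drops them, which
    is the 'ignore additional properties' advice from the mitigation list."""
    unexpected = set(payload) - CLIENT_WRITABLE
    if unexpected and strict:
        raise MassAssignmentError(f"non-writable fields in request: {sorted(unexpected)}")
    for key in CLIENT_WRITABLE & set(payload):
        setattr(order, key, payload[key])
    return order

def credit_balance(balance: float, order: Order) -> float:
    """Refund the order price to the customer's balance once the order is 'returned'."""
    return balance + order.price if order.status == "returned" else balance

def demo() -> tuple:
    """Constructed sample: $100 balance, one $10 order, and a PUT body that also
    carries status=returned. Returns the balance after the vulnerable and safe paths."""
    body = {"quantity": 1, "status": "returned"}
    vuln = credit_balance(100.0, update_order_vulnerable(Order(1, "Seat", 1, 10.0), body))
    safe = credit_balance(100.0, update_order_safe(Order(1, "Seat", 1, 10.0), body, strict=False))
    return vuln, safe
```

Running `demo()` reproduces the $100 to $110 jump from the walkthrough on the auto-binding path and leaves the balance at $100 on the allow-listed path.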
At Levo, we are working on automating the detection of Mass Assignment vulnerabilities. Sign up for free and give it a try.
In our next blog post, we will learn about NoSQL Injection issues in crAPI. Stay Tuned.