Posts

Showing posts from March, 2016

Preventing Mass Assignment Attacks in Spring

If you have a wizard to collect data from users in a set of steps you can open yourself up to a mass assignment attack. OWASP as always gives great information on this.

How it works

You bind an object to the model and you want to populate the fields in that object as your user progresses through your wizard. So on the first screen you might collect their name, second screen email and so on. Between each of these steps you perform validation on the just-entered values. However a hacker exploiting mass assignment can bind data from step 1 during a subsequent step just by putting the variable and value in the URL (assuming GET, although obviously this can be done with POST also).

So for the first step you are after this:

https://mywebsite.com/myapp/action?email=anthonynolan@somemail.com

And the second step, this:

https://mywebsite.com/myapp/action2?name=Anthony

Instead the hacker supplies this which is fine and passes our validation:

https://mywebsite.com/myapp/acti
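The standard Spring mitigation is to give each wizard step an allow-list of the fields it is permitted to bind, so a parameter belonging to an earlier step is dropped rather than written into the form object. The following is an added example, not code from the original post: a standalone Java program using Spring's DataBinder (from spring-context) to bind two wizard steps, first without an allow-list (the vulnerable case, where a step-2 request that also carries a step-1 parameter silently overwrites the already-validated value) and then with setAllowedFields (the fixed case). The SignupForm class, the field names name and email, and the parameter values are all constructed for this example.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

public class WizardBindingDemo {

    /** Form-backing object that survives across the wizard steps (constructed for this example). */
    public static class SignupForm {
        private String name;
        private String email;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        @Override public String toString() { return "SignupForm{name=" + name + ", email=" + email + "}"; }
    }

    /** Vulnerable: binds whatever parameters arrive, so any field of the form can be set from any step. */
    static SignupForm bindUnrestricted(SignupForm form, MutablePropertyValues params) {
        DataBinder binder = new DataBinder(form, "signupForm");
        binder.bind(params);
        return form;
    }

    /** Fixed: binds only the fields this step is supposed to collect; everything else is suppressed. */
    static BindingResult bindAllowListed(SignupForm form, MutablePropertyValues params, String... allowedFields) {
        DataBinder binder = new DataBinder(form, "signupForm");
        // Allow-list for this step. In a Spring MVC controller the same call goes in an
        // @InitBinder method on the WebDataBinder for that step's handler.
        binder.setAllowedFields(allowedFields);
        binder.bind(params);
        return binder.getBindingResult();
    }

    public static void main(String[] args) {
        // Step 1 (constructed): the user submits a name, which step-1 validation accepts.
        MutablePropertyValues step1 = new MutablePropertyValues().add("name", "Anthony");
        // Step 2 (constructed): the email step, but the request also smuggles a 'name' parameter
        // with a value that step-1 validation would have rejected (an empty name).
        MutablePropertyValues step2 = new MutablePropertyValues()
                .add("email", "anthonynolan@somemail.com")
                .add("name", "");

        // Vulnerable flow: the validated name from step 1 is overwritten during step 2.
        SignupForm vulnerable = new SignupForm();
        bindUnrestricted(vulnerable, step1);
        bindUnrestricted(vulnerable, step2);
        System.out.println("Unrestricted binding: " + vulnerable); // name is now empty

        // Fixed flow: each step binds only its own fields.
        SignupForm fixed = new SignupForm();
        bindAllowListed(fixed, step1, "name");
        BindingResult result = bindAllowListed(fixed, step2, "email");
        System.out.println("Allow-listed binding: " + fixed); // name stays "Anthony"

        // Suppressed fields are the parameters that were refused; logging them gives a cheap
        // detection signal for someone probing the wizard with out-of-step parameters.
        for (String field : result.getSuppressedFields()) {
            System.out.println("Suppressed out-of-step parameter: " + field);
        }
    }
}
```

Run it with spring-beans and spring-context on the classpath; the first line printed shows the name cleared by the smuggled parameter, the second shows it preserved, and the loop prints name as the suppressed field. A per-step allow-list via setAllowedFields is preferable to setDisallowedFields because a newly added form field is closed by default instead of open by default.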