Preventing Mass Assignment Attacks in Spring

If you have a wizard to collect data from users in a set of steps you can open yourself up to a mass assignment attack. OWASP as always gives great information on this.

How it works

You Bind an object to the model and you want to populate the fields in that object as your user progresses through your wizard. So on the first screen you might collect their name, second screen email and so on. Between each of these steps you perform validation on the just entered values.

However a hacker exploiting mass assignment can bind data from step 1 during a subsequent step just by putting the variable and value in the URL (assuming GET, although obviously this can be done with POST also).

So for the first step you are after this:

https://mywebsite.com/myapp/action?email=anthonynolan@somemail.com

And the second step, this:

https://mywebsite.com/myapp/action2?name=Anthony

Instead the hacker supplies this which is fine and passes our validation:

https://mywebsite.com/myapp/action?email=anthonynolan@somemail.com

Followed by this. Which is not fine as the email is not validated on this step:

https://mywebsite.com/myapp/action2?name=Anthony&email=bad_guy_email@dodgy.com

Because Spring binds all params that it can match in the URL the email address will be bound in the last case. Your code may not have included validation of email (restricted domains for example) in that step of the wizard.

There are a number of approaches to fix this.

Repeat the validations on each step

Therefore the validation is accretive. Something like this.

Step 1

  • Validate condition 1

Step2

  • Validate condition 1 again
  • Validate condition 2
and so on.

This leads to some duplication of code - but it is very minimal - only method calls. I plan to put together a neater way of achieving this accretion, but for now this will do.

Isolate each wizard step in its own controller

This will allow you to use the OWASP recommended method of using a binder (this is the whitelist version, there is blacklist too):

@Controller
  public class UserController
  {
     @InitBinder
     public void initBinder(WebDataBinder binder, WebRequest request)
     {
        binder.setAllowedFields(["userid","password","email"]);
     }
  
     ...
  }

However if you have the steps in the same controller (a better design in my opinion), this won't work. You will end up blocking the params at every step, not just the prohibited ones.

Blacklist params in handler

You can however use the Params attribute on your RequestMapping annotation to disallow certain parameters. This one will disallow role in the params list. If role is supplied the user will get a 404.

@RequestMapping(value = "/bitofurl", params = "!role")


All this is a little awkward and removes some of the elegance of a Spring solution. But mass assignment attacks are serious stuff and can result in all manner of nastiness. Better slightly less elegant code than a compromised user DB.



Comments

Post a Comment

Popular posts from this blog

Building a choropleth map for Irish agricultural data

I wanted to create a choropleth map  using Irish data. The Irish Government has made a large quantity of data available at data.gov.ie. The set I chose was for Bovine TB across Ireland over a number of years. You can get geojson for a variety of countries and Ireland's county boundaries are available. All I had to do was get the data labels to match. In the data some counties are split into 2 parts. I merged and summed these data points to get the choropleth to work with normal county boundaries. You can see the results here . A link to the github is included at the top of the notebook.
Read more

Early Stopping with Keras

Steps to train a model There are a number of things you have to do when working on a Machine Learning problem. Import your data and transform it as appropriate Define  your model using something like Keras - this includes your chosen hyperparameter values Run the training phase Evaluate the model If at the end of this process the evaluation shows that your model is not sufficient for your needs you will need to make some changes and rerun the training.  Ideally you should have a way to spot that training is not going as you want and stop it. This is one of the uses of early stopping. The other is if your model has reached a sufficient quality standard for you to use and further improvements have slowed, stopped altogether or an unnecessary.  Early Stopping Keras provides a way of doing this using the EarlyStopping callback . There are a range of callbacks in Keras and you can define your own. Details are here . The EarlyStopping callback works by choosing a metric
Read more

AutoCompleteTextView backed with data from SQLite in Android

Image
This is a handy piece of code. As your database gets bigger you can allow the user to pick the correct value by typing. If the db gets very big, you can always increase the threshold, so that the query does not run until there will be a suitably sized resultset returned. Running it at a threshold of 1 is fine for very small resultsets.  Here is the code you need to back your AutoCompleteTextView with a cursor adapter. @Override protected void onResume() { super.onResume(); text = (AutoCompleteTextView) findViewById(R.id.autoCompleteTextView1); final AdapterHelper h = new AdapterHelper(this); Cursor c = h.getAllResults(); startManagingCursor(c); String[] from = new String[] { "val" }; int[] to = new int[] { android.R.id.text1 }; CursorAdapter adapter = new MyCursorAdapter(this, android.R.layout.simple_dropdown_item_1line, c, from, to); adapter.setFilterQueryProvider(new FilterQueryProvider() { public Cursor runQuery(Cha
Read more