Improperly Controlled Modification of Dynamically-Determined Object Attributes

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Extended Description

If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.

Common Consequences
Scope: Integrity

Impact: Modify Application Data

An attacker could modify sensitive data or program variables.

Scope: Integrity

Impact: Execute Unauthorized Code or Commands

Scope: Other; Integrity

Impact: Varies by Context; Alter Execution Logic

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Implementation
If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. (Rails 4 and later replace these macros with Strong Parameters, where the controller allowlists the assignable parameters with permit() before they reach the model.)
Phase: Architecture and Design; Implementation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified. Note that this only protects data the application itself produced and round-tripped through the client (a serialized session, a hidden form field); it does not decide which attributes a client may legitimately submit, so it complements an attribute allowlist rather than replacing it.
Phase: Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Phase: Implementation; Architecture and Design

Strategy: Refactoring

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
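The approaches above side by side, as an added example rather than code from the CWE entry: a JavaScript handler that copies a request body onto a user record with no control, with a denylist, and with an allowlist. The User fields, the request body and the function names are constructed for this illustration.

```javascript
// Added example, not code from the CWE entry. The User record, the request
// body and the function names are constructed for this illustration.

// Internal model. isAdmin and emailVerified are set by server-side logic
// only and must never be writable from a request body.
function makeUser() {
  return { id: 42, name: "alice", email: "alice@example.com",
           emailVerified: false, isAdmin: false };
}

// Constructed hostile request: the client appends fields the edit form never
// exposes. This is exactly what uncontrolled mass assignment lets through.
const HOSTILE_BODY = JSON.parse(
  '{"name":"alice","isAdmin":true,"emailVerified":true}'
);

// BAD: no control at all; every key in the body becomes an attribute.
function updateUserUnsafe(user, body) {
  Object.assign(user, body);
  return user;
}

// DENYLIST: blocks the fields someone thought of. Any privileged field that
// was forgotten, or added later, is silently writable.
const PROTECTED = new Set(["id", "isAdmin"]);
function updateUserDenylist(user, body) {
  for (const key of Object.keys(body)) {
    if (!PROTECTED.has(key)) user[key] = body[key];
  }
  return user;
}

// ALLOWLIST: only the fields this endpoint is meant to edit are copied.
// Everything else is reported so the caller can log or reject the request.
const EDITABLE = new Set(["name", "email"]);
function updateUserAllowlist(user, body) {
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (EDITABLE.has(key)) {
      user[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { user, rejected };
}

function demoMassAssignment() {
  return {
    unsafe: updateUserUnsafe(makeUser(), HOSTILE_BODY),
    denied: updateUserDenylist(makeUser(), HOSTILE_BODY),
    allowed: updateUserAllowlist(makeUser(), HOSTILE_BODY),
  };
}
```

The denylist version also forgets "__proto__", which JSON.parse happily returns as an own key of the body; the allowlist never has to think about it, because anything not named is not assigned. Returning the rejected keys is deliberate: an unexpected "isAdmin" in a request is worth an alert, not just a silent drop.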
Demonstrative Examples

ID : DX-206

This function sets object attributes based on a dot-separated path.

Code Example: Bad (JavaScript)

This function does not check whether a path segment resolves to the object prototype, so a crafted path can be used to add "isAdmin: true" to the object prototype.

Code Example: Bad (JavaScript)

By using a denylist of the attribute names that resolve to the object prototype, this particular attack is blocked (where the set of legitimate attributes is known in advance, the allowlist approach described under Potential Mitigations remains preferable).

Code Example: Good (JavaScript)

    // Ignore attributes which resolve to object prototype
    if (attr === "__proto__" || attr === "constructor" || attr === "prototype") {
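A complete version of the pattern DX-206 describes, written for this page rather than taken from the CWE entry: a dot-path setter, two constructed payloads that reach Object.prototype through it, and a hardened setter. The function names, the probe() helper and the isAdmin attribute are this example's own. The hardened version goes a little beyond the entry's denylist: it checks every segment including the last, and it only steps into properties the object itself owns, so the walk can never leave the object being edited.

```javascript
// Added example, not code from the CWE entry. Names (setValueByPathUnsafe,
// setValueByPathSafe, probe, isAdmin) are this illustration's own.

// BAD: creates intermediate objects as needed but never asks whether a
// segment names the prototype chain. "__proto__.isAdmin" and
// "constructor.prototype.isAdmin" both land on Object.prototype.
function setValueByPathUnsafe(object, path, value) {
  const segments = path.split(".");
  const last = segments.pop();
  let current = object;
  for (const segment of segments) {
    if (current[segment] === undefined) {
      current[segment] = {};
    }
    current = current[segment];
  }
  current[last] = value;
  return object;
}

// GOOD: reject the names that resolve to the prototype chain in every
// position (including the last), and only descend into own properties.
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function setValueByPathSafe(object, path, value) {
  const segments = path.split(".");
  const last = segments.pop();
  for (const segment of [...segments, last]) {
    if (RESERVED.has(segment)) {
      throw new Error(`refusing to set reserved attribute "${segment}"`);
    }
  }
  let current = object;
  for (const segment of segments) {
    const existing = hasOwn(current, segment) ? current[segment] : undefined;
    if (typeof existing !== "object" || existing === null) {
      current[segment] = {};
    }
    current = current[segment];
  }
  current[last] = value;
  return object;
}

// Constructed attacker inputs: each tries to reach Object.prototype.
const PAYLOADS = ["__proto__.isAdmin", "constructor.prototype.isAdmin"];

// Runs one payload against a fresh object and reports whether an unrelated
// object now inherits isAdmin. The pollution is removed afterwards so the
// rest of the process is not affected by the demonstration.
function probe(setter, path) {
  try {
    setter({}, path, true);
    return ({}).isAdmin === true ? "polluted" : "clean";
  } catch (e) {
    return "rejected";
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function demoPrototypePollution() {
  return {
    unsafe: PAYLOADS.map((p) => probe(setValueByPathUnsafe, p)),
    safe: PAYLOADS.map((p) => probe(setValueByPathSafe, p)),
    legit: setValueByPathSafe({}, "profile.settings.theme", "dark"),
  };
}
```

Checking the final segment matters too: a path ending in "__proto__" otherwise rewrites the prototype of the target object. As defense in depth, a Node.js service can also freeze the intrinsics at startup (Object.freeze(Object.prototype), or the --frozen-intrinsics flag) so that a pollution write fails, throwing in strict mode, instead of succeeding silently.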
Observed Examples

CVE-2024-3283: Application for using LLMs allows modification of a sensitive variable using mass assignment.
CVE-2012-2054: Mass assignment allows modification of arbitrary attributes using modified URL.
CVE-2012-2055: Source version control product allows modification of trusted key using mass assignment.
CVE-2008-7310: Attackers can bypass payment step in e-commerce product.
CVE-2013-1465: Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
CVE-2012-3527: Use of PHP unserialize function on untrusted input in content management system might allow code execution.
CVE-2012-0911: Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
CVE-2012-0911: Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
CVE-2011-4962: Content management system written in PHP allows code execution through page comments.
CVE-2009-4137: Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
CVE-2007-5741: Content management system written in Python interprets untrusted data as pickles, allowing code execution.
CVE-2011-2520: Python script allows local users to execute code via pickled data.
CVE-2005-2875: Python script allows remote attackers to execute arbitrary code using pickled objects.
CVE-2013-0277: Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.
CVE-2011-2894: Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.
CVE-2012-1833: Grails allows binding of arbitrary parameters to modify arbitrary object properties.
CVE-2010-3258: Incorrect deserialization in web browser allows escaping the sandbox.
CVE-2008-1013: Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.
References

REF-885: Stefan Esser, "Shocking News in PHP Exploitation", 2009.
REF-886: Dinis Cruz, "Two Security Vulnerabilities in the Spring Framework's MVC" (PDF, 2008).
REF-887: Ryan Berg and Dinis Cruz, "Two Security Vulnerabilities in the Spring Framework's MVC".
REF-889: Michael Hartl, "Mass assignment in Rails applications", 2008-09-21.
REF-890: Tobi, "Secure your Rails apps!", 2012-03-06.
REF-891: Heiko Webers, "Ruby On Rails Security Guide".
REF-892: Josh Bush, "Mass Assignment Vulnerability in ASP.NET MVC", 2012-03-05.
REF-893: K. Scott Allen, "6 Ways To Avoid Mass Assignment in ASP.NET MVC", 2012-03-12.
REF-894: Egidio Romano, "PHP Object Injection", 2013-01-22.
REF-464: Heine Deelstra, "Unserializing user-supplied data, a bad idea", 2010-08-25.
REF-466: Nadia Alramli, "Why Python Pickle is Insecure", 2009-09-09.
Applicable Platforms

Languages: Ruby (Prevalence: Undetermined), ASP.NET (Prevalence: Undetermined), PHP (Prevalence: Undetermined), Python (Prevalence: Undetermined), Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Architecture and Design
Implementation
Alternate Terms

Mass Assignment

"Mass assignment" is the name of a feature in Ruby on Rails that allows simultaneous modification of multiple object attributes.

AutoBinding

The "Autobinding" term is used in frameworks such as Spring MVC and ASP.NET MVC.

PHP Object Injection

Some PHP application researchers use this term for attacking unsafe use of the unserialize() function, but it is also used for Deserialization of Untrusted Data.
Notes

Maintenance: The relationships between Deserialization of Untrusted Data and Improperly Controlled Modification of Dynamically-Determined Object Attributes need further exploration. Improperly Controlled Modification of Dynamically-Determined Object Attributes is more narrowly scoped to object modification, and is not necessarily used for deserialization.