Shubham_Mishra
F5 Employee

Introduction to OWASP API Mass Assignment

APIs are the foundation building blocks of today's modern applications. Because of this wide adoption, software frameworks exist to help developers with the implementation, but some of these frameworks automatically bind a client's request parameters to internal code variables, which opens the door for attackers to exploit the Mass Assignment vulnerability.

An API Mass Assignment vulnerability occurs when API endpoints do not restrict manually crafted client requests that modify internal object properties which should be immutable from the client's side.

Attackers can take advantage of this vulnerability by crafting an HTTP request to escalate user privileges, bypass security mechanisms, or otherwise make the API endpoint behave in a way it was not designed to.

[Image: Shubham_Mishra_1-1671542949964.jpeg]

The image above is a pictorial representation of a possible exploitation of the Mass Assignment vulnerability. You can see that the attacker successfully escalates their privilege from normal user to admin by manipulating the JSON content of the API request.

In the first scenario, the attacker sends a valid API request to add the user and gets a response back with a parameter carrying information about the role. 

In the second scenario, the attacker adds the role parameter to the JSON object in the API request, which results in successful exploitation of the vulnerability.

Prevention Steps

  • Avoid automatic binding of a client's input data into the application's internal code variables.
  • Clearly define an allow/deny list for the properties that should or shouldn't be settable by clients.
  • Define the application schema precisely and enforce it on all incoming client requests.
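The following Python snippet is an added illustration of the two scenarios and the prevention steps above; it is not code from this article or from any F5 product, and the User model, endpoint functions and sample requests are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass

# Hypothetical user model (assumption for this example).
@dataclass
class User:
    username: str = ""
    email: str = ""
    role: str = "user"  # internal property: must never be set from the client

# Allow list: the only properties a client may set on the create-user endpoint.
USER_SCHEMA = {"username": str, "email": str}

def create_user_vulnerable(request_body: str) -> User:
    """Mass Assignment pattern: every key in the JSON body is bound to the object."""
    user = User()
    for key, value in json.loads(request_body).items():
        setattr(user, key, value)  # a client-supplied 'role' lands here unchecked
    return user

def create_user_hardened(request_body: str) -> User:
    """Bind only allow-listed keys and reject any request outside the schema."""
    data = json.loads(request_body)
    unexpected = set(data) - set(USER_SCHEMA)
    if unexpected:
        raise ValueError(f"unexpected properties: {sorted(unexpected)}")
    for key, expected_type in USER_SCHEMA.items():
        if key not in data or not isinstance(data[key], expected_type):
            raise ValueError(f"missing or invalid property: {key}")
    return User(username=data["username"], email=data["email"])

# Constructed sample requests mirroring the two scenarios described above.
BENIGN_REQUEST = '{"username": "alice", "email": "alice@example.com"}'
CRAFTED_REQUEST = '{"username": "alice", "email": "alice@example.com", "role": "admin"}'

def escalated(handler, request_body: str) -> bool:
    """True if the handler lets the request produce a non-default role."""
    try:
        return handler(request_body).role != "user"
    except ValueError:
        return False  # request rejected by schema enforcement
```

Rejecting unknown properties (rather than silently dropping them) also gives a log signal worth alerting on, since a legitimate client should never send `role`.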
Comments
Rajiv_Goel
F5 Employee

Great write up and example with step by step walkthrough!

Janibasha
F5 Employee

Nice article which presented one more strength of the F5 XC WAAP solution in the high-demand API Security market.

Version history
Last update: 20-Apr-2023 23:11