Improperly Controlled Modification of Dynamically-Determined Object Attributes
Incomplete Base
Structure: Simple
Description
This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.
This flaw, often called mass assignment, autobinding, or object injection, allows attackers to bypass intended business logic by manipulating parameters in requests (like JSON or form data) to overwrite critical object fields. For example, an attacker might add a parameter like `isAdmin=true` to a user profile update, potentially escalating their privileges if the application blindly binds all incoming data to the object. Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by correlating SAST findings with runtime behavior. While SAST tools catch the insecure pattern, Plexicus uses AI to suggest the actual code fix—such as implementing an allowlist for bindable attributes—saving hours of manual review and patching.
Common Consequences 3
Scope: Integrity
Impact: Modify Application Data
An attacker could modify sensitive data or program variables.
Scope: Integrity
Impact: Execute Unauthorized Code or Commands
Scope: OtherIntegrity
Impact: Varies by ContextAlter Execution Logic
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Potential Mitigations 4
Phase: Implementation
If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Phase: Architecture and DesignImplementation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Phase: Implementation
Strategy: Input Validation
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Phase: ImplementationArchitecture and Design
Strategy: Refactoring
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
Demonstrative Examples 1
ID : DX-206
This function sets object attributes based on a dot-separated path.Code Example:
Bad
JavaScript
javascriptThis function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.
Code Example:
Bad
JavaScript
javascriptBy using a denylist of dangerous attributes, this weakness can be eliminated.
Code Example:
Good
JavaScript
javascript// Ignore attributes which resolve to object prototype* if (attr === "proto" || attr === "constructor" || attr === "prototype") {
javascriptObserved Examples 18
CVE-2024-3283Application for using LLMs allows modification of a sensitive variable using mass assignment.
CVE-2012-2054Mass assignment allows modification of arbitrary attributes using modified URL.
CVE-2012-2055Source version control product allows modification of trusted key using mass assignment.
CVE-2008-7310Attackers can bypass payment step in e-commerce product.
CVE-2013-1465Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
CVE-2012-3527Use of PHP unserialize function on untrusted input in content management system might allow code execution.
CVE-2012-0911Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
CVE-2012-0911Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
CVE-2011-4962Content management system written in PHP allows code execution through page comments.
CVE-2009-4137Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
CVE-2007-5741Content management system written in Python interprets untrusted data as pickles, allowing code execution.
CVE-2011-2520Python script allows local users to execute code via pickled data.
CVE-2005-2875Python script allows remote attackers to execute arbitrary code using pickled objects.
CVE-2013-0277Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.
CVE-2011-2894Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.
CVE-2012-1833Grails allows binding of arbitrary parameters to modify arbitrary object properties.
CVE-2010-3258Incorrect deserialization in web browser allows escaping the sandbox.
CVE-2008-1013Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.
References 12
Shocking News in PHP Exploitation
Stefan Esser
2009
ID: REF-885
"Two Security Vulnerabilities in the Spring Framework's MVC" pdf (from 2008)
Dinis Cruz
ID: REF-886
Two Security Vulnerabilities in the Spring Framework's MVC
Ryan Berg and Dinis Cruz
https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf(2023-04-07)
ID: REF-887
Best Practices for ASP.NET MVC
ASPNETUE
17-09-2010
ID: REF-888
Mass assignment in Rails applications
Michael Hartl
21-09-2008
ID: REF-889
Secure your Rails apps!
Tobi
06-03-2012
ID: REF-890
Ruby On Rails Security Guide
Heiko Webers
ID: REF-891
Mass Assignment Vulnerability in ASP.NET MVC
Josh Bush
05-03-2012
ID: REF-892
6 Ways To Avoid Mass Assignment in ASP.NET MVC
K. Scott Allen
12-03-2012
https://odetocode.com/blogs/scott/archive/2012/03/11/complete-guide-to-mass-assignment-in-asp-net-mvc.aspx(2023-04-07)
ID: REF-893
PHP Object Injection
Egidio Romano
22-01-2013
ID: REF-894
Unserializing user-supplied data, a bad idea
Heine Deelstra
25-08-2010
ID: REF-464
Why Python Pickle is Insecure
Nadia Alramli
09-09-2009
ID: REF-466
Applicable Platforms
Languages:
Ruby : UndeterminedASP.NET : UndeterminedPHP : UndeterminedPython : UndeterminedNot Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Alternate Terms
Mass Assignment
"Mass assignment" is the name of a feature in Ruby on Rails that allows simultaneous modification of multiple object attributes.AutoBinding
The "Autobinding" term is used in frameworks such as Spring MVC and ASP.NET MVC.PHP Object Injection
Some PHP application researchers use this term for attacking unsafe use of the unserialize() function, but it is also used for Deserialization of Untrusted Data.Related Weaknesses
Notes
MaintenanceThe relationships between Deserialization of Untrusted Data and Improperly Controlled Modification of Dynamically-Determined Object Attributes need further exploration. Improperly Controlled Modification of Dynamically-Determined Object Attributes is more narrowly scoped to object modification, and is not necessarily used for deserialization.