CWE-915 Base Incomplete

Improperly Controlled Modification of Dynamically-Determined Object Attributes

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed.…

Definition

What is CWE-915?

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.
This flaw, often called mass assignment, autobinding, or object injection, allows attackers to bypass intended business logic by manipulating parameters in requests (like JSON or form data) to overwrite critical object fields. For example, an attacker might add a parameter like `isAdmin=true` to a user profile update, potentially escalating their privileges if the application blindly binds all incoming data to the object. Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by correlating SAST findings with runtime behavior. While SAST tools catch the insecure pattern, Plexicus uses AI to suggest the actual code fix—such as implementing an allowlist for bindable attributes—saving hours of manual review and patching.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-915

  • CVE-2024-3283

    Application for using LLMs allows modification of a sensitive variable using mass assignment.

  • CVE-2012-2054

    Mass assignment allows modification of arbitrary attributes using modified URL.

  • CVE-2012-2055

    Source version control product allows modification of trusted key using mass assignment.

  • CVE-2008-7310

    Attackers can bypass payment step in e-commerce product.

  • CVE-2013-1465

    Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.

  • CVE-2012-3527

    Use of PHP unserialize function on untrusted input in content management system might allow code execution.

  • CVE-2012-0911

    Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.

  • CVE-2012-0911

    Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    This function sets object attributes based on a dot-separated path.

  2. 2

    This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.

  3. 3

    By using a denylist of dangerous attributes, this weakness can be eliminated.

Verwundbares Codebeispiel

Vulnerable JavaScript

This function sets object attributes based on a dot-separated path.

Verwundbar JavaScript 
function setValueByPath (object, path, value) {
  	 const pathArray = path.split(".");
  	 const attributeToSet = pathArray.pop();
  	 let objectToModify = object;
  	 for (const attr of pathArray) {
  		if (typeof objectToModify[attr] !== 'object') {
  			objectToModify[attr] = {};
  			 }
  		 objectToModify = objectToModify[attr];
  		 }
  	 objectToModify[attributeToSet] = value;
  	 return object;
  	 }
Sicheres Codebeispiel

Secure JavaScript

By using a denylist of dangerous attributes, this weakness can be eliminated.

Sicher JavaScript 
function setValueByPath (object, path, value) {
  	 const pathArray = path.split(".");
  	 const attributeToSet = pathArray.pop();
  	 let objectToModify = object;
  	 for (const attr of pathArray) {
```
// Ignore attributes which resolve to object prototype* 
  		 if (attr === "__proto__" || attr === "constructor" || attr === "prototype") {
  		
  		```
  			 continue;
  			 }
  		 if (typeof objectToModify[attr] !== "object") {
  			 objectToModify[attr] = {};
  			 }
  		 objectToModify = objectToModify[attr];
  		 }
  	 objectToModify[attributeToSet] = value;
  	 return object;
  	 }
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-915

  • Implementation If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
  • Architecture and Design / Implementation If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • Implementation For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
  • Implementation / Architecture and Design Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
Erkennungssignale

How to detect CWE-915

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus Auto-Fix

Plexicus erkennt CWE-915 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-915?

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.

Wie gravierend ist CWE-915?

MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.

Welche Sprachen oder Plattformen sind von CWE-915 betroffen?

MITRE lists the following affected platforms: Ruby, ASP.NET, PHP, Python.

Wie kann ich CWE-915 verhindern?

If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted.…

Wie erkennt und behebt Plexicus CWE-915?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-915 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-915?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/915.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-915

CWE-913 Parent

Improper Control of Dynamically-Managed Code Resources

This vulnerability occurs when an application fails to properly secure access to code resources that can be created or altered at runtime,…

CWE-1321 Sibling

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Prototype pollution occurs when an application takes user-supplied input and uses it to improperly modify the properties of a JavaScript…

CWE-470 Sibling

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide…

CWE-502 Sibling

Deserialization of Untrusted Data

This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation,…

CWE-914 Sibling

Improper Control of Dynamically-Identified Variables

This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing…

CWE-94 Sibling

Improper Control of Generation of Code ('Code Injection')

This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the…

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen