CWE-915 Base Incompleto

Improperly Controlled Modification of Dynamically-Determined Object Attributes

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed.…

Definición

What is CWE-915?

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.
This flaw, often called mass assignment, autobinding, or object injection, allows attackers to bypass intended business logic by manipulating parameters in requests (like JSON or form data) to overwrite critical object fields. For example, an attacker might add a parameter like `isAdmin=true` to a user profile update, potentially escalating their privileges if the application blindly binds all incoming data to the object. Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by correlating SAST findings with runtime behavior. While SAST tools catch the insecure pattern, Plexicus uses AI to suggest the actual code fix—such as implementing an allowlist for bindable attributes—saving hours of manual review and patching.
Impacto en el mundo real

Real-world CVEs caused by CWE-915

  • CVE-2024-3283

    Application for using LLMs allows modification of a sensitive variable using mass assignment.

  • CVE-2012-2054

    Mass assignment allows modification of arbitrary attributes using modified URL.

  • CVE-2012-2055

    Source version control product allows modification of trusted key using mass assignment.

  • CVE-2008-7310

    Attackers can bypass payment step in e-commerce product.

  • CVE-2013-1465

    Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.

  • CVE-2012-3527

    Use of PHP unserialize function on untrusted input in content management system might allow code execution.

  • CVE-2012-0911

    Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.

  • CVE-2012-0911

    Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    This function sets object attributes based on a dot-separated path.

  2. 2

    This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.

  3. 3

    By using a denylist of dangerous attributes, this weakness can be eliminated.

Ejemplo de código vulnerable

Vulnerable JavaScript

This function sets object attributes based on a dot-separated path.

Vulnerable JavaScript 
function setValueByPath (object, path, value) {
  	 const pathArray = path.split(".");
  	 const attributeToSet = pathArray.pop();
  	 let objectToModify = object;
  	 for (const attr of pathArray) {
  		if (typeof objectToModify[attr] !== 'object') {
  			objectToModify[attr] = {};
  			 }
  		 objectToModify = objectToModify[attr];
  		 }
  	 objectToModify[attributeToSet] = value;
  	 return object;
  	 }
Ejemplo de código seguro

Secure JavaScript

By using a denylist of dangerous attributes, this weakness can be eliminated.

Seguro JavaScript 
function setValueByPath (object, path, value) {
  	 const pathArray = path.split(".");
  	 const attributeToSet = pathArray.pop();
  	 let objectToModify = object;
  	 for (const attr of pathArray) {
```
// Ignore attributes which resolve to object prototype* 
  		 if (attr === "__proto__" || attr === "constructor" || attr === "prototype") {
  		
  		```
  			 continue;
  			 }
  		 if (typeof objectToModify[attr] !== "object") {
  			 objectToModify[attr] = {};
  			 }
  		 objectToModify = objectToModify[attr];
  		 }
  	 objectToModify[attributeToSet] = value;
  	 return object;
  	 }
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-915

  • Implementation If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
  • Architecture and Design / Implementation If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • Implementation For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
  • Implementation / Architecture and Design Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
Señales de detección

How to detect CWE-915

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-915 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-915?

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.

¿Qué gravedad tiene CWE-915?

MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.

¿Qué lenguajes o plataformas se ven afectados por CWE-915?

MITRE lists the following affected platforms: Ruby, ASP.NET, PHP, Python.

¿Cómo puedo prevenir CWE-915?

If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted.…

¿Cómo detecta y corrige Plexicus CWE-915?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-915 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-915?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/915.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-915

CWE-913 Padre

Improper Control of Dynamically-Managed Code Resources

This vulnerability occurs when an application fails to properly secure access to code resources that can be created or altered at runtime,…

CWE-1321 Hermano

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Prototype pollution occurs when an application takes user-supplied input and uses it to improperly modify the properties of a JavaScript…

CWE-470 Hermano

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide…

CWE-502 Hermano

Deserialization of Untrusted Data

This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation,…

CWE-914 Hermano

Improper Control of Dynamically-Identified Variables

This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing…

CWE-94 Hermano

Improper Control of Generation of Code ('Code Injection')

This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo