CWE-915 Base Incomplet

Improperly Controlled Modification of Dynamically-Determined Object Attributes

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed.…

Définition

What is CWE-915?

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.
This flaw, often called mass assignment, autobinding, or object injection, allows attackers to bypass intended business logic by manipulating parameters in requests (like JSON or form data) to overwrite critical object fields. For example, an attacker might add a parameter like `isAdmin=true` to a user profile update, potentially escalating their privileges if the application blindly binds all incoming data to the object. Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by correlating SAST findings with runtime behavior. While SAST tools catch the insecure pattern, Plexicus uses AI to suggest the actual code fix—such as implementing an allowlist for bindable attributes—saving hours of manual review and patching.
Impact réel

Real-world CVEs caused by CWE-915

  • CVE-2024-3283

    Application for using LLMs allows modification of a sensitive variable using mass assignment.

  • CVE-2012-2054

    Mass assignment allows modification of arbitrary attributes using modified URL.

  • CVE-2012-2055

    Source version control product allows modification of trusted key using mass assignment.

  • CVE-2008-7310

    Attackers can bypass payment step in e-commerce product.

  • CVE-2013-1465

    Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.

  • CVE-2012-3527

    Use of PHP unserialize function on untrusted input in content management system might allow code execution.

  • CVE-2012-0911

    Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.

  • CVE-2012-0911

    Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

  1. 1

    This function sets object attributes based on a dot-separated path.

  2. 2

    This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.

  3. 3

    By using a denylist of dangerous attributes, this weakness can be eliminated.

Exemple de code vulnérable

Vulnerable JavaScript

This function sets object attributes based on a dot-separated path.

Vulnérable JavaScript 
function setValueByPath (object, path, value) {
  	 const pathArray = path.split(".");
  	 const attributeToSet = pathArray.pop();
  	 let objectToModify = object;
  	 for (const attr of pathArray) {
  		if (typeof objectToModify[attr] !== 'object') {
  			objectToModify[attr] = {};
  			 }
  		 objectToModify = objectToModify[attr];
  		 }
  	 objectToModify[attributeToSet] = value;
  	 return object;
  	 }
Exemple de code sécurisé

Secure JavaScript

By using a denylist of dangerous attributes, this weakness can be eliminated.

Sécurisé JavaScript 
function setValueByPath (object, path, value) {
  	 const pathArray = path.split(".");
  	 const attributeToSet = pathArray.pop();
  	 let objectToModify = object;
  	 for (const attr of pathArray) {
```
// Ignore attributes which resolve to object prototype* 
  		 if (attr === "__proto__" || attr === "constructor" || attr === "prototype") {
  		
  		```
  			 continue;
  			 }
  		 if (typeof objectToModify[attr] !== "object") {
  			 objectToModify[attr] = {};
  			 }
  		 objectToModify = objectToModify[attr];
  		 }
  	 objectToModify[attributeToSet] = value;
  	 return object;
  	 }
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention

How to prevent CWE-915

  • Implementation If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
  • Architecture and Design / Implementation If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • Implementation For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
  • Implementation / Architecture and Design Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
Signaux de détection

How to detect CWE-915

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-915 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement
Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-915 ?

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.

Quelle est la gravité de CWE-915 ?

MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.

Quels langages ou plateformes sont affectés par CWE-915 ?

MITRE lists the following affected platforms: Ruby, ASP.NET, PHP, Python.

Comment puis-je prévenir CWE-915 ?

If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted.…

Comment Plexicus détecte et corrige CWE-915 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-915 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-915 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/915.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-915

CWE-913 Parent

Improper Control of Dynamically-Managed Code Resources

This vulnerability occurs when an application fails to properly secure access to code resources that can be created or altered at runtime,…

CWE-1321 Frère

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Prototype pollution occurs when an application takes user-supplied input and uses it to improperly modify the properties of a JavaScript…

CWE-470 Frère

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide…

CWE-502 Frère

Deserialization of Untrusted Data

This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation,…

CWE-914 Frère

Improper Control of Dynamically-Identified Variables

This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing…

CWE-94 Frère

Improper Control of Generation of Code ('Code Injection')

This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the…

Ressources

Further reading

Prêt quand vous l'êtes

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo