CWE-915 Base Incompleto

Improperly Controlled Modification of Dynamically-Determined Object Attributes

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed.…

Definição

What is CWE-915?

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.
This flaw, often called mass assignment, autobinding, or object injection, allows attackers to bypass intended business logic by manipulating parameters in requests (like JSON or form data) to overwrite critical object fields. For example, an attacker might add a parameter like `isAdmin=true` to a user profile update, potentially escalating their privileges if the application blindly binds all incoming data to the object. Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by correlating SAST findings with runtime behavior. While SAST tools catch the insecure pattern, Plexicus uses AI to suggest the actual code fix—such as implementing an allowlist for bindable attributes—saving hours of manual review and patching.
Impacto no mundo real

Real-world CVEs caused by CWE-915

  • CVE-2024-3283

    Application for using LLMs allows modification of a sensitive variable using mass assignment.

  • CVE-2012-2054

    Mass assignment allows modification of arbitrary attributes using modified URL.

  • CVE-2012-2055

    Source version control product allows modification of trusted key using mass assignment.

  • CVE-2008-7310

    Attackers can bypass payment step in e-commerce product.

  • CVE-2013-1465

    Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.

  • CVE-2012-3527

    Use of PHP unserialize function on untrusted input in content management system might allow code execution.

  • CVE-2012-0911

    Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.

  • CVE-2012-0911

    Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.

Como os atacantes a exploram

Trajeto do atacante passo a passo

  1. 1

    This function sets object attributes based on a dot-separated path.

  2. 2

    This function does not check if the attribute resolves to the object prototype. These codes can be used to add "isAdmin: true" to the object prototype.

  3. 3

    By using a denylist of dangerous attributes, this weakness can be eliminated.

Exemplo de código vulnerável

Vulnerable JavaScript

This function sets object attributes based on a dot-separated path.

Vulnerável JavaScript 
function setValueByPath (object, path, value) {
  	 const pathArray = path.split(".");
  	 const attributeToSet = pathArray.pop();
  	 let objectToModify = object;
  	 for (const attr of pathArray) {
  		if (typeof objectToModify[attr] !== 'object') {
  			objectToModify[attr] = {};
  			 }
  		 objectToModify = objectToModify[attr];
  		 }
  	 objectToModify[attributeToSet] = value;
  	 return object;
  	 }
Exemplo de código seguro

Secure JavaScript

By using a denylist of dangerous attributes, this weakness can be eliminated.

Seguro JavaScript 
function setValueByPath (object, path, value) {
  	 const pathArray = path.split(".");
  	 const attributeToSet = pathArray.pop();
  	 let objectToModify = object;
  	 for (const attr of pathArray) {
```
// Ignore attributes which resolve to object prototype* 
  		 if (attr === "__proto__" || attr === "constructor" || attr === "prototype") {
  		
  		```
  			 continue;
  			 }
  		 if (typeof objectToModify[attr] !== "object") {
  			 objectToModify[attr] = {};
  			 }
  		 objectToModify = objectToModify[attr];
  		 }
  	 objectToModify[attributeToSet] = value;
  	 return object;
  	 }
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção

How to prevent CWE-915

  • Implementation If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
  • Architecture and Design / Implementation If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • Implementation For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
  • Implementation / Architecture and Design Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
Sinais de deteção

How to detect CWE-915

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Correção automática do Plexicus

O Plexicus deteta automaticamente o CWE-915 e abre um PR de correção em menos de 60 segundos.

O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.

Obter uma demonstração Experimente o Plexicus gratuitamente
Perguntas frequentes

Frequently asked questions

O que é o CWE-915?

This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to.

Qual a gravidade do CWE-915?

A MITRE não publicou uma classificação de probabilidade de exploração para esta fraqueza. Trate-a como impacto médio até o seu modelo de ameaças provar o contrário.

Que linguagens ou plataformas são afetadas pelo CWE-915?

MITRE lists the following affected platforms: Ruby, ASP.NET, PHP, Python.

Como posso prevenir o CWE-915?

If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment. If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted.…

Como é que o Plexicus deteta e corrige o CWE-915?

O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-915 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.

Onde posso saber mais sobre o CWE-915?

A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/915.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.

Fraquezas relacionadas

Weaknesses related to CWE-915

CWE-913 Pai

Improper Control of Dynamically-Managed Code Resources

This vulnerability occurs when an application fails to properly secure access to code resources that can be created or altered at runtime,…

CWE-1321 Irmão

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Prototype pollution occurs when an application takes user-supplied input and uses it to improperly modify the properties of a JavaScript…

CWE-470 Irmão

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide…

CWE-502 Irmão

Deserialization of Untrusted Data

This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation,…

CWE-914 Irmão

Improper Control of Dynamically-Identified Variables

This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing…

CWE-94 Irmão

Improper Control of Generation of Code ('Code Injection')

This vulnerability occurs when an application builds executable code using unvalidated external input, such as user data. Because the…

Recursos

Further reading

Pronto quando você estiver

Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.

O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.

Começar grátis Reservar uma demo