• General Solutions
  • Ruby On Rails
  • Jackson (JSON Object Mapper)
  • GSON (JSON Object Mapper)
  • JSON-Lib (JSON Object Mapper)
  • Flexjson (JSON Object Mapper)
  • References and future reading
  • Microservices Security
  • Microservices based Security Arch Doc
  • Mobile Application Security
  • Multifactor Authentication
  • NPM Security
  • Network Segmentation
  • NodeJS Docker
  • Nodejs Security
  • OS Command Injection Defense
  • PHP Configuration
  • Password Storage
  • Prototype Pollution Prevention
  • Query Parameterization
  • REST Assessment
  • REST Security
  • Ruby on Rails
  • SAML Security
  • SQL Injection Prevention
  • Secrets Management
  • Secure Cloud Architecture
  • Secure Product Design
  • Securing Cascading Style Sheets
  • Server Side Request Forgery Prevention
  • Session Management
  • TLS Cipher String
  • Third Party Javascript Management
  • Threat Modeling
  • Transaction Authorization
  • Transport Layer Protection
  • Transport Layer Security
  • Unvalidated Redirects and Forwards
  • User Privacy Protection
  • Virtual Patching
  • Vulnerability Disclosure
  • Vulnerable Dependency Management
  • Web Service Security
  • XML External Entity Prevention
  • XML Security
  • XSS Filter Evasion

Mass Assignment Cheat Sheet ¶

Introduction ¶, definition ¶.

Software frameworks sometime allow developers to automatically bind HTTP request parameters into program code variables or objects to make using that framework easier on developers. This can sometimes cause harm.

Attackers can sometimes use this methodology to create new parameters that the developer never intended which in turn creates or overwrites new variable or objects in program code that was not intended.

This is called a Mass Assignment vulnerability.

Alternative Names ¶

Depending on the language/framework in question, this vulnerability can have several alternative names :

  • Mass Assignment: Ruby on Rails, NodeJS.
  • Autobinding: Spring MVC, ASP NET MVC.
  • Object injection: PHP.

Example ¶

Suppose there is a form for editing a user's account information:

Here is the object that the form is binding to:

Here is the controller handling the request:

Here is the typical request:

And here is the exploit in which we set the value of the attribute isAdmin of the instance of the class User :

Exploitability ¶

This functionality becomes exploitable when:

  • Attacker can guess common sensitive fields.
  • Attacker has access to source code and can review the models for sensitive fields.
  • AND the object with sensitive fields has an empty constructor.

GitHub case study ¶

In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. GitHub's Blog Post .

Solutions ¶

  • Allow-list the bindable, non-sensitive fields.
  • Block-list the non-bindable, sensitive fields.
  • Use Data Transfer Objects (DTOs).

General Solutions ¶

An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.

Language & Framework specific solutions ¶

Spring mvc ¶, allow-listing ¶.

Take a look here for the documentation.

Block-listing ¶

Nodejs + mongoose ¶, ruby on rails ¶, django ¶, asp net ¶, php laravel + eloquent ¶, grails ¶, play ¶, jackson (json object mapper) ¶.

Take a look here and here for the documentation.

GSON (JSON Object Mapper) ¶

Take a look here and here for the document.

JSON-Lib (JSON Object Mapper) ¶

Flexjson (json object mapper) ¶, references and future reading ¶.

  • Mass Assignment, Rails and You
  • Browse topics

Mass assignment

Be careful with parameters that are automatically bound from requests to objects, select your ecosystem, mass assignment: the basics, what are mass assignment vulnerabilities.

To make it easier to save data submitted via an HTML form into a database or object, many web application frameworks have included libraries to automatically bind HTTP request parameters (typically sent via forms) to the fields of database models or members of an object, requiring only minimal coding.

Let’s say we have a (very simple) HTML form:

When the form is submitted to the web application, it will send the form data as HTTP request parameters, and the backend code will have to read each parameter individually into a corresponding variable. Then, once all the fields have been read, the application will usually execute a database update or insert operation to save the data.

Mass Assignment makes it possible to write less code to handle this process - think about how much coding this technique could save if it was an object that had dozens of fields, and multiply this across a complex application that has many of these objects in its database.

Mass assignment vulnerabilities occur when the database model that is being assigned contains security-relevant fields, and the application user can supply values in the POST request that are saved to those fields, even though they are not present in the HTML form.

For example, if the User model contained a field isAdmin: Boolean , the user could add the POST body parameter isAdmin=true and make themselves an administrator.

For this to occur, an attacker would need to guess the names of the sensitive fields, or the source code for the vulnerable application would have to be available to the attacker (allowing them to see what sensitive fields are present in the data model).

Impacts of this attack can include bypassing authentication or authorization logic or elevation of privilege. This could then result in the destruction or disclosure of data within the application.

About this lesson

In this lesson, you will learn how mass assignment vulnerabilities work and how to protect your applications against them. We will begin by exploiting a Mass Assignment vulnerability in a simple application. Then we will analyze the vulnerable code and explore some options for remediation and prevention.

Mass assignment in the wild

In 2012, a GitHub user exploited a Mass Assignment vulnerability in GitHub’s public key update form. The flaw allowed the user to add their public key to another organization they were not a member of. The user added their key to the Ruby on Rails organization. To demonstrate proof of the exploit, the user added a file to the Rails project repository. GitHub responded, quickly fixing the vulnerability and they conducted a wide audit of their code to ensure the issue was detected and fixed if it existed anywhere else.

Mass assignment in action

New SaaS startup SuperCloudCRM recently launched their web platform designed to help businesses boost their sales and marketing efforts.

Setting the stage

SuperCloudCRM recently launched its web platform. Unfortunately, they suffered a security breach, resulting in data being leaked. What went wrong?

Mass assignment details

As mentioned, SuperCloudCRM’s developers had been logging request data for API endpoints like the POST /user/create endpoint, which creates new user accounts when a user submits the signup form.

A typical JSON payload in the request sent to the /user/create endpoint was supposed to look like this:

But a search of the /user/create endpoint’s logs for the [email protected] account around the time the user was created, found JSON POST data starting with the following excerpt:

It was different to the normal requests, and had a long request body with dozens more fields all starting with the letter r . What was the attacker doing? All of these weird field names that weren’t part of the user model schema, which was:

After doing some testing like the scenario above showed, a few things were discovered.

First, the new user account’s password was apparently being saved to the database in plaintext. Not good! But what stuck out was that the application ignored the non-existent fields and just assigned the fields that were actually part of the User model schema.

The data from the new User document was sent back to the API client and the attacker could then infer which of the list of fields starting with r were part of the User model schema, because if a field existed it was saved and echoed back in the response with the other user data.

A search of the /user/create endpoint’s request log entries around the same time revealed that thousands of similar requests had been sent. Each request testing lists of possible field names in the User model schema.

It was concluded that the attackers had brute-forced HTTP requests with various field name guesses to enumerate the organization and role fields in the schema. Despite them not being referred to anywhere in the client-side JavaScript code, the attackers were able to discover these security-related field names.

So, if the attackers knew these field names, what would they do then? Well, this could have led to a possible mass assignment attack. After hours of reviewing logs for the POST /user/create and POST /user/update endpoints the incident response team found dozens of requests had been submitted to the application, which looked similar to:

The requests appeared to be successful. Each of the requests changed the organization to a different customer, essentially giving the attackers access to each of them as admins. The last request was:

This seemed to explain why [email protected] was an administrator in the Cowmoo Industries organization.

By exploiting this mass assignment vulnerability and adding themselves as the administrator for various customers, the attackers were able to access the organizations’ data within SuperCloudCRM and steal it.

Mass assignment by different names

The concept of mass assignment is known by different names in various programming languages or frameworks. NodeJS and Ruby on Rails call it mass assignment. It is referred to as autobinding in Java Spring MVC and ASP NET MVC. PHP calls it object injection.

Mass assignment under the hood

Let’s have a look at this vulnerable application in more detail by going through the server-side code.

The schema for the User model is defined here, with the user’s credentials, email address, plus their role and organization they belong to. During signup, the credentials and email address are the only values that are supposed to be supplied by the user and accepted by the application.

Firstly, let's recap what took place in the example above.

  • The User schema consisted of several fields: username, password, email, role and organization.
  • Only the username, password and email fields were sent from the web browser to the /user/create endpoint
  • The API endpoint used mass assignment to blindly assign any field from the POST request’s JSON data to the User model in the database (if the field existed in the User schema).
  • The attackers were able to determine the names of security-related fields in the schema (role and organization)
  • The attackers could supply arbitrary values for these fields when creating or updating a user account
  • This let the attackers add themselves to other organizations and elevate their privileges to those of an administrator

Here ( $user = new User($request->post()); ), the endpoint creates a new User object and in doing so, passes all contents of the POST request to the constructor. PHP can “smartly” figure out which parameters go to which attributes of the class; however, this isn’t so smart when those attributes are certain things that shouldn’t be assignable! Even if the form only accepts inputs with username , password and email , a malicious actor can guess the other forms and simply add those fields to the JSON manually. As PHP has no way of discerning what it receives from “good” and “bad”, it simply updates them all. If only there were a way to tell PHP exactly which fields we don’t want to be assignable like that!

Impacts of mass assignment

By exploiting mass assignment vulnerabilities, a malicious actor could create multiple security problems including

  • Data tampering : Attackers can modify sensitive information in the database, such as password or account balance
  • Data theft : Attackers can gain access to confidential information stored in the database
  • Elevation of privilege : Attackers can manipulate the properties of an object to gain additional privileges, such as administrator access
  • Unauthorized access : Attackers can manipulate the properties of an object to gain unauthorized access to sensitive resources

Scan your code & stay secure with Snyk - for FREE!

Did you know you can use Snyk for free to verify that your code doesn't include this or other vulnerabilities?

Mass assignment mitigation

Use an allowlist of fields that can be assigned to.

Most mass assignment libraries or helper libraries should provide the ability to restrict the fields that will be read from a request and assigned to the data model. By restricting the assignment of user-supplied fields to only fields in the schema that are known safe ones, the values of security-sensitive fields will be prevented from tampering.

Using this strategy, the code for the application would be changed to add an allowlist using the pick() method of the underscore package and listing the allowed fields in the userCreateSafeFields array:

Laravel provides a library, eloquent , which, among other things, introduces object injection protection features! It gives you the ability to indicate variables that can be assigned, or otherwise, you can indicate variables that you don’t want assignable. This means that when you use mass assignment to populate a class with request data, the Laravel backend can (with your guiding hand) separate POST request input data from fields that should be populated and those that should not!

Using this strategy, the code for the application can be changed to add an allow-list of class attributes, enforcing that only these will be updated:

Use a Data Transfer Object (DTO)

Another option is to create an intermediary object (the DTO) that only has safe, assignable properties, which would be a subset of the target object that has those same fields plus any sensitive fields. Using our User example, the DTO would be:

The mass assignment operation can assign any user-supplied data to the DTO without the risk of inadvertently assigning any sensitive fields. The DTO can be copied to the final object, and during this process, any sensitive fields can be set to secure default values.

This method might require much more coding though. DTOs need to be created for all classes with sensitive fields. If there are many schemas with sensitive fields that require corresponding DTOs, then this becomes nearly as much work as not using mass assignment.

Use a denylist to declare fields that can’t be assigned to

The opposite of using an allowlist to define fields that are allowed to be assigned is to use a denylist of fields that shouldn’t be assigned. Security wisdom says to use allowlisting over denylisting because it’s safer to accidentally not include a safe field than to accidentally omit a dangerous field. So, following this advice, a denylist would be the less preferred option of the two. If there are 50 fields in a schema and only one is security-sensitive, then it is obviously much quicker to just denylist the one sensitive field. The danger here though would be if additional sensitive fields were added to the schema later and the developer forgot to add them to the denylist, then you would have a mass assignment vulnerability.

To use denylists, the code for the application would be changed in a similar manner to the code shown in the allow-list strategy shown earlier, except it would use the omit() method of the underscore package and listing the disallowed fields in the userCreateDisallowedFields array:

To use deny-lists, the code for the application would be changed in a similar manner to the code shown in the allow-list strategy shown earlier, the only difference being the User class is changed to have a “hidden” array:

Utilize a static analysis tool

Adding a static application security testing ( SAST ) tool to your devops pipeline as an additional line of defense is an excellent way to catch vulnerabilities before they make it to production. There are many, but Snyk Code is our personal favorite, as it scans in real-time, provides actionable remediation advice, and is available from your favorite IDE.

Keep learning

To learn more about mass assignment vulnerabilities, check out some other great content:

  • OWASP guide to mass assignment vulnerabilties
  • Find mass assignment in our top 10 list

Congratulations

You have taken your first step into learning what mass assignment is, how it works, what the impacts are, and how to protect your own applications. We hope that you will apply this knowledge to make your applications safer.

We'd really appreciate it if you could take a minute to rate how valuable this lesson was for you and provide feedback to help us improve! Also, make sure to check out our lessons on other common vulnerabilities.

What is mass assignment?

Mass assignment is a type of security vulnerability that occurs when an application code allows user-provided data to be used to set properties on an object without verifying that the user has the right to do so.

What to learn next?

Runc process.cwd container breakout vulnerability, insecure default variable initialization, expression language injection (eli).

Mass Assignment

Introduction.

Software frameworks sometime allow developers to automatically bind HTTP request parameters into program code variables or objects to make using that framework easier on developers. This can sometimes cause harm.

Attackers can sometimes use this methodology to create new parameters that the developer never intended which in turn creates or overwrites new variable or objects in program code that was not intended.

This is called a Mass Assignment vulnerability.

Alternative Names

Depending on the language/framework in question, this vulnerability can have several alternative names :

  • Mass Assignment: Ruby on Rails, NodeJS.
  • Autobinding: Spring MVC, ASP NET MVC.
  • Object injection: PHP.

Suppose there is a form for editing a user's account information:

Here is the object that the form is binding to:

Here is the controller handling the request:

Here is the typical request:

And here is the exploit in which we set the value of the attribute isAdmin of the instance of the class User :

Exploitability

This functionality becomes exploitable when:

  • Attacker can guess common sensitive fields.
  • Attacker has access to source code and can review the models for sensitive fields.
  • AND the object with sensitive fields has an empty constructor.

GitHub case study

In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. GitHub's Blog Post .

  • Whitelist the bindable, non-sensitive fields.
  • Blacklist the non-bindable, sensitive fields.
  • Use Data Transfer Objects (DTOs).

General Solutions

An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.

Language & Framework specific solutions

Whitelisting.

Take a look here for the documentation.

Blacklisting

Nodejs + mongoose, ruby on rails, php laravel + eloquent, jackson (json object mapper).

Take a look here and here for the documentation.

GSON (JSON Object Mapper)

Take a look here and here for the document.

JSON-Lib (JSON Object Mapper)

Flexjson (json object mapper), references and future reading.

  • Mass Assignment, Rails and You

Authors and Primary Editors

Abashkin Anton - [email protected]

results matching " "

No results matching " ".

Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.

  • our pentesters
  • integrations

what-is-pentesting-icon

  • other cobalt offerings

Marketing & Strategy Blue Icon 61

  • get started

Cobalt-linkedin-img

Mass Assignment & APIs - Exploitation in the Wild

database mass assignment

The APIs (Application Programmable Interfaces) are widely used to power applications, and one of the popular choices for implementing API is  REST APIs . With this increase in popularity and usage, many security risks also come into the picture. 

APIs have their own  OWASP API Top 10  list, which describes the vulnerabilities commonly found in the APIs, including Mass Assignment. 

This blog will dive deeply into understanding and exploiting mass assignment vulnerabilities. 

Mass Assignment - A 20ft Overview: 

Modern frameworks allow developers a convenient mass assignment functionality that lets developers directly take a “user-supplied Key-Value Pair” input to the object database. This reduces the requirement of writing code for such custom Key-Value pairs and increases the development efficiency but at the cost of security risks if not implemented correctly. 

A mass assignment without a whitelist of allowed “Key-Value Pairs” could allow an attacker to use arbitrary values to create or update the resources abusing the applications’ regular workflow. Privilege escalation is one of the most common vulnerabilities arising from Mass Assignment vulnerability. 

According to OWASPthis  vulnerability  depends on the language/framework in question can have several alternative names:

Mass Assignment: Ruby on Rails, NodeJS.

Autobinding: Spring MVC, ASP NET MVC.

Object injection: PHP.

For example, consider an API that allows users to update their profile information. The API may accept a JSON payload that contains multiple fields such as name, email, and address. Without proper validation, an attacker can add additional fields such as "isAdmin":true” or "isSuperUser":true and gain elevated privileges as an admin or superuser. 

Let’s understand this attack further with the help of a vulnerable code snippet as described below: 

const express = require('express');

const app = express();

app.post('/users', (req, res) => {

  const newUser = {

    username: req.body.username,

    password: req.body.password,

    isAdmin: req.body.isAdmin

  };

  // Save new user to database

app.listen(3000, () => {

  console.log('Server started on port 3000');

In the above code, the “newUser” object is created from the request body without validation or filtering. An attacker can attempt to craft a request with an additional field named “isAdmin”:true and send it to the server to escalate the privileges. 

To remotely exploit this issue, an attacker can send a POST request with an additional "isAdmin" field set to "true" to register as an administrator. In this case, isAdmin is an optional body parameter.

POST /users HTTP/1.1

Host: example.com

Content-Type: application/json

  "username": "attacker",

  "password": "password",

  "isAdmin": true

Now, to mitigate this issue, simply adding a check to ensure that only the user with an admin session can trigger this parameter will fix the underlying vulnerability as described in below code: 

Const port = 3000;

    password: req.body.password

if (req.user.isAdmin && req.body.isAdmin) {

  // Only admins can set isAdmin field

  newUser.isAdmin = req.body.isAdmin;

app.listen(port, () => {

  console.log(`Server started on port {port}`);

Hunting for Mass Assignment Attack in the Wild - A Practical Approach

Mass Assignment is not necessarily to be found in the user profile to perform privilege escalations. You can find it on any API endpoint, which could be using a parameter of interest to the attacker, causing significant damage to the application and its user’s reputation. 

Note: Always read the API documentation to understand and identify interesting parameters/key-value pairs that could cause significant impact.

Let’s understand how to approach the Mass Assignment Attack in a black-box/grey-box assessment with the help of the “crAPI” Demo Lab. 

Locally set up the  crAPI demo lab .

Navigate to the shop -  http://127.0.0.1:8888/shop

Screenshot 2023-04-18 at 11.24.51 AM

Note that the Available Balance by default is $100, and now Buy any item while capturing the request in Burp Suite or another proxy tool. 

Send the Request to the repeater for later use.

Screenshot 2023-04-18 at 11.24.58 AM

Observe after purchasing the items; Available Balance is changed. 

Screenshot 2023-04-18 at 11.25.05 AM

In the repeater tab, modify the request by changing the request method to  GET  and adding â€œ/all” route to retrieve the information of all orders.

Screenshot 2023-04-18 at 11.25.11 AM

Observe that the application has returned all information about past orders.

Modify the request, and change the â€œall” to any random order ID. 

Send the request, and observe the methods allowed and the order status.

Screenshot 2023-04-18 at 11.25.17 AM

Again, modify the request by changing the request method to  PUT  and adding the status as a return.

Send the request and observe the error message in the response.

Screenshot 2023-04-18 at 11.25.23 AM-1

Send the request again by adding the status as returned and observing that the order status has changed to returned.

Screenshot 2023-04-18 at 11.25.32 AM

Navigate to the shop, and observe that credit transfers to the account.

Screenshot 2023-04-18 at 11.25.39 AM

In the above lab scenario, as an attacker, it was possible to mark a delivered item as returned to get the cashback allowing an attacker to financially abuse the application with the help of a mass assignment attack. 

Since now you know what chaos this attack can bring to the organization from the user integrity and the financial aspects, it is essential to understand how to implement a fix to prevent such attacks. 

Fixing Mass Assignment - Remediation Approach 

Some common ways to fix mass assignment issues include:

  • Disable Automatic Property Mapping: Ensure that your applications have the automatic mapping disabled and always map the properties manually.
  • Read-Only Key-Value Pairs: Ensure to set the fields retrieved from the “request body” that is not present in the “request body” should be read-only, and a user should not be allowed to tamper them.

You can find a detailed remediation guide  here .

References and Further Reads

https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html

https://www.impart.security/post/mass-assignment-101

https://crashtest-security.com/api-mass-assignment/

https://www.wallarm.com/what/mass-assignment

About Harsh Bothra

Related resources.

Pacman Attack Example

How Low Severity Vulns Become Critical: PACMAN Attack Example

A Pentester’s Guide to SQL Injection (SQLi) cover image

A Pentester’s Guide to SQL Injection (SQLi)

Common Network Security Vulnerabilities cover image

Common Network Security Vulnerabilities

Never miss a story.

  • schedule a demo
  • our platform
  • pentest services
  • agile pentesting
  • offensive security
  • cybersecurity services
  • enterprise solutions
  • resource library
  • events & webinars
  • vulnerability wiki
  • trust center
  • refer a friend

Cobalt-linkedin-img-alt

This is a title

Cobalt-twitter-X-img-alt

  • © 2023 Cobalt
  • terms of use
  • your privacy settings
  • do not sell my data

HatchJS Logo

HatchJS.com

Cracking the Shell of Mystery

Mass Assignment: How to Protect Your Application from Insecure Binder Configuration

Avatar

Mass Assignment: An Insecure Binder Configuration

In software development, mass assignment is the act of sending a large number of parameters to a function or method. This can be a useful technique for quickly creating new objects or updating existing ones. However, if not done correctly, mass assignment can also lead to security vulnerabilities .

One common way to implement mass assignment is to use a binder . A binder is a type of object that maps between a set of input parameters and a set of properties on an object. When mass assignment is used with a binder, the binder will automatically set the properties on the object to the corresponding values from the input parameters.

This can be a convenient way to create or update objects, but it can also be dangerous if the binder is not configured correctly. If a binder allows untrusted input, an attacker could use it to inject malicious code into an application. This could lead to a variety of security problems, such as cross-site scripting (XSS) , SQL injection , and remote code execution (RCE) .

In this article, we will discuss the risks of mass assignment and how to secure binder configurations. We will also provide some examples of how attackers can exploit insecure binder configurations.

By the end of this article, you will be able to:

  • Identify the risks of mass assignment
  • Understand how to secure binder configurations
  • Recognize the signs of an insecure binder configuration

| Column | Data | |—|—| | Name | Description | | Example | Vulnerability | | Mitigation | How to fix | |—|—|—| | `allow_all_fields` | Whether or not to allow all fields to be mass assigned. | `allow_all_fields = true` | This is a very insecure setting and should never be used. | Set `allow_all_fields = false`. | | `whitelist` | A list of fields that are allowed to be mass assigned. | `whitelist = [“name”, “email”]` | This is a more secure setting than `allow_all_fields = true`, but it is still possible to mass assign fields that are not in the whitelist. | Make sure the whitelist is as comprehensive as possible. | | `blacklist` | A list of fields that are not allowed to be mass assigned. | `blacklist = [“password”]` | This is the most secure setting, as it prevents all fields from being mass assigned except for those that are explicitly allowed. | Make sure the blacklist is as comprehensive as possible. |

Mass assignment is a vulnerability that allows an attacker to send a single request to a web application and modify multiple rows of data in a database. This can be done by sending a request with a list of values for each field of a table, or by sending a single value that is used to update multiple rows of data.

Mass assignment is a serious vulnerability because it can allow an attacker to take control of a web application or to steal sensitive data. In this blog post, we will discuss what mass assignment is, how it works, and how to prevent it.

  • What is mass assignment?

Mass assignment is a vulnerability that occurs when a web application allows an attacker to send a single request to update multiple rows of data in a database. This can be done by sending a request with a list of values for each field of a table, or by sending a single value that is used to update multiple rows of data.

For example, consider a web application that allows users to create and manage accounts. If the application is not properly configured, an attacker could send a request to create a new account with a list of usernames and passwords. This would allow the attacker to create multiple accounts with the same username and password, which could then be used to access the application.

Another example would be a web application that allows users to create and manage products. If the application is not properly configured, an attacker could send a request to update the price of all products in the database. This would allow the attacker to change the prices of all products, which could lead to financial loss for the company.

How does insecure binder configuration lead to mass assignment?

In order to prevent mass assignment, web applications typically use a binder to sanitize user input before it is used to update a database. The binder checks the input to make sure that it is in the correct format and that it does not contain any malicious code.

If the binder is not configured correctly, it may allow user input to be passed directly to the database. This could allow an attacker to send a request with a list of values for each field of a table, or with a single value that is used to update multiple rows of data.

How to prevent mass assignment

There are a number of ways to prevent mass assignment. Here are some tips:

  • Use a binder to sanitize user input. A binder is a security mechanism that can be used to prevent mass assignment. The binder checks the input to make sure that it is in the correct format and that it does not contain any malicious code.
  • Limit the number of rows that can be updated in a single request. This will help to prevent an attacker from sending a request to update multiple rows of data.
  • Use role-based access control. This will help to ensure that users only have access to the data that they need to access.
  • Monitor your web application for suspicious activity. This will help you to identify and respond to mass assignment attacks.

Mass assignment is a serious vulnerability that can allow an attacker to take control of a web application or to steal sensitive data. By following the tips in this blog post, you can help to prevent mass assignment and protect your web application from attack.

Additional resources

  • [OWASP Top 10: A1 – Injection](https://owasp.org/www-project-top-ten/2017/A1_Injection)
  • [Preventing Mass Assignment Attacks](https://www.owasp.org/index.php/Preventing_Mass_Assignment_Attacks)
  • [Mass Assignment Attacks: How to Prevent and Mitigate](https://www.cisa.gov/uscert/ncas/tips/ST16-008)

3. What are the risks of insecure binder configuration?

Insecure binder configuration is a serious security vulnerability that can allow attackers to bypass access controls and modify data in a database. This can lead to a variety of serious consequences, including data loss, data corruption, denial of service, and identity theft.

An attacker can use mass assignment to delete data from a database by sending a malicious request that contains a list of record IDs. The binder will then attempt to update each record with the data provided in the request, which could include a delete operation. If the binder is not configured correctly, it may not properly validate the request data and could delete records that the user does not have permission to delete.

Data corruption

An attacker can use mass assignment to modify data in a database by sending a malicious request that contains a list of record IDs and new data values. The binder will then attempt to update each record with the data provided in the request, which could include invalid or malicious data. If the binder is not configured correctly, it may not properly validate the request data and could update records with data that could corrupt the database.

Denial of service

An attacker can use mass assignment to make a web application unavailable by sending a malicious request that contains a large number of record IDs. The binder will then attempt to update each record with the data provided in the request, which could consume a significant amount of resources and slow down or crash the web application.

Identity theft

An attacker can use mass assignment to steal sensitive data, such as usernames, passwords, and credit card numbers, by sending a malicious request that contains a list of record IDs and the data values that they want to steal. The binder will then attempt to update each record with the data provided in the request, which could include the attacker’s own data values. If the binder is not configured correctly, it may not properly validate the request data and could update records with the attacker’s data values, which could then be used to steal the victim’s identity.

4. How can you prevent insecure binder configuration?

There are a number of steps that you can take to prevent insecure binder configuration, including:

  • Use a secure binder library. There are a number of secure binder libraries available that can help you to prevent insecure binder configuration. These libraries typically include features such as input validation, parameter binding, and type checking.
  • Configure the binder correctly. When you configure the binder, you should make sure to set the appropriate security options. For example, you should make sure that the binder only allows trusted users to update data in the database.
  • Sanitize user input before it is used to update a database. Even if you use a secure binder library and configure it correctly, you should still sanitize user input before it is used to update a database. This will help to protect your application from attacks that exploit vulnerabilities in the binder library.
  • Monitor your web application for signs of mass assignment attacks. You should monitor your web application for signs of mass assignment attacks. This can be done by using a security monitoring tool or by manually reviewing your application logs. If you detect any suspicious activity, you should investigate it immediately and take steps to mitigate the threat.

By following these steps, you can help to prevent insecure binder configuration and protect your web application from a variety of serious security vulnerabilities.

Q: What is mass assignment?

A: Mass assignment is a security vulnerability that occurs when an application allows an attacker to send a single request that sets multiple properties of an object. This can be exploited to create new users, modify existing users, or delete users.

Q: What is an insecure binder configuration?

A: An insecure binder configuration is a configuration that allows mass assignment to occur. This can happen when a developer forgets to add the `attr` or `only` parameters to a `Form::model()` or `Form::create()` call.

Q: What are the risks of mass assignment?

A: Mass assignment can allow an attacker to do the following:

  • Create new users with administrator privileges
  • Modify existing user accounts
  • Delete user accounts
  • Read sensitive data from user accounts

Q: How can I protect my application from mass assignment?

There are a few things you can do to protect your application from mass assignment:

  • Use the `attr` or `only` parameters to restrict the properties that can be mass assigned.
  • Use the `csrf_field()` helper to protect against cross-site request forgery (CSRF) attacks.
  • Use a framework that has built-in protection against mass assignment.

Q: What are some additional resources on mass assignment?

  • [Laravel’s documentation on mass assignment](https://laravel.com/docs/8.x/securitymass-assignment)
  • [The PHP Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/PHP_Security_Cheat_Sheet.html)
  • [OWASP’s Top 10 Most Critical Web Application Security Risks](https://owasp.org/www-project-top-ten/)

In this blog post, we discussed the security risks of mass assignment and how to secure your application against it. We covered the following topics:

  • How does mass assignment work?
  • What are the security risks of mass assignment?
  • How to secure your application against mass assignment

We hope that this blog post has helped you to understand the security risks of mass assignment and how to secure your application against it. If you have any questions or feedback, please feel free to contact us.

Key takeaways:

  • Mass assignment is a vulnerability that allows an attacker to send arbitrary data to a server-side application.
  • Mass assignment can be exploited to inject malicious code into a server-side application, which can lead to a variety of security breaches.
  • To secure your application against mass assignment, you should use a whitelist of allowed fields and use input validation to ensure that all data is properly sanitized.

Author Profile

Marcus Greenwood

Latest entries

  • December 26, 2023 Error Fixing User: Anonymous is not authorized to perform: execute-api:invoke on resource: How to fix this error
  • December 26, 2023 How To Guides Valid Intents Must Be Provided for the Client: Why It’s Important and How to Do It
  • December 26, 2023 Error Fixing How to Fix the The Root Filesystem Requires a Manual fsck Error
  • December 26, 2023 Troubleshooting How to Fix the `sed unterminated s` Command

Similar Posts

How to check if a checkbox is checked in c.

**Checkboxes are a common UI element that allow users to select multiple options from a set. In C, you can check if a checkbox is checked using the `IsChecked` property.** To check if a checkbox is checked, you can use the following code: c if (checkbox.IsChecked) { // The checkbox is checked. } else {…

How to Install a Hand-Held Bidet: A Step-by-Step Guide

How to Install a Hand-Held Bidet A hand-held bidet is a convenient and affordable way to add a touch of luxury to your bathroom. It’s also a great way to save water, as you only need a small amount of water to clean yourself. Installing a hand-held bidet is a simple DIY project that can…

How to Show the Desktop in Ubuntu 22.04

Ubuntu 22.04: A New Desktop Experience Ubuntu 22.04 LTS, codenamed “Jammy Jellyfish,” is the latest long-term support release of the popular Linux distribution. It was released on April 21, 2022, and is available for download now. Ubuntu 22.04 brings a number of new features and improvements to the desktop experience, including: A new user interface…

How to Select the Maximum Date in SQL

The Importance of Knowing How to Select the Max Date in SQL In a world where data is constantly being generated, it’s more important than ever to be able to quickly and easily find the most recent information. Whether you’re working with a database of customer records, sales figures, or product inventory, knowing how to…

How to Install Floating Shelves Without Brackets: A Step-by-Step Guide

Floating shelves are a great way to add storage and display space to your home, without the need for unsightly brackets. They’re also relatively easy to install, even if you’re not a DIY expert. In this article, we’ll show you how to install floating shelves without brackets. We’ll provide step-by-step instructions, as well as tips…

How to Find the Second Derivative of Parametric Equations

How to Find the Second Derivative of Parametric Equations Parametric equations are a powerful tool for describing curves and surfaces in mathematics. They can be used to represent everything from simple lines and circles to complex curves like the conic sections and the cycloid. In this article, we will show you how to find the…

DEV Community

DEV Community

Zubair Mohsin

Posted on Feb 20, 2020 • Updated on Jan 27, 2021

Understanding Mass Assignment in Laravel Eloquent ORM

Laravel Eloquent ORM provides a simple API to work with database. It is an implementation of Active Record pattern. Each database table is mapped to a Model class which is used for interacting with that table.

Mass Assignment

Let's break down this word.

  • Mass means large number
  • Assignment means the assignment operator in programming

In order to make developers life easier, Eloquent ORM offers Mass Assignment functionality which helps them assign (insert) large number of input to database.

Life, without Mass Assignment đŸ˜©

Let's consider that there is a form with 10 fields of user information.

and our Controller's store method looks like:

We are assigning each input manually to our model and then saving to database.

What if there was a way to insert all the coming input without the manual assignment?

Life, with Mass Assignment đŸ„ł

Laravel Eloquent ORM provides a create method which helps you save all the input with single line.

How cool is that, right? đŸ€“ With single line we are saving all input to database. In future, if we add more input fields in our HTML form, we don't need to worry about our saving to database part.

Input fields name attribute must match the column name in our database.

Potential Vulnerability

For the sake of understanding, let's consider that we have an is_admin column on users table with true / false value.

A malicious user can inject their own HTML, a hidden input as below:

With Mass Assignment, is_admin will be assigned true and the user will have Admin rights on website, which we don't want 😡

Avoiding the vulnerability

There are two ways to handle this.

  • We can specify (whitelist) which columns can be mass assigned.

Laravel Eloquent provides an easy way to achieve this. In your model class, add $fillable property and specify names of columns in the array like below:

Any input field other than these passed to create() method will throw MassAssignmentException .

  • We can specify ( blacklist ) which columns cannot be mass assigned.

You can achieve this by adding $guarded property in model class:

All columns other than is_admin will now be mass assignable.

You can either choose $fillable or $guarded but not both.

So there you have it. Happy Mass Assigning with Laravel Eloquent đŸ„ł đŸ‘šđŸœâ€đŸ’»

Top comments (7)

pic

Templates let you quickly answer FAQs or store snippets for re-use.

mazentouati profile image

  • Location The Netherlands
  • Education Media Engineering Master's degree
  • Work Back-end developer
  • Joined Nov 6, 2018

Great breakdown I would like to add these extra tips:

If all of your table fields are fillable you should consider using protected $guarded = []

You can use $request->only(array $fields) to pick only certain columns.

Assuming you're using Laravel form request ( learn more here ) you can simply use $request->validated() to get the validated data.

PS: for tip 2 & 3 you probably should opt for protected $guarded = []

zubairmohsin33 profile image

  • Email [email protected]
  • Location Lahore, Pakistan
  • Education BS(Computer Sciences)
  • Work Engineering Lead at ThePacketHub
  • Joined Mar 4, 2019

Hey thank you so much for sharing these tips. There are multiple ways to achieve the same objective. To get better understanding, I kept the options minimal.

wakeupneo47 profile image

  • Location Turkey
  • Work Laravel Developer
  • Joined Feb 23, 2021

Great job , great explanation.

victorallen22 profile image

  • Location Nairobi, Kenya
  • Joined Sep 21, 2017

Very well put...you got me sorted! Thanks for sharing 👍

roelofjanelsinga profile image

  • Email [email protected]
  • Location Groningen, The Netherlands
  • Education Hanzehogeschool Groningen
  • Work Owner of Plant care for Beginners
  • Joined Aug 26, 2019

I've used Laravel professionally for 5 years and even though I assumed this is how it worked, I learned something new here! Great post, thank you for this!

Awesome :) Glad you liked it.

ypaatil profile image

  • Joined Oct 1, 2021

Great job. You are cleared my concept.

Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink .

Hide child comments as well

For further actions, you may consider blocking this person and/or reporting abuse

gaurbprajapati profile image

Why Python has No REAL Private Method :- Understanding the Absence of True Private Methods in Python.

gaurbprajapati - Jan 23

manthanank profile image

Building an OTP Verification System with Node.js and MongoDB

Manthan Ankolekar - Feb 14

drsimplegraffiti profile image

Manual Mapping .NET Web Api

Abayomi Ogunnusi - Jan 22

philhawksworth profile image

Netlify tip: Explore and download assets generated by your builds

Phil Hawksworth - Feb 12

Once suspended, zubairmohsin33 will not be able to comment or publish posts until their suspension is removed.

Once unsuspended, zubairmohsin33 will be able to comment and publish posts again.

Once unpublished, all posts by zubairmohsin33 will become hidden and only accessible to themselves.

If zubairmohsin33 is not suspended, they can still re-publish their posts from their dashboard.

Once unpublished, this post will become invisible to the public and only accessible to Zubair Mohsin .

They can still re-publish the post if they are not suspended.

Thanks for keeping DEV Community safe. Here is what you can do to flag zubairmohsin33:

zubairmohsin33 consistently posts content that violates DEV Community's code of conduct because it is harassing, offensive or spammy.

Unflagging zubairmohsin33 will restore default visibility to their posts.

DEV Community

We're a place where coders share, stay up-to-date and grow their careers.

database mass assignment

Mass Assignment

  • September 30, 2023

# Mass Assignment

Many web-frameworks automate the process of assigning parameters from an incoming HTTP request to the fields on an in-memory object. You need to ensure that you are using assignment logic in your code in such a way that only permitted fields are written to. Otherwise, an attacker can perform a **mass assignment** attack, overwriting sensitive data fields (like permissions and roles) they should not be able to access.

## Mass Assignment in JavaScript

A common design pattern is to take data from an HTTP request – either the HTTP parameters or from JSON in the body of the request – and to update the contents of an object in-memory or in the database. JavaScript’s object syntax makes this very easy, since every object is made up of dynamically assigned properties. It is easy to write code that takes untrusted input and allows an attacker to overwrite unintended properties.

For example, consider the following code that allows a user to update their profile details in the database:

This code is vulnerable to a *mass assignment* attack since the properties are not being specifically enumerated in the server-side code. An attacker can simply modify the names of the form fields (or add extra) and directly manipulate their profile in the database, setting administrative flags as they see fit.

When taking data from an HTTP request, the properties of the data-object being updated *must* be explicitly stated in server-side code:

Mass assignment vulnerabilities are especially common when taking JSON from the HTTP request and updating in-memory JavaScript objects. You need to be sure you are only updating properties you expect to change, by enumerating them your server-side code.

* [CWE-915] (https://cwe.mitre.org/data/definitions/915.html)

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

See for yourself – run a scan on your code right now

Newsletter sign up.

Stay informed of the latest news and critical events in AppSec space:

  • Leadership Team

Platform Overview

  • Integrations
  • Code Property Graph

Platform Components

  • Intelligent SCA
  • Press & News
  • Privacy Policy
  • Terms of Service

© 2023 Qwiet. All rights reserved.

HackerWhite

  • Vulnerability 101

Mass Assignment Vulnerability: Understanding & Mitigating the Risks in API

Mass assignment vulnerability is a critical security concern that often goes unnoticed in API development. Understanding the risks associated with this vulnerability is crucial for protecting sensitive user data. In this article, we will delve into the details of mass assignment vulnerabilities and explore effective mitigation strategies.

Table of Contents

Introduction:.

The "Mass Assignment" vulnerability is a security flaw that occurs when an application assigns user input directly to model attributes without proper validation or sanitization. This can lead to unauthorized access and modification of sensitive data, potentially compromising the security of the application and its users.

Addressing the "Mass Assignment" vulnerability is crucial for developers as it can have serious consequences, including data breaches, unauthorized access, and legal implications. Understanding and mitigating this vulnerability is essential to ensure the integrity and security of an application.

Understanding the "Mass Assignment" Vulnerability:

The "Mass Assignment" vulnerability occurs when an attacker is able to manipulate the values of model attributes by submitting unexpected or malicious data. This can happen when developers use frameworks or libraries that automatically map user input to object properties without proper validation or filtering.

Common scenarios where developers may unintentionally introduce the "Mass Assignment" vulnerability include:

  • Using frameworks or libraries that provide automatic mapping of user input to object properties without considering the security implications.
  • Allowing users to submit data that directly maps to sensitive attributes without proper validation.
  • Failing to implement proper input validation and sanitization techniques.

The impact of the "Mass Assignment" vulnerability can be severe. Attackers can exploit this vulnerability to gain unauthorized access to sensitive data, modify user privileges, or even execute arbitrary code on the server. This can lead to data breaches, compromised user accounts, and potential legal issues.

Common Examples of "Mass Assignment":

There are several common examples of the "Mass Assignment" vulnerability. Let's explore a few of them:

User Profile Update: Suppose an application allows users to update their profile information, including their email address and password. If the application blindly maps user input to the corresponding model attributes without proper validation, an attacker can manipulate the request to update other sensitive fields such as admin privileges.

Role-Based Access Control: In applications with role-based access control, developers often use a single parameter to assign roles to users. If this parameter is not properly validated, an attacker can modify it to gain unauthorized access to sensitive functionality or elevate their privileges.

API Endpoints: APIs that accept JSON or XML payloads are also susceptible to the "Mass Assignment" vulnerability. If the API endpoint maps the incoming request directly to model attributes without proper validation, an attacker can manipulate the payload to modify sensitive data or gain unauthorized access.

These examples highlight the importance of implementing proper validation and sanitization techniques to mitigate the risks associated with the "Mass Assignment" vulnerability.

Risks and Consequences:

The "Mass Assignment" vulnerability poses significant risks and consequences for both developers and users. Some of the potential risks and consequences include:

Data Breaches: Exploiting the "Mass Assignment" vulnerability can lead to unauthorized access to sensitive data, including personal information, financial records, and confidential business data. This can result in serious privacy breaches and financial losses.

Unauthorized Access and Privilege Escalation: Attackers can manipulate the values of model attributes to gain unauthorized access to restricted functionality or elevate their privileges within the application. This can lead to unauthorized actions, such as modifying critical settings, accessing sensitive data, or impersonating other users.

Reputation Damage: Security breaches resulting from the "Mass Assignment" vulnerability can severely damage the reputation of the application and its developers. Users lose trust in the application's ability to protect their data, leading to a loss of user base and potential legal consequences.

Legal Implications: Depending on the nature of the application and the data involved, security breaches resulting from the "Mass Assignment" vulnerability can have legal implications. Developers may face legal actions, regulatory fines, and potential lawsuits for failing to protect user data adequately.

Real-world examples of security breaches resulting from the "Mass Assignment" vulnerability include the 2012 GitHub incident, where an attacker exploited the vulnerability to gain administrative access to repositories. This incident highlighted the severity and impact of this vulnerability.

Best Practices for Mitigating the "Mass Assignment" Vulnerability:

To mitigate the risks associated with the "Mass Assignment" vulnerability, developers should follow these best practices:

Whitelist Input Validation: Developers should implement strong input validation techniques to ensure that only expected and valid data is accepted. This includes whitelisting allowed attributes and rejecting any unexpected or malicious input.

Use Role-Based Access Control (RBAC): Implement RBAC to control user privileges and access to sensitive functionality. Do not rely solely on user input to determine roles and permissions.

Implement Attribute-Level Access Controls: Instead of blindly mapping all user input to corresponding attributes, developers should implement attribute-level access controls. This ensures that only authorized users can modify specific attributes.

Sanitize and Filter User Input: Before assigning user input to model attributes, developers should sanitize and filter the data to remove any potential malicious content. This includes validating data types, length restrictions, and ensuring data integrity.

Implement Secure Coding Practices: Follow secure coding practices, such as avoiding dynamic attribute assignment, using strong encryption for sensitive data, and regularly updating frameworks and libraries to their latest secure versions.

Regular Security Testing and Auditing: Conduct regular security testing and auditing of the application to identify and mitigate any vulnerabilities, including the "Mass Assignment" vulnerability. This includes penetration testing, code review, and vulnerability scanning.

Tools and Resources:

To aid developers in addressing the "Mass Assignment" vulnerability, the following tools, libraries, and resources can be helpful:

OWASP Cheat Sheet - Mass Assignment: The OWASP Cheat Sheet provides guidelines and recommendations for securing web applications against the "Mass Assignment" vulnerability. It offers practical advice and code snippets for developers to implement secure coding practices.

Security-Focused Libraries and Frameworks: Many programming languages and frameworks provide security-focused libraries and modules that can help mitigate the "Mass Assignment" vulnerability. Examples include Django's ModelForm, Laravel's Mass Assignment Protection, and Ruby on Rails' Strong Parameters.

Platform-Specific Security Guidelines: Developers should refer to platform-specific security guidelines and resources provided by the framework or platform they are using. These guidelines often include best practices and recommendations for securing applications against common vulnerabilities, including "Mass Assignment."

Code Review and Testing Tools: Developers should leverage code review and testing tools to identify and mitigate the "Mass Assignment" vulnerability. Tools like SonarQube, OWASP ZAP, and Burp Suite can help identify security flaws in the code and test the application for vulnerabilities.

The Role of Security Testing and Auditing:

Regular security testing and auditing play a crucial role in identifying and mitigating the "Mass Assignment" vulnerability. Various testing techniques can be employed, including:

Penetration Testing: Conducting penetration tests can help identify vulnerabilities and potential attack vectors, including the "Mass Assignment" vulnerability. Ethical hackers simulate real-world attacks to identify security weaknesses and provide recommendations for improvement.

Code Review: Manual code review or automated tools can help identify insecure coding practices, including instances of the "Mass Assignment" vulnerability. Developers should review their code regularly and ensure it follows best practices for secure coding.

Vulnerability Scanning: Automated vulnerability scanning tools can scan the application for known vulnerabilities, including the "Mass Assignment" vulnerability. These tools can help identify potential weaknesses and provide guidance on how to address them.

By employing these testing techniques, developers can proactively identify and mitigate the "Mass Assignment" vulnerability, ensuring the security and integrity of their applications.

Conclusion:

Addressing the "Mass Assignment" vulnerability is crucial for developers to protect the integrity and security of their applications. By understanding the definition, risks, and consequences of the vulnerability, developers can take proactive measures to mitigate its impact.

Implementing best practices, such as whitelisting input validation, utilizing role-based access control, and regular security testing and auditing, can significantly reduce the risks associated with the "Mass Assignment" vulnerability.

Secured High Growth Companies Worldwide

Hire a fractional, remote cybersecurity consultant for all of your cybersecurity needs

  • Share this article:

API6:2019 — Mass assignment

The API takes data that client provides and stores it without proper filtering for whitelisted properties. Attackers can try to guess object properties or provide additional object properties in their requests, read the documentation, or check out API endpoints for clues where to find the openings to modify properties they are not supposed to on the data objects stored in the backend.

The API works with the data structures without proper filtering and blindly stores payloads as objects.

  • The API works with the data structures without proper filtering.
  • NodeJS: var user = new User(req.body); user.save();
  • Rails: @user = User.new(params[:user])
  • Attackers can guess the fields by looking at the GET request data.

How to prevent

  • Do not automatically bind incoming data and internal objects.
  • Explicitly define all the parameters and payloads you are expecting.
  • Use the readOnly property set to true in object schemas for all properties that can be retrieved through APIs but should never be modified.
  • Precisely define the schemas, types, and patterns you will accept in requests at design time and enforce them at runtime.

Copyright 42Crunch 2021

Many web-frameworks automate the process of assigning parameters from an incoming HTTP request to the fields on an in-memory object. You need to ensure that you are using assignment logic in your code in such a way that only permitted fields are written to.

database mass assignment

Mass assignment vulnerabilities allow an attacker update state they should not be permitted to change, which is often an easy way to escalate privileges.

Anatomy of a Mass Assignment Attack

A common design pattern is to take data from an HTTP request - either the HTTP parameters or from JSON in the body of the request - and to update the contents of an object in-memory or in the database. Using modern web-frameworks, it is easy to write code that takes untrusted input and allows an attacker to overwrite unintended properties.

For example, consider the following code samples that allow a user to update their profile details in the database:

These examples are vulnerable to a mass assignment attack since the properties are not being specifically enumerated in the server-side code. An attacker can simply modify the names of the form fields (or add extra) and directly manipulate their profile in the database, setting administrative flags as they see fit.

When taking data from an HTTP request, the properties of the data-object being updated must be explicitly stated in server-side code:

Use Strong Parameters to safely assign values from the HTTP request to an ActiveModel object:

Further Reading

  • Mass Assignment in Ruby on Rails

Related Vulnerabilities

database mass assignment

Popular with:

Application security, what is mass assignment.

Have you ever wondered about the potential dangers of seemingly innocent features within your codebase?

Mass Assignment - a seemingly innocent feature that can play the role of either your app's Achilles' heel or a hidden shield against security breaches.

Back in 2012, GitHub learned their lesson the hard way when a seemingly innocent feature turned into a gaping security hole. A GitHub user exploited a Mass Assignment vulnerability in the public key update form, enabling them to add their public key to an organization they didn't belong to - the Ruby on Rails organization, no less!

Mass Assignment refers to the process of directly assigning values to object properties during data processing, often done through user input. While seemingly innocuous, improper handling of this feature can lead to unauthorized access, data manipulation, and potential security breaches.

Understanding Mass Assignment in Web Development

When it comes to web application development, Mass Assignment is a pivotal concept that can either empower users or expose your application to grave security risks. In simple terms, Mass Assignment allows users to submit data that is then used to update the corresponding model attributes with ease. It streamlines the process, enabling developers to set multiple attributes of a model using a single request, which significantly enhances efficiency and user experience.

However, behind this seemingly convenient feature lies a potential Pandora's box. If not handled diligently, Mass Assignment can become a lurking vulnerability, granting unauthorized users access to sensitive areas and the ability to tamper with critical data. One wrong move and your application might be susceptible to data breaches, malicious exploits, and even complete system compromise

How Mass Assignment Works

Mass Assignment works like a well-choreographed dance, seamlessly linking user input to the attributes of the underlying data model. In the world of web applications, it streamlines the process of updating object properties, making it feel effortless.

When a user submits a form with various fields, such as username, email, and role. As this data reaches the server, the application takes center stage. It extracts the user's input, typically through request parameters or form data. Here comes the best part - the application dynamically maps the data from user input to the corresponding attributes of the underlying data model.

In our earlier example, the data sent by the user would be mapped to the User model's username, email, and role attributes. Thanks to Mass Assignment, developers don't need to tediously set each attribute manually; instead, the data is automatically assigned to its rightful place.

The Security Implications of Mass Assignment

Ah, Mass Assignment, the seemingly innocent enabler of web application efficiency! But beware, for beneath its charm lies a world of security implications that demand our utmost attention. 

Unauthorized Changes to Critical Attributes

Mass Assignment can be exploited by attackers to manipulate crucial attributes, granting them unauthorized access and control over sensitive functionalities. For example, an attacker could elevate their privileges by updating a role attribute from a regular user to an admin, potentially compromising the entire system.

Manipulation of Hidden or Restricted Attributes

Crafty attackers may attempt to manipulate attributes that are not directly exposed in forms or interfaces but play a crucial role in the application's functionality. These hidden attributes could be mistakenly updated through Mass Assignment that leads to unforeseen consequences or security vulnerabilities.

Data Breaches and Exposure of Sensitive Information

Mass Assignment could inadvertently allow attackers to update sensitive data fields that should remain restricted. For instance, a user might have access to their own account details but could manipulate the request to modify someone else's private information, potentially leading to data breaches and privacy violations.

Elevated Privileges

Mass Assignment can enable attackers to grant themselves elevated privileges by modifying attributes related to user roles or permissions. This may give them access to administrative functions or other sensitive areas within the application.

Injection Attacks

Attackers can use Mass Assignment as a vector to inject malicious code into the application, causing it to execute unintended actions or open security vulnerabilities.

Data Corruption

Improper Mass Assignment handling can lead to unintended updates to data, potentially corrupting the database or causing unintended side effects

How to Mitigate the Security Risks of Mass Assignment

  • Whitelist Allowed Attributes. Implement a whitelist approach where you explicitly define the attributes that are allowed to be updated through Mass Assignment. This restricts the input to only those attributes deemed safe, preventing attackers from manipulating critical or restricted fields.
  • Blacklist Unsafe Attributes. On the flip side, maintain a blacklist of attributes that should never be updated using Mass Assignment. By explicitly excluding certain attributes, you can safeguard against potential vulnerabilities.
  • Use Role-Based Access Control (RBAC). Role-Based Access Control ensures that users can only update attributes based on their roles and permissions. This prevents unauthorized elevation of privileges and unauthorized data access.
  • Sanitize and Validate Input. Always validate and sanitize the user input before processing it through Mass Assignment. Ensure that the data adheres to the expected format and is free from malicious content to prevent injection attacks.
  • Employ Strong Authentication and Authorization. Robust authentication mechanisms and authorization checks ensure that only authorized users have access to sensitive functionalities.
  • Implement Two-Factor Authentication (2FA). For critical operations, Two-Factor Authentication adds an extra layer of security to reduce the risk of unauthorized access even if an attacker gains control over user credentials.
  • Monitor and Log Activities. Comprehensive logging and monitoring mechanisms help to keep track of Mass Assignment activities. Regularly review the logs to detect any suspicious behavior and respond promptly to potential threats.
  • Regular Security Audits. Conduct regular security audits and code reviews to identify potential vulnerabilities related to Mass Assignment or other aspects of your application's security.
  • Keep Dependencies Up-to-date. Ensure that all third-party libraries and frameworks used in your application are up-to-date, as outdated dependencies may have known vulnerabilities that attackers can exploit.
  • Educate Developers. Train your development team about the security risks associated with Mass Assignment and educate them on best practices for secure coding.

AppSecEngineer Empowering Users without Compromising Security

As security-conscious developers and engineers, we must strive to strike the delicate balance between user empowerment and safeguarding our applications against potential vulnerabilities. 

Now, to take our security practices to the next level, we can be your ally that can significantly boost our defenses. As a full-stack application security platform, AppSecEngineer equips security engineers with a comprehensive suite of tools and features to detect, prevent, and remediate security threats.

With AppSecEngineer backing you up, you can confidently showcase your expertise as a security engineer , impress potential employers, and increase your chances of landing interviews in the competitive information security landscape.

Abhay Bhargav

Abhay Bhargav

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA. He loves golf (don't get him started).

Abhay Bhargav

Teams that train together, work together

database mass assignment

Contact Support [email protected] ‍ 1603 Capitol Avenue, Suite 413A #2898, Cheyenne, Wyoming 82001, United States

Test Library

Search for API Security Tests

API Security

How to Test Mass Assignment in APIs using Akto

This blog is about learning mass assignment vulnerability, how to find it manually, how to test for it using Akto and finally how to prevent it.

Test mass assignment vulnerability

In 2017, Equifax, an American multinational consumer credit reporting agency, experienced a data breach . Hackers exploited a vulnerability in Equifax's web application that allowed them to access sensitive personal information of millions of customers. The vulnerability was caused by an unpatched version of Apache Struts, a popular open-source framework used for building web applications. The hackers were able to exploit the vulnerability to gain access to sensitive data by modifying the values of certain parameters using a technique called mass assignment . The result was a massive data breach that compromised the personal information of millions of people, causing widespread damage and leading to numerous lawsuits and investigations.

This highlights the importance of properly securing APIs, particularly from mass assignment vulnerabilities, through regular testing and validation of user input, as well as limiting the properties that can be modified through user input. In this blog, we will cover the following:

1. What is Mass Assignment?

2. How to find Mass Assignment Vulnerability?

3. Automation with Akto

4. How to prevent mass assignment?

What is Mass Assignment?

Mass Assignment vulnerability is a security flaw that can occur in API when user input is directly used to modify the properties of an object. This can allow attackers to modify data and perform unauthorized actions on an application. To prevent this vulnerability, it is important to validate and sanitize user input, and to limit the properties that can be modified through user input. Mass Assignment is one of the OWASP Top 10 API vulnerabilities. Therefore, it is crucial to test for it from a security standpoint.

OWASP API Top 10: https://owasp.org/www-project-api-security/

How to find Mass Assignment Vulnerability?

The most effective method to discover mass assignment vulnerabilities in an API endpoint is by analyzing an it’s requests and responses. The recommended tool for this task is a web application scanner, such as BurpSuite.

Steps to find APIs with potential Mass Assignment vulnerability:

1. Turn on the Burp Suite proxy and start visiting every endpoint in a web application. Focus on endpoints that allow a user to create resources into the application such as creating account, updating, creating wallet or inviting a user.

2. Once you have added the target to the scope in BurpSuite, try to interact with the application in a variety of ways. This could include submitting different types of input or performing different actions within the application.

3. If you encounter any parameters or variables in the response that are being assigned to the user, take note of them. These variables can often be manipulated to gain access to sensitive data or functionality. For example, variables like " role:authenticated ", " role:customer ", " balance:0 ", " timestamp:XX ", " user_id:XXX ", etc.

4. Additionally, make sure to explore all of the functionality of the application, including any areas that may not be immediately obvious. This can help you identify additional vulnerabilities that may not be apparent at first glance.

Let's assume that, after account creation, you find a variable in the response such as " role:customer ". The server assigns this "role" variable to identify the user's role and assign privileges accordingly.

How to exploit manually?

To perform this test, follow the steps below:

1. Search for the request that assigns a role to the user on the server-side.

2. Once you have found the request, try modifying the JSON data of the request by changing the value of the variable that assigns the user's role (e.g., "admin").

3. Analyze the response from the server. If the response returns " role:admin ", it means that the variable has been successfully overwritten by the user.

4. Another way to exploit is to attempt various HTTP methods such as POST, PUT, and PATCH, and send the request.

5. To confirm the vulnerability, return to the application and check if there are any additional features or pages that you can now access. For example, you may be able to access a page that previously displayed a 403 error, or access the admin dashboard.

6. If you can access additional features or pages, it is likely that the application is vulnerable to a privilege escalation attack, and further investigation is required.

Test for Mass Assignment using the best proactive API Security product

Our customers love us for our proactive approach and world class API Security test templates. Try Akto's test library yourself in your testing playground. Play with the default test or add your own.

Start Testing

How much time does it take?

Finding and exploiting vulnerabilities in an API endpoint can take hours or even days to complete. The duration depends on the number of API endpoints and their complexity which is too cumbersome.

Automation with Akto

Each step I described above takes time and requires proper analysis of requests and responses. Doing so manually, could take hours or even days, depending on the complexity of the APIs. Just imagine doing this for thousands of APIs! It sounds difficult, right?

Akto can make this task easier for you by scanning thousands of endpoints with just one click!

If you have not yet installed Akto, you can do so from the Akto GitHub page along with the Akto extension in Burp Suite. For demonstration purposes, we will use OWASP Juice Shop .

Akto Burp Extension

There are multiple ways to create an API inventory in Akto that work in both the Community and Professional editions. You can do this by importing a .har file or forwarding traffic from BurpSuite.

Steps to Create API Inventory using Akto Extension:-

1. Run Akto in docker

2. Launch BurpSuite

3. Download Akto Burp extension. Check this out for setup.

4. Turn on burp proxy and browse the target application

database mass assignment

While browsing, you will soon notice that the Akto extension captures many requests. To filter the requests you are interested in, simply left-click on the target request and choose "Use Request.path Value as Log Filter". This will automatically add a filter to the filter bar since the extension captures all requests from the proxy tab.

database mass assignment

Open the Akto Dashboard, where you will be able to see that an API Inventory is created automatically with a name. The default name of the collection is " burp ," but it can be changed through the "options" menu in the Akto burp extension.

Exploitation: Run Test

database mass assignment

Click on "Run Test". A "Configure Test" box will pop up, asking for the vulnerabilities you want to test for. Select and deselect as needed, then run the test. Afterward, move to the "Testing" tab to see the status of the test.

database mass assignment

As you can see, I've selected Mass Assignment for my testing and left the other default settings as they are.

Findings: Test Results

Move to the Testing tab to see test results

database mass assignment

Below, you can see a list of endpoints that were tested, along with their severity. Since I wanted to test for mass assignment, I selected "Mass Assignment" from the " Issue Category " tab to filter the endpoints that are vulnerable to mass assignment.

Clicking on the first request, I can see three options – “Description, Original, Attempt”.

Description: Information about the found vulnerability.

Original : Intended or normal client request and response.

Attempt : Akto attempt to exploit the vulnerability.

database mass assignment

In the original tab request, we can see that the response says "role:customer". Therefore, this is the variable that the server is using to assign roles and privileges. In this case, it's a customer role with fewer privileges.

database mass assignment

Now switch to the attempt option, the Akto engine was able to identify the variable used and hence tried assigning " role:admin " by sending a request to the server. The server updated the variable value to "admin," leading to a successful mass assignment exploitation. Now, any normal user can become an admin just by assigning a variable in the client request, which is a critical vulnerability We found it in just seconds.

When to use Burp vs Akto?

Both manual and automated testing are helpful for detecting vulnerabilities in an API endpoint. When you have just deployed a new API inventory, start by testing in Akto to cover all the popular mass assignment vulnerability attacks. After you finish testing, manually explore the critical APIs in Burp to find vulnerabilities you couldn’t find using Akto. This approach can help you save time and focus on critical endpoints.

How to Prevent it?

APIs take input inside the JSON body and set data according to it. Therefore, it is vulnerable to injection attacks. The most important step is input sanitization to prevent such attacks. Also, here are some additional points to keep in mind while writing code.

Limit the properties that can be modified by the user. It can be done by ensuring that the payload meets the defined schema, and rejecting any payload that does not.

Whitelist or blacklist to specify which properties can or cannot be updated by the client. If your system allows it, try making properties read-only using the @read-only annotation.

If possible, use a separate API endpoint for admin functionality instead of using parameters to assign roles to the user in the same API endpoint.

Try to avoid using functions like unserialize() in PHP applications.

When using ASP.NET Core or Apache Structs, automatic binding of request parameters into objects can sometimes cause issues. In such cases, use the [Bind] attribute model to select only bindable attributes.

Provide explicit definitions for all the parameters that the server is expecting, as well as those that it is not expecting.

Getting Started

Start your API testing with Akto. You can download it from the GitHub page and follow the instructions for a successful installation. Also, don't forget the BurpSuite Akto extension, which you can download by following steps from here .

Looking forward to hearing from you. Please let us know if you have any ideas that you would like us to include.

Happy API security testing!

Share this post

Monthly product updates in your inbox. no spam., keep reading.

Akto GenAI Security Platform

Product updates

Introducing Akto’s GenAI Security Testing Solution

Today, We launched Akto's GenAI Security Testing solution, an unparalleled automated approach that directly addresses LLM Security challenges. The solution is currently in closed beta.

LLM Model Risks

LLM Risks: Insights & Real-World Case Studies

LLM security involves protecting AI systems like ChatGPT, Bard from potential risks such as biased outputs, malicious use and maintaining privacy in their applications.

Insecure Output Handling

Insecure Output Handling in LLMs: Insights into OWASP LLM02

This blog is about "Insecure Output Handling" that pertains to the potential risk that may arise when the content generated by an LLM is not adequately sanitized or filtered prior to being presented to the end user.

VAADATA – Ethical Hacking Services

What is Mass Assignment? Attacks and Security Tips

What is a mass assignment vulnerability.

database mass assignment

To make things easier for developers, many frameworks include features that automatically associate the parameters of an HTTP request with variables linked to an object in the application code.

A Mass Assignment vulnerability occurs when the server does not correctly filter the data transmitted by the user and associates it directly with an object without verification.

In this way, an attacker can add new parameters to the HTTP request, which will create or replace variables in the application code although this was not initially intended.

Depending on the framework, these are also known as “autobinding” or “object injection” vulnerabilities.

Impact of a Mass Assignment vulnerability

The main impact of a Mass Assignment vulnerability is linked to modifying or creating variables. Depending on the variables or objects affected, the impact can be more or less significant, ranging from the simple modification of a value with no impact to a privilege escalation.

Indeed, when the vulnerability is present in a feature linked to the creation or modification of users, it is not uncommon to be able to escalate privileges.

This was the case, for example, on the Github platform in 2012, when a Mass Assignment vulnerability enabled users to upload their SSH public key to any organisation, potentially resulting in a massive data leak.

Such a vulnerability is not to be taken lightly, as it can have a severe impact.

How to identify this type of vulnerability?

As an attacker or pentester does not necessarily have a list of all the variables and values associated with the modified object on the server side, identifying a Mass Assignment vulnerability can be complex.

Depending on the technical conditions of the pentest, here are a few ways of identifying this type of security flaw:

  • In white box, i.e. with access to the source code, it is possible to refer to the data models to identify sensitive fields that would not be transmitted by default in HTTP requests.
  • Without access to the source code, this is more complex. One technique is to test known or probable parameters. This involves fuzzing the parameters. For example, adding a “role” field to the user creation request with standard values such as “admin” or “root” can lead to a privilege escalation in the event of Mass Assignment.
  • In some cases, using the API documentation, it is possible to identify parameters that are not used by default. For example, with access to the introspection of a GraphQL API, i.e. to the list of fields associated with an entity, it is possible to try to add a variable in certain queries or mutations in the hope that this will be taken into account.
  • Another technique is to observe the server responses. If additional fields are returned, it may be useful to reuse them in requests to detect Mass Assignment. Let’s imagine, for example, that we have access to the list of users. If you access the API route used to list users, you can see a “role” field associated with each user in the server response. It may therefore be useful to add this role parameter with a valid value in the request used to modify the profile information or the request used to create a user.

What are the common exploits of Mass Assignment vulnerabilities?

Mass assignment and privilege escalation.

During a grey box pentest , we had access to an application with several levels of user privileges. We had a user access (not admin), but which nevertheless allowed us to create other users with the same level of privileges.

Using the graphic interface, the request to add a user looked like this:

database mass assignment

The content of the server response in JSON was as follows:

database mass assignment

As we can see, a “Profiles” field is returned in the JSON object corresponding to the new user we have just created. It seems to correspond to the user’s rights. This field has been added automatically. In particular, we can see that the newly created user has a profile of type “customer” associated with ID 5. This profile has certain roles.

The fact that this “Profiles” field is present in the response even though it was not initially filled in should immediately alert us. We can now try to replay the creation of a user by adding a “Profiles” field.

Here, we know that profile ID 5 corresponds to a “customer” type user. Let’s try this with ID 1. We’ve left the other fields empty because we didn’t know the existing values:

database mass assignment

Server response:

database mass assignment

The Mass Assignment attack has been taken into account. The profile ID “1” has been associated with the user we have just created. The response tells us that we have successfully created an administrator type user.

This means that on the server side, the entire JSON object sent by the attacker is used to link the transmitted fields to the user object created. This is done without checking what data is being transmitted and by accepting an unexpected field.

We can now connect with the new user. Our privileges have been escalated and we can perform all the actions restricted to administrators.

Mass Assignment on a GraphQL API and privilege escalation

During a pentest on an application running with a GraphQL API, a mutation was used to update the user’s profile. By default and using the graphical interface, the mutation transmitted was as follows:

database mass assignment

At first glance, there’s nothing particularly interesting about this mutation. It allows a user to change his/her surname, first name and telephone number.

However, we had access to GraphQL introspection (the equivalent of the documentation for a classic API) and we were able to see that the GraphQL “User” object also had a “role” field.

By modifying the previous mutation, we were able to change the role of our user due to a Mass Assignment. This enabled us to escalate our privileges:

database mass assignment

Full request:

database mass assignment

Following this request, our user became an administrator because the mutation took into account the role field even though it was not sent by default.

How to prevent Mass Assignment vulnerabilities?

Fortunately, preventing or correcting this type of vulnerability is fairly straightforward.

It involves setting up a white list of fields that are authorised to be used on the server side to create or modify an object. In addition, only non-sensitive fields should be authorised. And if other fields are present in the request received, they must not be taken into account by the server.

Frameworks often allow this type of whitelist to be configured simply. A list of potential existing solutions by framework can be found on the OWASP website.

If we go back to the previous examples, in the first case, the white list must not include the “profiles” field. If a user tries to send a value for this field, the value transmitted should not be taken into account when creating the user.

In the second case, the mutation used to modify the profile must not accept the “role” value. It must be limited to the “first_name”, “last_name” and “language” parameters only.

Author : Yoan MONTOYA – Pentester @Vaadata

Related Posts

Exploring password reset vulnerabilities and security best practices, introduction to burp suite, the tool dedicated to web application security, rce (remote code execution): exploitations and security tips.

Search code, repositories, users, issues, pull requests...

Provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

  • Notifications

Suggestions or feedback?

MIT News | Massachusetts Institute of Technology

  • Machine learning
  • Social justice
  • Black holes
  • Classes and programs

Departments

  • Aeronautics and Astronautics
  • Brain and Cognitive Sciences
  • Architecture
  • Political Science
  • Mechanical Engineering

Centers, Labs, & Programs

  • Abdul Latif Jameel Poverty Action Lab (J-PAL)
  • Picower Institute for Learning and Memory
  • Lincoln Laboratory
  • School of Architecture + Planning
  • School of Engineering
  • School of Humanities, Arts, and Social Sciences
  • Sloan School of Management
  • School of Science
  • MIT Schwarzman College of Computing

MIT researchers remotely map crops, field by field

Press contact :, media download.

Four Google Street View photos show rice, cassava, sugarcane, and maize fields.

*Terms of Use:

Images for download on the MIT News office website are made available to non-commercial entities, press and the general public under a Creative Commons Attribution Non-Commercial No Derivatives license . You may not alter the images provided, other than to crop them to size. A credit line must be used when reproducing images; if one is not provided below, credit the images to "MIT."

Four Google Street View photos show rice, cassava, sugarcane, and maize fields.

Previous image Next image

Crop maps help scientists and policymakers track global food supplies and estimate how they might shift with climate change and growing populations. But getting accurate maps of the types of crops that are grown from farm to farm often requires on-the-ground surveys that only a handful of countries have the resources to maintain.

Now, MIT engineers have developed a method to quickly and accurately label and map crop types without requiring in-person assessments of every single farm. The team’s method uses a combination of Google Street View images, machine learning, and satellite data to automatically determine the crops grown throughout a region, from one fraction of an acre to the next. 

The researchers used the technique to automatically generate the first nationwide crop map of Thailand — a smallholder country where small, independent farms make up the predominant form of agriculture. The team created a border-to-border map of Thailand’s four major crops — rice, cassava, sugarcane, and maize — and determined which of the four types was grown, at every 10 meters, and without gaps, across the entire country. The resulting map achieved an accuracy of 93 percent, which the researchers say is comparable to on-the-ground mapping efforts in high-income, big-farm countries.

The team is applying their mapping technique to other countries such as India, where small farms sustain most of the population but the type of crops grown from farm to farm has historically been poorly recorded.

“It’s a longstanding gap in knowledge about what is grown around the world,” says Sherrie Wang, the d’Arbeloff Career Development Assistant Professor in MIT’s Department of Mechanical Engineering, and the Institute for Data, Systems, and Society (IDSS). “The final goal is to understand agricultural outcomes like yield, and how to farm more sustainably. One of the key preliminary steps is to map what is even being grown — the more granularly you can map, the more questions you can answer.”

Wang, along with MIT graduate student Jordi Laguarta Soler and Thomas Friedel of the agtech company PEAT GmbH, will present a paper detailing their mapping method later this month at the AAAI Conference on Artificial Intelligence.

Ground truth

Smallholder farms are often run by a single family or farmer, who subsist on the crops and livestock that they raise. It’s estimated that smallholder farms support two-thirds of the world’s rural population and produce 80 percent of the world’s food. Keeping tabs on what is grown and where is essential to tracking and forecasting food supplies around the world. But the majority of these small farms are in low to middle-income countries, where few resources are devoted to keeping track of individual farms’ crop types and yields.

Crop mapping efforts are mainly carried out in high-income regions such as the United States and Europe, where government agricultural agencies oversee crop surveys and send assessors to farms to label crops from field to field. These “ground truth” labels are then fed into machine-learning models that make connections between the ground labels of actual crops and satellite signals of the same fields. They then label and map wider swaths of farmland that assessors don’t cover but that satellites automatically do.

“What’s lacking in low- and middle-income countries is this ground label that we can associate with satellite signals,” Laguarta Soler says. “Getting these ground truths to train a model in the first place has been limited in most of the world.”

The team realized that, while many developing countries do not have the resources to maintain crop surveys, they could potentially use another source of ground data: roadside imagery, captured by services such as Google Street View and Mapillary, which send cars throughout a region to take continuous 360-degree images with dashcams and rooftop cameras.

In recent years, such services have been able to access low- and middle-income countries. While the goal of these services is not specifically to capture images of crops, the MIT team saw that they could search the roadside images to identify crops.

Cropped image

In their new study, the researchers worked with Google Street View (GSV) images taken throughout Thailand — a country that the service has recently imaged fairly thoroughly, and which consists predominantly of smallholder farms.

Starting with over 200,000 GSV images randomly sampled across Thailand, the team filtered out images that depicted buildings, trees, and general vegetation. About 81,000 images were crop-related. They set aside 2,000 of these, which they sent to an agronomist, who determined and labeled each crop type by eye. They then trained a convolutional neural network to automatically generate crop labels for the other 79,000 images, using various training methods, including iNaturalist — a web-based crowdsourced  biodiversity database, and GPT-4V, a “multimodal large language model” that enables a user to input an image and ask the model to identify what the image is depicting. For each of the 81,000 images, the model generated a label of one of four crops that the image was likely depicting — rice, maize, sugarcane, or cassava.

The researchers then paired each labeled image with the corresponding satellite data taken of the same location throughout a single growing season. These satellite data include measurements across multiple wavelengths, such as a location’s greenness and its reflectivity (which can be a sign of water). 

“Each type of crop has a certain signature across these different bands, which changes throughout a growing season,” Laguarta Soler notes.

The team trained a second model to make associations between a location’s satellite data and its corresponding crop label. They then used this model to process satellite data taken of the rest of the country, where crop labels were not generated or available. From the associations that the model learned, it then assigned crop labels across Thailand, generating a country-wide map of crop types, at a resolution of 10 square meters.

This first-of-its-kind crop map included locations corresponding to the 2,000 GSV images that the researchers originally set aside, that were labeled by arborists. These human-labeled images were used to validate the map’s labels, and when the team looked to see whether the map’s labels matched the expert, “gold standard” labels, it did so 93 percent of the time.

“In the U.S., we’re also looking at over 90 percent accuracy, whereas with previous work in India, we’ve only seen 75 percent because ground labels are limited,” Wang says. “Now we can create these labels in a cheap and automated way.”

The researchers are moving to map crops across India, where roadside images via Google Street View and other services have recently become available.

“There are over 150 million smallholder farmers in India,” Wang says. “India is covered in agriculture, almost wall-to-wall farms, but very small farms, and historically it’s been very difficult to create maps of India because there are very sparse ground labels.”

The team is working to generate crop maps in India, which could be used to inform policies having to do with assessing and bolstering yields, as global temperatures and populations rise.

“What would be interesting would be to create these maps over time,” Wang says. “Then you could start to see trends, and we can try to relate those things to anything like changes in climate and policies.”

Share this news article on:

Related links.

  • Sherrie Wang
  • Institute for Data, Systems, and Society
  • Department of Mechanical Engineering

Related Topics

  • Agriculture
  • Computer modeling
  • Computer vision
  • Developing countries
  • Environment
  • Mechanical engineering

Related Articles

Collage of eleven new faculty member's headshots, arranged in two rows

School of Engineering welcomes new faculty

Landscape of a peat bog under a blue sky. In the foreground, several islands of peat are surrounded by water.

Satellite-based method measures carbon in peat bogs

Three women, researchers from the GEAR Lab, stand on a dirt road in a field in Jordan holding laptops.

Smart irrigation technology covers “more crop per drop”

The village has about 20 huts that form a large a ring around an empty, brown, circular area. Lots of trees are around the village.

Ancient Amazonians intentionally created fertile “dark earth”

Aerial view of an abandoned agricultural terrace in France

3 Questions: Can disused croplands help mitigate climate change?

Previous item Next item

More MIT News

Three layers show a glob of glue, shiny circular metal bits, and the colorful blue computer chip. Pink lasers go through the chip and hit the circular metal bits and bounce back. A lock icon is to the right.

This tiny, tamper-proof ID tag can authenticate almost anything

Read full story →

An aerial view shows trees and sports stadiums and parking lots. The areas are measured with a road measuring “921.97ft” and a parking lot measuring, “614,232.74 ft squared.”

Stitch3D is powering a new wave of 3D data collaboration

Headshots of Thea Keith-Lucas, Sarah Johnson, and Natalie Hill

MIT course aids social connection, better relationships, and happiness

Illustration of U shaped vaccine moledules with tails attach to three-lobed albumin molecules. The background is an image of a oval shaped lymph node.

Hitchhiking cancer vaccine makes progress in the clinic

Portrait photo of Leon Sandler standing in the foyer of an MIT building

A passion for innovation and education

Graphic of glowing moleculars being touched by an electrical charge against black background

With just a little electricity, MIT researchers boost common catalytic reactions

  • More news on MIT News homepage →

Massachusetts Institute of Technology 77 Massachusetts Avenue, Cambridge, MA, USA

  • Map (opens in new window)
  • Events (opens in new window)
  • People (opens in new window)
  • Careers (opens in new window)
  • Accessibility
  • Social Media Hub
  • MIT on Facebook
  • MIT on YouTube
  • MIT on Instagram

Kansas City police link Super Bowl rally shooting to dispute, not extremism

Police detain a person following a shooting near an outdoor celebration of the NFL champion Chiefs' Super Bowl victory, in Kansas City

MORE SUSPECTS?

Reporting by Brad Brooks in Longmont, Colorado, Rich McKay in Atlanta, and Brendan O'Brien in Chicago; Additional reporting by Steve Gorman, Daniel Trotta, Dan Whitcomb, and Kanishka Singh; Editing by Howard Goller and Stephen Coates

Our Standards: The Thomson Reuters Trust Principles. , opens new tab

Police officer issues a citation to a man for smoking fentanyl in Portland

Democratic US senator opposes Biden pause on liquefied natural gas exports

Democratic U.S. Senator Michael Bennet opposes President Joe Biden's decision to pause approvals of new exports of liquefied natural gas, saying on Sunday that it could undercut U.S. efforts to supply gas to Europe as it replaces Russian exports.

British Prime Minister Rishi Sunak and European Commission President Ursula von der Leyen hold a news conference at Windsor Guildhall

We've detected unusual activity from your computer network

To continue, please click the box below to let us know you're not a robot.

Why did this happen?

Please make sure your browser supports JavaScript and cookies and that you are not blocking them from loading. For more information you can review our Terms of Service and Cookie Policy .

For inquiries related to this message please contact our support team and provide the reference ID below.

Red Sox roster battle includes ex-No. 1 prospect who ‘knows the situation’

  • Published: Feb. 18, 2024, 10:36 a.m.

Bryan Mata

Red Sox prospect Bryan Mata delivers a pitch during a game in 2022 at Polar Park. (Katie Morrison-O'Day/MassLive)

FORT MYERS, Fla. — Bryan Mata, once the top pitching prospect in the Red Sox organization, is out of minor league options. He must make the Opening Day roster or else be designated for assignment (or traded).

The 24-year-old hard-throwing righty has been on Boston’s 40-man roster since Nov. 20, 2020. But he has yet to pitch in the majors because injuries, including Tommy John surgery in April 2021 , have limited him to 110 innings in the minors the past four seasons. Baseball America had him as the Red Sox’ highest-ranked pitching prospect entering spring training 2023. He pitched only 23 innings for Triple-A Worcester last year though. He spent most of the season on the IL with right shoulder inflammation.

“I know the situation I’m in,” Mata said Sunday through translator Carlos Villoria Benítez. “My goal is to go out there and compete every day to give the best of me and try to win a spot here.”

Another major league team could claim him off waivers if the Red Sox were to designate him for assignment before Opening Day. If not, he would be outrighted off the 40-man roster and sent to Worcester. He’s obviously hoping to pitch in the big leagues this year no matter the outcome at the end of spring training.

The Red Sox never placed Mata on the 60-day IL, which allowed them to retain all his service time. He is still under team control for another six years. But in the process, he ran out of options without ever pitching in the big leagues.

“Even if they don’t give me the opportunity here, that (the major leagues) is where I want to pitch,” Mata said. “That’s what I’ve wanted my whole career. And I want to fulfill that goal of becoming a major leaguer. If it doesn’t happen here, if another organization gives me that opportunity, it’s fine. But yeah, I definitely want it to happen here.”

With no options remaining, his best shot is to make the team as a reliever. The Red Sox have communicated that to him. Mata — who throws “consistently in the upper-90s” — certainly could provide needed velo to a bullpen that lacked it last year. The Red Sox ranked 25th out of 30 major league clubs in relief pitcher average fastball velocity (93.8 mph) in 2023,  per Baseball Savant . That was down from an average of  94.9 mph in 2022 . Within the organization, there was a feeling the bullpen could use more high-end velocity after last season.

“When I’m 100% healthy, I know I can count on my fastball and it can be a good one,” said Mata, who has reached 100 mph post-Tommy John surgery . “Right now, I’m focused on throwing strikes and staying healthy. That’s the main goal of this camp.”

Strike-throwing is an area that must improve. He has averaged 4.7 walks per nine innings in 425 minor league innings.

“I think my mindset and my pitch mix doesn’t change (as a reliever),” Mata said. “Right now, I’m focusing on throwing strikes and staying in the zone and doing my job. But my mentality or anything doesn’t change because of the role.”

  • Massachusetts sports betting apps are live and legal for online wagering. Sign-up for the top sportsbooks in MA. Bet now with FanDuel Massachusetts , DraftKings Massachusetts , and Caesars Sportsbook Massachusetts .

His slider is his best secondary pitch.

“For me, that’s a pitch I can locate whenever I want and I have a lot of trust and confidence in that pitch,” he said. “So for me, that’s why it’s my second best pitch.”

Mata was able to return from the IL in late September, then pitched 9 innings of relief in the Arizona Fall League.

“I think that was a big step for me. The Arizona Fall League last year was very special and very important because it was a difficult year for me,” he said. “I had a lot of ups and downs from injuries and all that. So to be able to go out and compete and be healthy meant a lot to me.”

If you purchase a product or register for an account through a link on our site, we may receive compensation. By using this site, you consent to our User Agreement and agree that your clicks, interactions, and personal information may be collected, recorded, and/or stored by us and social media and other third-party partners in accordance with our Privacy Policy.

IMAGES

  1. How to use laravel mass assignment Fillable or Guarded

    database mass assignment

  2. configure mass assignment in eloquent model || database Eloquent

    database mass assignment

  3. API6:2019

    database mass assignment

  4. How to Test Mass Assignment in APIs using Akto

    database mass assignment

  5. API6:2019

    database mass assignment

  6. What is Mass Assignment? Attacks and Security Tips

    database mass assignment

VIDEO

  1. MCM101 Introduction to Mass Communication QUIZ 2 FALL 2023 Virtual University of Pakistan

  2. MCM101 Introduction to Mass Communication Quiz 3 Fall 2023 Virtual University of Pakistan

  3. Database Management System (DBMS)

  4. [API-08] Mass Assignment Attacks

  5. Mass media and Society assignment #1

  6. Mass Assignment

COMMENTS

  1. Mass Assignment

    GitHub case study In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. GitHub's Blog Post. Solutions Allow-list the bindable, non-sensitive fields. Block-list the non-bindable, sensitive fields. Use Data Transfer Objects (DTOs).

  2. What is mass assignment?

    Mass assignment Be careful with parameters that are automatically bound from requests to objects Select your ecosystem JavaScript Mass assignment: the basics What are mass assignment vulnerabilities?

  3. What does "Mass Assignment" mean in Laravel?

    Mass assignment is when you send an array to the model creation, basically setting a bunch of fields on the model in a single go, rather than one by one, something like: $user = new User (request ()->all ()); (This is instead of explicitly setting each value on the model separately.)

  4. API6:2019

    How To Prevent External API6:2019 - Mass Assignment Is the API Vulnerable? Objects in modern applications might contain many properties. Some of these properties should be updated directly by the client (e.g., user.first_name or user.address) and some of them should not (e.g., user.is_vip flag).

  5. Mass Assignment · OWASP Cheat Sheet Series

    Mass Assignment is a common vulnerability that occurs when a web application assigns user-supplied data to properties of an object without proper validation. This cheat sheet provides guidance on how to prevent and mitigate mass assignment attacks in different frameworks and languages. Learn how to use whitelists, blacklists, annotations, and other techniques to protect your web application ...

  6. API Security 101: Mass Assignment & Exploitation in the Wild

    Mass Assignment: Ruby on Rails, NodeJS. Autobinding: Spring MVC, ASP NET MVC. Object injection: PHP. For example, consider an API that allows users to update their profile information. The API may accept a JSON payload that contains multiple fields such as name, email, and address.

  7. Mass Assignment: How to Protect Your Application from Insecure Binder

    Mass assignment is a vulnerability that occurs when a web application allows an attacker to send a single request to update multiple rows of data in a database. This can be done by sending a request with a list of values for each field of a table, or by sending a single value that is used to update multiple rows of data.

  8. Mass assignment vulnerability

    Mass assignment is a computer vulnerability where an active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status.

  9. OWASP API #6: Mass Assignment

    Mass Assignment, occurs when an application is implemented in such way, that it actually accepts broader modifications than those intended and described in the documentation. Is my API...

  10. Understanding Mass Assignment in Laravel Eloquent ORM

    Mass Assignment Let's break down this word. Mass means large number Assignment means the assignment operator in programming In order to make developers life easier, Eloquent ORM offers Mass Assignment functionality which helps them assign (insert) large number of input to database. Life, without Mass Assignment đŸ˜©

  11. Mass Assignment

    This code is vulnerable to a *mass assignment* attack since the properties are not being specifically enumerated in the server-side code. An attacker can simply modify the names of the form fields (or add extra) and directly manipulate their profile in the database, setting administrative flags as they see fit.

  12. Mass Assignment Vulnerability: Understanding & Mitigating the Risks in

    The "Mass Assignment" vulnerability is a security flaw that occurs when an application assigns user input directly to model attributes without proper validation or sanitization. This can lead to unauthorized access and modification of sensitive data, potentially compromising the security of the application and its users.

  13. API6:2019

    How to prevent Do not automatically bind incoming data and internal objects. Explicitly define all the parameters and payloads you are expecting. Use the readOnly property set to true in object schemas for all properties that can be retrieved through APIs but should never be modified.

  14. Avoiding mass assignment vulnerabilities in Node.js

    Mass assignment is a vulnerability that allows attackers to exploit predictable record patterns and invoke illegal actions. Mass assignment usually occurs when properties are not filtered when binding client-provided data-to-data models. Vulnerabilities of this type allow an attacker to create additional objects in POST request payloads ...

  15. Mass Assignment

    CWE-915 Mass Assignment in Ruby on Rails Related Vulnerabilities Got all that? Take our quiz to make sure everything is clear Automatically unpacking data from the HTTP request can sometimes be too easy. Let's learn about mass assignment vulnerabilities. →

  16. What is Mass Assignment?

    Mass Assignment refers to the process of directly assigning values to object properties during data processing, often done through user input. While seemingly innocuous, improper handling of this feature can lead to unauthorized access, data manipulation, and potential security breaches. ‍ ‍ Understanding Mass Assignment in Web Development

  17. How to Test Mass Assignment in APIs using Akto

    To perform this test, follow the steps below: 1. Search for the request that assigns a role to the user on the server-side. 2. Once you have found the request, try modifying the JSON data of the request by changing the value of the variable that assigns the user's role (e.g., "admin"). 3.

  18. 【API Mass Assignment】Definition and Examples

    What is a Mass Assignment Vulnerability? OWASP attributes the API mass assignment vulnerability as an input validation flaw that allows hackers to perform advanced attacks by manipulating payload data. The threat arises when the API endpoints save a request body as it is instead of extracting request parameters one by one.

  19. Understanding "Mass Assignment" in Laravel

    While mass assignment can be a powerful tool for efficient data handling, it is essential to be aware of the potential security risks associated with it. Improper use of mass assignment can lead to mass assignment vulnerabilities, where malicious users may exploit the ability to assign values to sensitive attributes that should not be directly ...

  20. What is Mass Assignment? Attacks and Security Tips

    A Mass Assignment vulnerability occurs when the server does not correctly filter the data transmitted by the user and associates it directly with an object without verification. In this way, an attacker can add new parameters to the HTTP request, which will create or replace variables in the application code although this was not initially ...

  21. Mass Assignment Cheat Sheet

    A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. <a href=\"https://blog.github.com/2012-03-04-public-key-security-vulnerability-and-mitigation/\">GitHub's Blog Post</a>.</p>\n<h3 tabindex=\"-1\" dir=\"auto\"><a id=\"user-content-solutions\" class=\"anchor\" aria-hidden=\"tru...

  22. In Laravel, how would you prevent mass-assignment vulnerabilities

    In Laravel, mass assignment vulnerabilities can be exploited when a user passes an unexpected HTTP parameter through requests, and that parameter changes a database column that you did not expect.

  23. Samsung asks US court to block mass arbitration in privacy case

    Samsung told the Chicago-based 7th U.S. Circuit Court of Appeals that leaving the lower court's decision in place could force it to pay millions of dollars in arbitration processing fees, giving ...

  24. MIT researchers remotely map crops, field by field

    The team realized that, while many developing countries do not have the resources to maintain crop surveys, they could potentially use another source of ground data: roadside imagery, captured by services such as Google Street View and Mapillary, which send cars throughout a region to take continuous 360-degree images with dashcams and rooftop ...

  25. Japan Carmakers Forge Ahead With EV Investments Despite Slowdown

    Japan's carmakers are keeping their foot on the accelerator when it comes to investing in electric vehicles.

  26. Europe Train Routes Threatened By Climate Change, But Resilience Is

    Increasing train travel is critical to decarbonizing transportation. As extreme heat, flooding and erosion pose risks to railways, investment in upgrades remains flat.

  27. Kansas City police link Super Bowl rally shooting to dispute, not

    A quarrel among several people sparked the shooting spree in Kansas City, Missouri, that killed a woman and wounded 22 people after a celebration of the city's NFL Super Bowl victory, police said ...

  28. India Farmers Mass Near Capital to Push for Government Deal

    Tens of thousands of farmers pressing for guaranteed crop prices and debt relief camped en route to the Indian capital on Friday, waiting for weekend negotiations with government officials.

  29. Red Sox roster battle includes ex-No. 1 prospect who 'knows the

    The 24-year-old hard-throwing righty has been on Boston's 40-man roster since Nov. 20, 2020. But he has yet to pitch in the majors because injuries, including Tommy John surgery in April 2021 ...