
Mass Assignment in .NET


ASP.NET Core MVC automatically binds request parameters to the properties of the model objects passed to action methods. When a model exposes properties that the client should not be able to set, this automatic model binding can introduce Mass Assignment vulnerabilities.

Vulnerable Example

In this snippet, the unprotected User model is bound directly from user input. Because every property of User is bindable, an attacker could POST a new User whose Role is set to an administrative value and thereby become an administrator.

using Microsoft.AspNetCore.Mvc;

public class User
{
    public string Login { get; set; }
    public string Password { get; set; }
    public string Role { get; set; }   // nothing marks this property as non-bindable
}

public class UsersController : Controller
{
    private readonly AppDbContext _context;   // EF Core context (assumed name)

    public UsersController(AppDbContext context) => _context = context;

    // /Create?Login=username&Password=pwd
    // Every property of User, Role included, is bound from the request.
    public IActionResult Create(User user)
    {
        _context.Update(user);
        _context.SaveChanges();   // persists whatever the client supplied
        return View(user);
    }
}

Prevention

To prevent unwanted property binding, decorate the sensitive properties of the model with the [BindNever], [Editable(false)] or [JsonIgnore] attribute.

Note: The [BindNever] and [Editable(false)] attributes do not impact input formatters that handle JSON and XML request bodies. These attributes specifically affect model binding when the source of values is posted form data.

using System.ComponentModel.DataAnnotations;

public class User
{
    public string Login { get; set; }
    public string Password { get; set; }

    // Marked read-only for model binding: Role is ignored when bound from form data.
    [Editable(false)]
    public string Role { get; set; }
}
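A hardened version of the Create action, as an added example (not SecureFlag's own code): it combines [BindNever] and [JsonIgnore] on the entity with a separate input model, so Role cannot be set from form data or from a JSON body. It assumes an EF Core DbContext named AppDbContext exposing a Users DbSet.

```csharp
// Added example; assumes an EF Core AppDbContext with DbSet<User> Users.
using System.ComponentModel.DataAnnotations;
using System.Text.Json.Serialization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ModelBinding;

public class User
{
    public string Login { get; set; }
    public string Password { get; set; }
    // Defence in depth: [BindNever] stops form/query/route binding of Role,
    // [JsonIgnore] stops the System.Text.Json input formatter from setting it.
    [BindNever]
    [JsonIgnore]
    public string Role { get; set; }
}

// Input model that contains only the fields a client is allowed to supply.
// Role does not exist here, so no binding source can populate it.
public class CreateUserInput
{
    [Required]
    public string Login { get; set; }
    [Required]
    public string Password { get; set; }
}

public class UsersController : Controller
{
    private readonly AppDbContext _context;
    public UsersController(AppDbContext context) => _context = context;

    [HttpPost]
    public IActionResult Create(CreateUserInput input)
    {
        if (!ModelState.IsValid) return View(input);
        // Explicit server-side mapping: Role is assigned by the application,
        // never copied from the request.
        var user = new User
        {
            Login = input.Login,
            Password = input.Password, // hash before storing in a real application
            Role = "User"
        };
        _context.Users.Add(user);
        _context.SaveChanges();
        return View(user);
    }
}
```

The separate input model is what protects the JSON path, since the note above explains that [BindNever] and [Editable(false)] alone do not affect JSON or XML input formatters.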

References

CWE - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

OWASP - Mass Assignment Cheat Sheet