
Mass Assignment in NodeJS


Using MongoDB

Vulnerable Example

This Express.js route lets a user sign up for the application. It checks whether a user with the given username already exists; if not, it creates the new user by passing the entire request body, unfiltered, to the insert function:

app.post('/signup', function (req, res) {
    const {username} = req.body;
    usersCollection.countDocuments({username}, function (err, count) {
        if (err) {
            return res.sendStatus(500);
        }
        if (count === 0) {
            // Mass assignment: the whole request body is stored as the user
            // document, including any field the HTML form never offered.
            const newUser = req.body;
            usersCollection.insert(newUser);
            res.sendStatus(201);
        } else {
            res.sendStatus(409);
        }
    });
});

Assuming an HTTP form is like this:

<form method="POST" action="/signup">
  <input name="username" />
  <input name="password" />
</form>

And assuming that the web application uses an is_admin field to implement a rudimentary access control mechanism, an attacker could craft a request that adds an is_admin POST field with value 1. Because the body is inserted unchanged, that field is persisted on the new user document and the account is created with administrative rights.

Prevention

MongoDB does not provide any specific facility to prevent Mass Assignment; it is up to the developer to create the object to be inserted by only using a subset of all the fields that might be present in the request:

// Copy only the fields the server expects; an is_admin field in the body is ignored.
const {username, password} = req.body;
usersCollection.insert({username, password});
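The allowlisting approach above, carried through as an added example that is not SecureFlag's code: a vulnerable builder beside the hardened one, a check that reports unexpected body keys (worth logging, since a client sending is_admin is a tampering signal), and a hypothetical in-memory stand-in for usersCollection so it runs without MongoDB.

```javascript
// Fields a signup request is allowed to set. Anything else is discarded.
const SIGNUP_FIELDS = ['username', 'password'];

// Vulnerable shape: the whole request body becomes the stored document,
// so a tampered body's is_admin field is persisted unchanged.
function buildUserUnsafe(body) {
  return { ...body };
}

// Hardened shape: copy only allowlisted fields and set privilege flags
// server-side, so request input can never grant them.
function buildUserSafe(body) {
  const user = {};
  for (const field of SIGNUP_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      user[field] = body[field];
    }
  }
  user.is_admin = false;
  return user;
}

// Keys present in the body but not on the allowlist; a handler can log
// these to spot clients probing for mass assignment.
function unexpectedFields(body) {
  return Object.keys(body).filter((k) => !SIGNUP_FIELDS.includes(k));
}

// Hypothetical in-memory stand-in for usersCollection (assumption, not the driver).
function makeCollection() {
  const docs = [];
  return {
    countDocuments: (q) => docs.filter((d) => d.username === q.username).length,
    insert: (doc) => { docs.push(doc); },
    findOne: (q) => docs.find((d) => d.username === q.username),
  };
}

// Synchronous version of the page's /signup logic using the hardened builder.
function signup(collection, body) {
  if (collection.countDocuments({ username: body.username }) !== 0) {
    return { status: 409 };
  }
  collection.insert(buildUserSafe(body));
  return { status: 201, unexpected: unexpectedFields(body) };
}

// Constructed sample request body carrying the extra is_admin field.
const tamperedBody = { username: 'alice', password: 'hunter2', is_admin: 1 };
```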

References

CWE - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

OWASP - Mass Assignment Cheat Sheet