
Mass Assignment in PHP


Laravel

Laravel's Eloquent ORM lets a model be populated from an array in one step ("mass assignment"): the array is passed to the model constructor, to fill(), or to the static create() method, and every key is written to the matching attribute. When that array is built directly from user input, any column the attacker can name becomes writable, which is a Mass Assignment vulnerability (CWE-915).

Vulnerable Example

In this snippet the registration handler hands the entire request body to the model. A malicious user adds an is_admin field to the sign-up request alongside name, email and password; the whole array is passed to the User model's constructor (User::create() behaves the same way, since both call fill()), and because the model places no restriction on assignable attributes the attacker registers as an administrator.

class User extends Authenticatable
{
    // Mass-assignment protection switched off: with an empty $guarded list
    // every column, including is_admin, can be set from the request array.
    // (Without this line Eloquent's default $guarded = ['*'] would throw a
    // MassAssignmentException instead of saving the attacker's field.)
    protected $guarded = [];
}

class RegistrationController extends Controller
{
    
    public function store()
    {
        $u = new User(request()->all());

        // ...
    }
}

Prevention

One way to prevent overwriting properties is the fillable property, an allow-list of the only attributes that mass assignment may set; every other key in the input array is silently discarded. The complementary guarded property is a deny-list, but note that setting it to an empty array disables the protection entirely, so an explicit allow-list is the safer default. fillable only governs mass assignment: direct assignment such as $user->is_admin = true in application code is unaffected, which is by design. Narrowing the input in the controller as well, for example with $request->only([...]) or a Form Request's validated() data instead of request()->all(), adds a second layer at the trust boundary.

class User extends Authenticatable
{
    protected $fillable = [
        'name', 'email', 'password',
    ];
}
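The following added example is not code from the original page or from the Laravel framework. It is a small stand-alone re-implementation of the documented fillable/guarded rules, so the vulnerable model with $guarded = [] and the hardened model with $fillable can be run side by side against the same attacker-controlled array without a framework install. The class names, the simplified Model base class and the request payload are constructed for this demonstration; the real Eloquent implementation has more cases (for instance Model::unguard()) than are shown here.

```php
<?php
// Added example: a minimal stand-in for Eloquent's fill()/$fillable/$guarded
// logic (not the framework's own code), used to show how the attacker's
// is_admin key is kept or dropped depending on how the model is configured.

declare(strict_types=1);

abstract class Model
{
    /** Allow-list: attributes that mass assignment may set. */
    protected array $fillable = [];

    /** Deny-list: attributes mass assignment must not set. '*' guards everything. */
    protected array $guarded = ['*'];

    private array $attributes = [];

    public function __construct(array $attributes = [])
    {
        $this->fill($attributes);
    }

    /** Copy only the assignable keys from an untrusted array into the model. */
    public function fill(array $attributes): static
    {
        foreach ($attributes as $key => $value) {
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            } elseif ($this->totallyGuarded()) {
                // No allow-list and everything guarded: Eloquent throws
                // MassAssignmentException rather than failing silently.
                throw new RuntimeException(
                    "Add [$key] to the fillable property to allow mass assignment on [" . static::class . "]."
                );
            }
            // Otherwise the key is silently discarded.
        }
        return $this;
    }

    public function isFillable(string $key): bool
    {
        if (in_array($key, $this->fillable, true)) {
            return true;               // explicitly allowed
        }
        if ($this->isGuarded($key)) {
            return false;              // explicitly denied, or '*' guard
        }
        return $this->fillable === []; // no allow-list at all: anything unguarded is fillable
    }

    public function isGuarded(string $key): bool
    {
        return $this->guarded === ['*'] || in_array($key, $this->guarded, true);
    }

    public function totallyGuarded(): bool
    {
        return $this->fillable === [] && $this->guarded === ['*'];
    }

    public function getAttributes(): array
    {
        return $this->attributes;
    }
}

// Vulnerable configuration: protection disabled by an empty deny-list.
class UnguardedUser extends Model
{
    protected array $guarded = [];
}

// Hardened configuration: explicit allow-list, as in the Prevention section.
class User extends Model
{
    protected array $fillable = ['name', 'email', 'password'];
}

// Constructed attacker payload: an ordinary sign-up form with is_admin smuggled in.
$payload = [
    'name'     => 'mallory',
    'email'    => 'mallory@example.com',
    'password' => 'correct horse battery staple',
    'is_admin' => 1,
];

$unguarded = new UnguardedUser($payload);
$hardened  = new User($payload);

printf("unguarded model keeps is_admin: %s\n", var_export(isset($unguarded->getAttributes()['is_admin']), true));
printf("fillable  model keeps is_admin: %s\n", var_export(isset($hardened->getAttributes()['is_admin']), true));
```

Run it with php on the command line: the unguarded model retains the injected is_admin attribute, while the model with an allow-list keeps only name, email and password. In a real controller the same payload would additionally be narrowed before it reaches the model, for example with $request->only(['name', 'email', 'password']) or the validated() array of a Form Request, so that a later change to the model's fillable list cannot silently widen what the sign-up endpoint accepts.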

References

Laravel - Eloquent: Mass Assignment

CWE - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

OWASP - Mass Assignment Cheat Sheet