2023-09-28 14:44:41 +02:00
With Spring, when a request mapping method is configured to accept bean objects
as arguments, the framework will automatically bind HTTP parameters to those
objects' properties. If the targeted beans are also persistent entities, the
framework will also store those properties in the storage backend, usually the
application's database.
2023-05-03 11:06:20 +02:00
== Why is this an issue?
2023-09-28 14:44:41 +02:00
By accepting persistent entities as method arguments, the application allows
clients to manipulate the object's properties directly.
=== What is the potential impact?
Attackers could forge malicious HTTP requests that will alter unexpected
properties of persistent objects. This can lead to unauthorized modifications of
the entity's state. This is known as a *mass assignment* attack.
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
Depending on the affected objects and properties, the consequences can vary.
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
==== Privilege escalation
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
If the affected object is used to store the client's identity or permissions,
the attacker could alter it to change their entitlement on the application. This
can lead to horizontal or vertical privilege escalation.
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
==== Security checks bypass
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
Because persistent objects are modified directly without prior logic, attackers
could exploit this issue to bypass security measures otherwise enforced by the
application. For example, an attacker might be able to change their e-mail
address to an invalid one by directly setting it without going through the
application's email validation process.
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
The same could also apply to passwords that attackers could change without
complexity validation or knowledge of their current value.
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
== How to fix it in Java EE
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
=== Code examples
2021-04-28 18:08:03 +02:00
2023-09-28 14:44:41 +02:00
The following code is vulnerable to a mass assignment attack because it allows
modifying the `User` persistent entities thanks to maliciously forged `Wish`
object properties.
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
2021-04-28 16:49:39 +02:00
----
import javax.persistence.Entity;
@Entity
public class Wish {
Long productId;
Long quantity;
Client client;
}
@Entity
public class Client {
String clientId;
String name;
String password;
}
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
2023-09-28 14:44:41 +02:00
public class PurchaseOrderController {
2021-04-28 16:49:39 +02:00
@RequestMapping(path = "/saveForLater", method = RequestMethod.POST)
2023-09-28 14:44:41 +02:00
public String saveForLater(Wish wish) { // Noncompliant
2021-04-28 16:49:39 +02:00
session.save(wish);
}
}
----
2023-09-28 14:44:41 +02:00
==== Compliant solution
2021-04-28 18:08:03 +02:00
2023-09-28 14:44:41 +02:00
[source,java,diff-id=1,diff-type=compliant]
2021-04-28 16:49:39 +02:00
----
public class WishDTO {
Long productId;
Long quantity;
Long clientId;
}
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class PurchaseOrderController {
@RequestMapping(path = "/saveForLater", method = RequestMethod.POST)
public String saveForLater(WishDTO wish) {
Wish persistentWish = new Wish();
2023-09-28 14:44:41 +02:00
persistentWish.productId = wish.productId
persistentWish.quantity = wish.quantity
persistentWish.client = getClientById(with.clientId)
2021-04-28 16:49:39 +02:00
session.save(persistentWish);
}
}
----
2023-09-28 14:44:41 +02:00
=== How does this work?
2021-04-28 18:08:03 +02:00
2023-09-28 14:44:41 +02:00
The compliant code implements a Data Transfer Object (DTO) layer. Instead of
accepting a persistent `Wish` entity as a parameter, the vulnerable method
accepts a `WishDTO` object with a safe, minimal set of properties. It then
instantiates a persistent entity and initializes it based on the DTO properties'
values. The resulting object can safely be persisted in the database.
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
== Resources
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
=== Documentation
2021-04-28 18:08:03 +02:00
2023-09-28 14:44:41 +02:00
* OWASP - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html[Mass Assignment Cheat Sheet]
=== Standards
* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 - Category A8 - Software and Data Integrity Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 - Category A5 - Broken Access Control]
* CWE - https://cwe.mitre.org/data/definitions/915[CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes]
=== Articles & blog posts
2021-04-28 16:49:39 +02:00
2023-09-28 14:44:41 +02:00
OWASP O2 Platform Blog - https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf[Two Security Vulnerabilities in the Spring Framework's MVC]
2021-04-28 18:08:03 +02:00
2021-09-20 15:38:42 +02:00
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
2023-05-25 14:18:12 +02:00
=== Message
Replace this persistent entity with a simple POJO or DTO object.
2021-09-20 15:38:42 +02:00
endif::env-github,rspecator-view[]
