Mass assignment

A mass assignment attack takes advantage of the automatic model binding performed by frameworks such as Spring MVC and ASP.NET MVC.
Model binding takes the incoming request parameters and assigns them to properties of the model object by matching each parameter name to a property with the same name.

However, an attacker can add extra parameters to a request that the developer was not expecting. If a property with the same name exists on the model, the framework binds it just as readily as the ones the form was designed to send.

For example, a screen may let users store some values in their profile. Suppose the User object has a preferredName attribute, so the screen lets a user choose a nickname instead of their real name.
But say the User object also has an attribute called administrator, which grants the user extra features in the web app.
An attacker can copy the request the web app normally sends to save a profile and add "administrator=true" as an extra parameter.
Even though the profile update is (hopefully) a POST rather than a GET, that is no obstacle: an intercepting proxy, the browser's developer tools, or curl can add parameters to a POST body just as easily as to a query string.

The framework's autobinding sees the administrator parameter and sets the administrator attribute on the User object to true; the controller then saves that object to the database exactly as it would for a legitimate update.
The user has now made themselves an administrator, without exploiting a single bug in the application's own code.

To protect an application from a mass assignment attack, the developer must tell the framework which fields it may bind. An allow-list (whitelist: only the fields the screen is meant to edit) is preferable to a deny-list (blacklist: named fields the binder must skip), because a deny-list silently stops working the next time someone adds a sensitive field to the model. A third option is to bind the request to a separate form object that contains only the editable fields and copy those onto the User explicitly.

In Spring:

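The following is an added example, not code from the original page: a minimal Spring Boot application that reproduces the scenario above and closes the hole with an @InitBinder method. The class and property names (User, preferredName, administrator) follow the article; ProfileController, the /profile URL and the package name are assumptions made for the example, and it is meant to be run inside a Spring Boot project with spring-boot-starter-web on the classpath.

```java
// Added example (not from the original page). Assumes a Spring Boot project
// with spring-boot-starter-web; names other than User/preferredName/administrator
// are hypothetical.
package example.massassignment;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class MassAssignmentDemo {
    public static void main(String[] args) {
        SpringApplication.run(MassAssignmentDemo.class, args);
    }
}

// The domain object from the article. Both properties have public setters,
// so the default data binder will populate either one from a request
// parameter of the same name.
class User {
    private String preferredName;
    private boolean administrator;

    public String getPreferredName() { return preferredName; }
    public void setPreferredName(String preferredName) { this.preferredName = preferredName; }
    public boolean isAdministrator() { return administrator; }
    public void setAdministrator(boolean administrator) { this.administrator = administrator; }
}

@RestController
class ProfileController {

    // Runs before binding for every handler in this controller and restricts
    // which properties the WebDataBinder may set. setAllowedFields is an
    // allow-list: only preferredName can be bound, so the attacker's
    // "administrator=true" parameter is ignored.
    @InitBinder
    void restrictBindableFields(WebDataBinder binder) {
        binder.setAllowedFields("preferredName");
        // Deny-list alternative. Weaker: it breaks silently as soon as a new
        // sensitive property is added to User without updating this list.
        // binder.setDisallowedFields("administrator");
    }

    // Without the @InitBinder above, this request flips the flag before the
    // object is saved (constructed attack request, same as in the article):
    //   curl -X POST http://localhost:8080/profile \
    //        -d preferredName=Bob -d administrator=true
    // With it, administrator stays false and only preferredName is updated.
    @PostMapping("/profile")
    String updateProfile(@ModelAttribute User user) {
        // A real application would persist the user here; the response echoes
        // the bound state so the effect of the binder configuration is visible.
        return "preferredName=" + user.getPreferredName()
             + " administrator=" + user.isAdministrator();
    }
}
```

Because @InitBinder methods are scoped to their controller, the allow-list has to be repeated (or moved to a @ControllerAdvice class) for every handler that binds a User; binding to a dedicated form object that only has a preferredName property avoids that maintenance entirely, since there is then nothing dangerous on the bound type for the framework to set.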

In C# (ASP.NET MVC), annotate the model class with a Bind attribute that lists the bindable fields:


or mark the sensitive property with the ReadOnly attribute so the binder skips it: