Web Mass Assignment Vulnerabilities

Explanation

Assuming we have a User model with the following attributes

# Rails ActiveRecord model; the attributes listed in attr_accessible are the ones declared mass-assignable
class User < ActiveRecord::Base
  attr_accessible :username, :email
end

an attacker can modify other attributes by tampering with the parameters sent to the server. Suppose the server receives the following parameters:

{ "user" => { "username" => "hacker", "email" => "hacker@example.com", "admin" => true } }

Although the User model does not explicitly state that the admin attribute is accessible, the attacker can still change it because it is present in the submitted parameters. By sending this data in a POST request to the server, the attacker bypasses whatever access controls may be in place and creates a user with admin privileges.
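The following is an added example, not code from the original page, that strips the problem down to plain Ruby with no framework: a model that assigns every key of a client-supplied hash is placed beside one that only assigns a permitted whitelist and reports the rest. The class and method names (VulnerableUser, SafeUser, assign_attributes, PERMITTED) and the sample request hash are constructed for this illustration.

```ruby
# Added example (not from the original page): a minimal, framework-free model
# showing the mass-assignment flaw and a whitelist-based fix. Assumed names:
# VulnerableUser, SafeUser, assign_attributes, PERMITTED.

class VulnerableUser
  attr_accessor :username, :email, :admin

  def initialize
    @admin = false
  end

  # Vulnerable: every key in the params hash is turned into a setter call, so a
  # client-supplied "admin" key flips the privilege flag.
  def assign_attributes(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end
end

class SafeUser
  attr_accessor :username, :email, :admin
  PERMITTED = %w[username email].freeze

  def initialize
    @admin = false
  end

  # Hardened: only whitelisted keys are assigned; every other key is dropped
  # and returned so the caller can log the tampering attempt.
  def assign_attributes(params)
    rejected = []
    params.each do |key, value|
      if PERMITTED.include?(key.to_s)
        public_send("#{key}=", value)
      else
        rejected << key.to_s
      end
    end
    rejected
  end
end

# Constructed request body, mirroring the tampered parameters in the text.
TAMPERED_PARAMS = {
  "username" => "hacker",
  "email" => "hacker@example.com",
  "admin" => true,
}.freeze

# Returns the populated vulnerable model so the caller can inspect its flags.
def demo_vulnerable(params = TAMPERED_PARAMS)
  VulnerableUser.new.assign_attributes(params)
end

# Returns [user, rejected_keys] for the hardened model.
def demo_safe(params = TAMPERED_PARAMS)
  user = SafeUser.new
  rejected = user.assign_attributes(params)
  [user, rejected]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable admin flag: #{demo_vulnerable.admin}" # true
  user, rejected = demo_safe
  puts "hardened admin flag: #{user.admin}, rejected keys: #{rejected.inspect}" # false, ["admin"]
end
```

The rejected-key list is the detection hook: a request that carries keys outside the whitelist is worth logging, because a legitimate client form never sends them. In Rails this is the role of strong parameters (`params.require(:user).permit(:username, :email)`), which raise or log on unpermitted keys depending on configuration.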
