2021-02-27 12:13:03
Found a hidden HTTP param? Look deeper: there may be a mass assignment/autobinding vulnerability.
This issue occurs when a web app automatically binds HTTP parameters to object fields of the same name without filtering fields that should not be assigned.
Example: a User class has the fields email, password and role. At sign-up the browser sends only email and password; the web app binds those parameters to a User object and leaves role at its default, 'user'.
If you add role=admin to the request, the web app assigns it to the role field as well, overriding the default. (Params and code examples are shown in the picture.)
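The sign-up scenario above as an added example in plain Ruby (my code, not code from the post, the picture, or Rails): a hypothetical binder that writes every incoming parameter to the attribute of the same name, next to an allow-list binder in the spirit of Rails strong parameters. The User class, the permitted-field list and both requests are constructed for the example.

```ruby
# Added example (not code from the post or from Rails): a toy autobinder
# that behaves like the frameworks the post lists, beside an allow-list fix.

class User
  attr_accessor :email, :password, :role

  def initialize
    @role = "user" # the default the application intends for new accounts
  end

  # Vulnerable: every request key that matches an attribute is written,
  # so a client-supplied role=admin lands in the role field.
  def self.bind_unsafe(params)
    user = new
    params.each do |key, value|
      setter = "#{key}="
      user.public_send(setter, value) if user.respond_to?(setter)
    end
    user
  end

  # Fields a sign-up request is allowed to set (hypothetical allow-list,
  # same idea as permit(:email, :password) in Rails strong parameters).
  SIGNUP_PERMITTED = %w[email password].freeze

  # Hardened: only allow-listed keys are bound; the rest are reported,
  # which also gives you a log line to look for when hardening a real app.
  def self.bind_safe(params)
    user = new
    dropped = params.keys.map(&:to_s) - SIGNUP_PERMITTED
    warn "unpermitted sign-up params dropped: #{dropped.join(', ')}" unless dropped.empty?
    params.each do |key, value|
      user.public_send("#{key}=", value) if SIGNUP_PERMITTED.include?(key.to_s)
    end
    user
  end
end

# Constructed requests: what the browser sends, and the tampered copy.
NORMAL_SIGNUP   = { "email" => "alice@example.com", "password" => "hunter2" }.freeze
TAMPERED_SIGNUP = NORMAL_SIGNUP.merge("role" => "admin").freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe, tampered: role=#{User.bind_unsafe(TAMPERED_SIGNUP).role}" # admin
  puts "safe,   tampered: role=#{User.bind_safe(TAMPERED_SIGNUP).role}"   # user
end
```

The fix is the allow-list, not a deny-list of "dangerous" names: a deny-list silently breaks the moment a new privileged field (say, is_verified) is added to the model.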
How to find:
> Identify the framework (auto-binding frameworks such as RoR, ASP.NET, Spring and others are affected)
> Use Param Miner to find hidden params
> Build a custom dictionary from the site's own content (field names in the HTML and JS)
Sometimes the changed object fields are not shown in the response either, so you have to explore the app closely to confirm the assignment.
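The discovery steps above, as an added Ruby example (my code, not from the post and not Param Miner): harvest candidate parameter names from a page's HTML and JS to build the custom dictionary, expand them into snake_case/camelCase variants, then probe each one by adding it to a baseline sign-up request and diffing the response. The page content and the sign-up endpoint are constructed stand-ins; the endpoint stub is the vulnerable kind that binds any same-name key.

```ruby
# Added example (not from the post, not Param Miner): build the custom
# dictionary from a page's HTML/JS, then probe each candidate for a hidden
# binding. The page and the sign-up endpoint are constructed stand-ins.
require "set"

CONSTRUCTED_PAGE = <<~PAGE
  <form action="/signup" method="post">
    <input name="email"><input name="password" type="password">
    <input type="submit" value="Sign up">
  </form>
  <script>
    var user = { email: "", password: "", role: "user", isActive: true };
    function save(u) { return fetch("/signup", { body: JSON.stringify(u) }); }
  </script>
PAGE

# Step 3: harvest names from form fields and JS object keys.
def harvest_param_names(content)
  names = Set.new
  content.scan(/\bname\s*=\s*["']([A-Za-z_][\w-]*)["']/) { |m| names << m[0] }
  content.scan(/(?:^|[{,\s])([A-Za-z_]\w*)\s*:/) { |m| names << m[0] }
  names.to_a
end

# Servers often bind snake_case while the JS uses camelCase, so try both.
def with_case_variants(names)
  names.flat_map do |n|
    snake = n.gsub(/([a-z\d])([A-Z])/, '\1_\2').downcase
    camel = snake.gsub(/_(\w)/) { Regexp.last_match(1).upcase }
    [n, snake, camel]
  end.uniq
end

# Stand-in for the target's /signup handler (the vulnerable kind): it binds
# any same-name key and returns the stored object. Replace with a real
# request (Net::HTTP etc.) when testing an actual app.
def stub_signup(params)
  user = { "email" => nil, "password" => nil, "role" => "user", "is_active" => false }
  params.each { |k, v| user[k] = v if user.key?(k) }
  user
end

BASELINE = { "email" => "alice@example.com", "password" => "hunter2" }.freeze

# Step 2: a candidate is a hidden param if adding it to the baseline request
# changes what comes back. send_request is any callable taking a params hash.
def find_hidden_params(candidates, send_request)
  baseline_response = send_request.call(BASELINE)
  candidates.reject { |n| BASELINE.key?(n) }.select do |name|
    send_request.call(BASELINE.merge(name => "probe")) != baseline_response
  end
end

if __FILE__ == $PROGRAM_NAME
  dictionary = with_case_variants(harvest_param_names(CONSTRUCTED_PAGE))
  p find_hidden_params(dictionary, method(:stub_signup)) # ["role", "is_active"]
end
```

The stub conveniently echoes the bound object; a real app often does not, which is the caveat above. In that case compare something other than the immediate response: the profile page, an API that returns the object later, or a behaviour that only an elevated role unlocks.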
Source
#Web #Hidden #Parameters