Rails Mass Assignment

high Web App Scanning Plugin ID 112808

Language:

Synopsis

Rails Mass Assignment

Description

Ruby On Rails is a popular framework used to build web applications based on the Model-View-Controller (MVC) architectural pattern.

A mass assignment vulnerability occurs when an application automatically performs the mapping between a request parameters and a model attributes. This vulnerability can be leveraged by an attacker to modify internal attributes which should not be exposed to the end user and can have multiple impacts depending on the application logic like the gain of privileges or the leak of sensitive information.

Solution

The application should control the access to the attributes by using an explicit allowlist of parameters through the attr_accessible method.

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html

https://guides.rubyonrails.org/v3.2.9/security.html#mass-assignment

https://stephensclafani.com/2010/01/04/ruby-on-rails-secure-mass-assignment/

Plugin Details

Severity: High

ID: 112808

Type: remote

Family: Component Vulnerability

Published: 6/18/2021

Updated: 8/29/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 915

OWASP: 2010-A1, 2013-A1, 2013-A9, 2017-A1, 2017-A9, 2021-A6, 2021-A8

WASC: Improper Input Handling

DISA STIG: APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(e)

ISO: 27001-A.13.1.3, 27001-A.13.2.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5

NIST: sp800_53-AC-4, sp800_53-CM-6b

OWASP API: 2019-API6, 2023-API3

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.1.2

PCI-DSS: 3.2-6.2, 3.2-6.5.1