What is Mass Assignment? | Security Engineer Interview Questions

Mass Assignment is a powerful authorization vulnerability that researchers and attackers have used to compromise popular sites such as GitHub. It relies on an attacker being able to discover and tamper with parameters that are passed through to the server side. Attackers identify and exploit insecure implementations of authorization caused by developer error in validating and handling request parameters in popular #MVC (Model View Controller) frameworks. #MassAssignment became widely known when GitHub, a Ruby on Rails application, was compromised; however, the vulnerability affects applications across languages and frameworks alike. More recently, Mass Assignment has become a serious vulnerability against APIs, including REST and GraphQL, and over the last year it has become one of the key items in the OWASP #APISecurity Top 10.

In this video Abhay explores Mass Assignment in typical #AppSecEngineer style. He explains what Mass Assignment is and how it can affect your application and API. He then demonstrates a Mass Assignment attack against a NodeJS Express Web API using the Mongoose ODM, and afterwards walks through some of the key defences against Mass Assignment.
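As an added example (not the video's own demo code), here is a stripped-down stand-in for the kind of Express profile-update handler and Mongoose-backed user document the description refers to, showing the mass-assignment pattern beside an allow-list fix. The in-memory store, field names, handler names and request body are all constructed for this example and are not taken from the video.

```javascript
'use strict';
// Added example, not the video's code. A minimal stand-in for an Express
// handler that updates a user document; Express and Mongoose are replaced
// by plain objects so the example runs offline. All data is constructed.

// In-memory "collection": each document mixes fields the user may edit
// (email, displayName) with fields only the server should set (role, verified).
function makeStore() {
  return new Map([
    [1, { id: 1, username: 'alice', email: 'alice@example.test',
          displayName: 'Alice', role: 'user', verified: false }],
  ]);
}

// Allow-list: the only fields a user may change about their own profile.
const EDITABLE_FIELDS = ['email', 'displayName'];

// VULNERABLE: binds every key of the request body onto the document, so a
// body that also carries "role" or "verified" rewrites privileged fields.
function updateProfileVulnerable(store, userId, body) {
  const user = store.get(userId);
  if (!user) return { status: 404 };
  Object.assign(user, body); // mass assignment: no allow-list
  return { status: 200, user };
}

// HARDENED: copy only allow-listed fields, and reject (rather than silently
// drop) any other keys so the request can be logged as a tampering signal.
function updateProfileHardened(store, userId, body) {
  const user = store.get(userId);
  if (!user) return { status: 404 };
  const unexpected = Object.keys(body).filter((k) => !EDITABLE_FIELDS.includes(k));
  if (unexpected.length > 0) {
    return { status: 400, error: `unexpected fields: ${unexpected.join(', ')}` };
  }
  for (const field of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      user[field] = body[field];
    }
  }
  return { status: 200, user };
}

// Constructed request body: a legitimate email change with a privileged
// field smuggled in alongside it, exactly the parameter tampering the
// description talks about.
const TAMPERED_BODY = JSON.parse('{"email":"alice@example.test","role":"admin"}');

// Run both handlers against fresh copies of the store and return the outcomes.
function demo() {
  const vulnerable = updateProfileVulnerable(makeStore(), 1, { ...TAMPERED_BODY });
  const hardened = updateProfileHardened(makeStore(), 1, { ...TAMPERED_BODY });
  return { vulnerable, hardened };
}

const outcome = demo();
console.log('vulnerable handler left role =', outcome.vulnerable.user.role);
console.log('hardened handler responded', outcome.hardened.status, outcome.hardened.error);
```

The point of the allow-list is that the server, not the client, decides which document fields a request may touch; adding a new privileged field to the schema later does not widen what a client can set. Returning 400 on unexpected keys, instead of dropping them, also gives the application a log line to alert on when someone is probing parameters.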
0:00 - Intro
1:07 - What is Mass Assignment?
8:09 - Exploiting and Defending Mass Assignment Demo