A6: Mass Assignment

1 hour 43 minutes
Video Transcription
Hey, everyone, welcome back to the course. So in this video, we're gonna talk about mass assignment, so we'll talk about what it is as well as ways we can prevent against it.

So what is mass assignment? So basically, it's the API taking data from the client and then storing it without actually filtering it through to make sure it's got whitelisted properties. So what that means is that an attacker can then try to guess certain object properties or provide additional object properties in their API call request. Or they can also do things like reading the API documentation, checking out API endpoints for clues. And basically what they're looking for is any way that they can modify the properties that they're not supposed to be able to access on the data objects that are stored in the back end. You might remember this from the Harbor privilege escalation breach.

So how can we prevent against this? Well, number one, don't automatically bind the incoming data and internal objects, so put some kind of filtering in place. Also, define all the parameters and payloads that you're expecting, and for object schemas, use read-only set to true for all properties that could be retrieved via the APIs but that should not be modified. And then, of course, defining schemas is defining the patterns that you're gonna actually accept in the API call request and enforcing them at run time.

So just a quick quiz question here: for the object schemas, set this to true for properties that could be retrieved via the APIs but that should never be modified. Is that read-only? Is that read-write? Or is that API call? So if you guessed read-only, you are correct.

So in this video, we just talked about what mass assignment is. We also talked about some ways we can prevent it. Again, make sure you're putting some kind of filtering in place. You don't want to automatically bind the incoming data with the internal objects. You also want to set definitions for the parameters and payloads that you're actually expecting, so again, going back to whitelisting, defining the types and patterns and schemas that you're going to accept in requests, and then, of course, enforcing those at run time, and then using read-only.
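The two handlers below, as an added example that is not part of the course video, put the lesson's defenses side by side: a handler that blindly binds the client payload onto the internal object, and a hardened one that checks the payload against a schema with read-only properties and rejects anything unknown or non-writable before any field is copied. The `User` object, the `USER_SCHEMA` table and the sample request body are all constructed for this illustration.

```python
"""Mass assignment: a vulnerable update handler beside a schema-checked one.

Constructed example (not from the course); the User object, the schema
table and the sample payload are all hypothetical.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False
    credit: int = 0


# Schema in the spirit of an OpenAPI object schema: every property the API
# exposes is listed with its type, and properties a client may read but never
# write carry read_only=True. Anything not listed is not accepted at all.
USER_SCHEMA: Dict[str, Dict[str, Any]] = {
    "id":           {"type": int,  "read_only": True},
    "email":        {"type": str,  "read_only": False},
    "display_name": {"type": str,  "read_only": False},
    "is_admin":     {"type": bool, "read_only": True},
    "credit":       {"type": int,  "read_only": True},
}


def update_user_unsafe(user: User, payload: Dict[str, Any]) -> User:
    """Vulnerable: binds every key of the client payload straight onto the
    internal object, so any property the client names becomes a write."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def validate_update(schema: Dict[str, Dict[str, Any]],
                    payload: Dict[str, Any]) -> List[str]:
    """Enforce the schema at run time. Returns the list of violations;
    an empty list means every property is known, writable and well-typed."""
    problems: List[str] = []
    for key, value in payload.items():
        prop = schema.get(key)
        if prop is None:
            problems.append(f"unknown property: {key}")
        elif prop["read_only"]:
            problems.append(f"read-only property: {key}")
        else:
            # bool is a subclass of int in Python, so reject True/False
            # where an integer is expected rather than letting it slip by.
            type_ok = isinstance(value, prop["type"]) and not (
                prop["type"] is int and isinstance(value, bool))
            if not type_ok:
                problems.append(
                    f"wrong type for {key}: expected {prop['type'].__name__}")
    return problems


def update_user_safe(user: User, payload: Dict[str, Any]) -> User:
    """Hardened: validate first, then copy only allow-listed writable fields."""
    problems = validate_update(USER_SCHEMA, payload)
    if problems:
        raise ValueError("; ".join(problems))
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def demo() -> Tuple[bool, List[str]]:
    """Run both handlers on the same constructed request body: a normal
    profile edit that also carries a property the client may only read."""
    payload = {"display_name": "alice", "is_admin": True}
    victim = update_user_unsafe(User(1, "a@example.com", "Alice"), dict(payload))
    try:
        update_user_safe(User(1, "a@example.com", "Alice"), dict(payload))
        problems: List[str] = []
    except ValueError as exc:
        problems = exc.args[0].split("; ")
    return victim.is_admin, problems


if __name__ == "__main__":
    escalated, problems = demo()
    print("unsafe handler granted admin:", escalated)   # True
    print("safe handler rejected with:", problems)      # ['read-only property: is_admin']
```

The validation step is the run-time enforcement the video asks for: the schema is the single definition of what the endpoint accepts, unknown keys are refused rather than silently dropped (so a client sending a misspelled or probing property gets a visible error), and read-only properties can never be written no matter what the request body contains.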