Time
1 hour 43 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Hey, everyone, welcome back to the course. So in this video, we're gonna talk about mass assignment, so we'll talk about what it is as well as ways we can prevent against it.
00:09
So what is mass assignment? So basically, the API is taking data from the client
00:14
and then storing it without actually filtering it through to make sure it's got whitelisted properties. So what that means is that an attacker can then try to guess certain object properties or provide additional object properties in their API call request. Or they can also do things like reading the API documentation, checking out API endpoints for clues.
00:34
And basically what they're looking for is any way
00:36
that they can modify the properties that they're not supposed to be able to access on the data objects that are stored in the back end. You might remember this from the Harbor privilege escalation breach. So how can we prevent against this? Well, number one, don't automatically bind the incoming data and internal objects, so put some kind of filtering in place.
00:55
Also, define all the parameters and payloads that you're expecting, and for object schemas use readOnly set to true for all properties that could be retrieved via the APIs
01:06
but that should not be modified.
01:08
And then, of course, defining schemas is defining the patterns that you're gonna actually accept in the API call request and enforcing them at run time.
01:19
So just a quick quiz question here: for the object schemas, set this to true for properties that could be retrieved via the APIs but that should never be modified.
01:27
Is that readOnly? Is that readWrite? Or is that API call?
01:34
So if you guessed readOnly, you are correct.
01:38
So in this video, we just talked about what mass assignment is. We also talked about some ways we can prevent it. Again, make sure you're putting some kind of filtering in place. You don't want to automatically bind the incoming data with the internal objects.
01:51
You also want to set definitions for the parameters and payloads that you're actually expecting, so again, going back to whitelisting,
01:57
defining the types and patterns and schemas that you're going to accept in requests and then enforcing those at run time
02:06
and then using readOnly
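The two handler patterns the video contrasts, as an added example that is not part of the course material: a PATCH-style update that binds every client key onto the stored object, beside one that enforces a hypothetical schema whose readOnly properties (here `id` and `is_admin`) and types are checked at run time. The user record and schema are constructed for illustration.

```python
import copy

# Constructed sample record and a hypothetical schema; neither is from the course.
# "readOnly": True marks properties the API may return but a client must never set.
USER_SCHEMA = {
    "id":       {"type": int,  "readOnly": True},
    "username": {"type": str,  "readOnly": False},
    "email":    {"type": str,  "readOnly": False},
    "is_admin": {"type": bool, "readOnly": True},
}
STORED_USER = {"id": 7, "username": "alice", "email": "alice@example.com", "is_admin": False}


class MassAssignmentRejected(ValueError):
    """Request tried to set properties outside the writable allowlist."""
    def __init__(self, rejected):
        super().__init__(f"rejected properties: {sorted(rejected)}")
        self.rejected = sorted(rejected)


def _type_ok(value, expected):
    # bool is a subclass of int in Python, so exclude it explicitly for int fields.
    if expected is int and isinstance(value, bool):
        return False
    return isinstance(value, expected)


def update_user_vulnerable(user, payload):
    """Binds every incoming key straight onto the stored object (mass assignment)."""
    updated = copy.deepcopy(user)
    updated.update(payload)  # no allowlist: "is_admin" or unknown keys come straight through
    return updated


def update_user_safe(user, payload, schema=USER_SCHEMA):
    """Copies only schema-declared, writable, correctly typed properties.
    Any other key fails the whole request instead of being silently dropped."""
    rejected = [
        key for key, value in payload.items()
        if key not in schema
        or schema[key]["readOnly"]
        or not _type_ok(value, schema[key]["type"])
    ]
    if rejected:
        raise MassAssignmentRejected(rejected)
    updated = copy.deepcopy(user)
    updated.update(payload)
    return updated
```

Failing the whole request rather than dropping fields also gives you a log line to alert on, since a legitimate client has no reason to send `is_admin`.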

Instructed By

Ken Underhill
Master Instructor at Cybrary