5 Unvalidated data

This chapter covers

  • Understanding which parts of HTTP may be manipulated
  • Using model validation in ASP.NET Core
  • Preventing mass assignment

In 2012, Russian developer Egor Homakov started a discussion on the GitHub issue tracker for the Ruby on Rails framework (if you’re interested, the whole thread is at https://github.com/rails/rails/issues/5228). He was worried about a specific attack called mass assignment, and about whether Ruby on Rails should change its default behavior to prevent developers from falling into this trap. Not happy with the arguably stern replies he got, he searched for and found a mass assignment vulnerability in GitHub itself (which, in turn, was built with Ruby on Rails). As a result, he managed to grant himself full privileges for the Ruby on Rails project on GitHub. To make it obvious to others that he had indeed been able to exploit such a vulnerability, he created a very interesting issue in the bug tracker. The issue has since been updated, but figure 5.1 shows an archived version (the URL of the issue is https://github.com/rails/rails/issues/5239; the screenshot shows a version from 2013, retrieved via the Internet Archive’s Wayback Machine: http://web.archive.org/web/20130818070952/https://github.com/rails/rails/issues/5239).

Figure 5.1 Bug reports from the future

It looks like the issue was created in 3012, about 1,000 years in the future. The bug title and description refer to the Futurama TV series, which is set in the 31st century.

5.1 Looking at HTTP

5.2 ASP.NET Core validation

5.3 Mass assignment

5.4 Secure deserialization

Summary