{"id":785,"date":"2021-03-24T09:33:47","date_gmt":"2021-03-24T09:33:47","guid":{"rendered":"https:\/\/cas.cybercop-training.ch\/?page_id=785"},"modified":"2021-05-23T15:28:12","modified_gmt":"2021-05-23T15:28:12","slug":"rails-mass-assignment","status":"publish","type":"page","link":"https:\/\/cas.cybercop-training.ch\/index.php\/rails-mass-assignment\/","title":{"rendered":"Rails Mass Assignment"},"content":{"rendered":"<h2>1. Introduction<\/h2>\n<blockquote><p>In order to reduce the work for developers, many frameworks provide convenient mass-assignment functionality. This lets developers inject an entire set of user-entered data from a form directly into an object or database. Without it, developers would be forced to tediously add code specifically for each field of data, cluttering the code base with repeated form mapping code.<\/p><\/blockquote>\n<p>The downside of this functionality is that it is often implemented without a whitelist that prevents users from assigning data to protected fields. An attacker may exploit this vulnerability to gain access to sensitive data or to cause data loss.<\/p>\n<p>Your goals in this exercise are:<\/p>\n<ol>\n<li>Create a comment with a timestamp in the future<\/li>\n<li>Extend a user account with admin rights<\/li>\n<\/ol>\n<h2>2. 
Solution<\/h2>\n<p>First we need to register a user account and check the source code of the profile page:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/05\/source02.png\" alt=\"\" \/><\/p>\n<p>There we see a div with the class <code>is_admin<\/code> and a comment reading User has role admin: No.<\/p>\n<p>Let&#8217;s start an interception proxy and see if we can manipulate the request when we update our profile:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/05\/set_admin.png\" alt=\"\" \/><\/p>\n<p>We update the request by adding the string <code>&amp;user%5Bis_admin%5D=true<\/code><\/p>\n<p>After that we successfully elevated our privileges from user to admin role!<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/05\/admin_profile.png\" alt=\"\" \/><\/p>\n<p>The second challenge is to post a guestbook entry with a timestamp from the future.<\/p>\n<p>By checking the page source code we see a class element <code>&lt;em class=\"created_at\"&gt;<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/05\/source03.png\" alt=\"\" \/><\/p>\n<p><code>created_at<\/code> could be a hint, but I had to guess and tried several combinations until I had success:<\/p>\n<blockquote><p>&amp;date%5Bcreated_at%5D=2099-12-31+23%3A59%3A59+UTC&amp;commit=Save<\/p>\n<p>&amp;%5Bcreated_at%5D=2099-12-31+23%3A59%3A59+UTC&amp;commit=Save<\/p>\n<p>&amp;created_at=2099-12-31+23%3A59%3A59+UTC&amp;commit=Save<\/p><\/blockquote>\n<p>With this one I had success:<\/p>\n<blockquote><p>&amp;entry%5Bcreated_at%5D=2099-12-31+23%3A59%3A59+UTC&amp;commit=Save<\/p><\/blockquote>\n<p><img decoding=\"async\" src=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/05\/gb_entry_timestamp.png\" alt=\"\" \/><\/p>\n<h2>3. 
Mitigation<\/h2>\n<p>The developer should change the code to either explicitly assign the attributes for the allowed fields, or use a whitelisting function provided by the framework (Ruby on Rails in this case).<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\"> def signup\r\n  # Explicit assignment:\r\n\r\n  @user = User.create(\r\n    email: params[:user][:email],\r\n    password: params[:user][:password]\r\n  )\r\n\r\n  # or whitelisting:\r\n\r\n  @user = User.create(\r\n    params.require(:user).permit(:email, :password)\r\n  )\r\nend<\/pre>\n<p>PDF Report<\/p>\n<p><a href=\"https:\/\/cas.cybercop-training.ch\/wp-content\/uploads\/2021\/05\/mass1.pdf\" class=\"mtli_attachment mtli_pdf\">mass#1<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. Introduction In order to reduce the work for developers, many frameworks provide convenient mass-assignment functionality. This lets developers inject an entire set of user-entered data from a form directly into an object or database. 
Without it, developers would be forced to tediously add code specifically for each field of data, cluttering the code base [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-785","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/pages\/785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/comments?post=785"}],"version-history":[{"count":4,"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/pages\/785\/revisions"}],"predecessor-version":[{"id":1035,"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/pages\/785\/revisions\/1035"}],"wp:attachment":[{"href":"https:\/\/cas.cybercop-training.ch\/index.php\/wp-json\/wp\/v2\/media?parent=785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}