Detailed Technical Analysis of "Mass Assignment Vulnerability in Pass Culture"
Overview:
This write-up by Aeth details an in-depth exploration of a mass assignment vulnerability found in Pass Culture, a French application designed to promote access to culture for young people. The write-up describes the discovery, exploitation, and reporting of the vulnerability, and how it allowed an attacker to escalate privileges and manipulate sensitive data.
Key Technical Details:
-
Mass Assignment Overview:
Mass assignment is a vulnerability where an attacker can exploit improper whitelisting or blacklisting properties during data binding operations. By crafting API requests that include additional parameters, an attacker can modify unintended properties and escalate privileges or manipulate sensitive data. -
The Discovery Process:
The researcher started by exploring the API endpoints and functionality of the Pass Culture application. By intercepting the registration and profile update requests via tools like Burp Suite, they noted which parameters were being sent and their corresponding values. -
Exploitation Steps:
- Initial Analysis: The process began with analyzing JSON payloads during registration. By modifying the payload to include additional fields, the researcher observed that the backend accepted and processed them.
- Identifying Privileged Fields: The researcher then identified privileged fields (e.g.,
isAdmin
,offerType
) by experimenting with different field names and checking the response. This trial-and-error method leveraged knowledge of typical field names from other applications.json { "email": "[email protected]", "password": "Password123", "isAdmin": true }
-
Manipulating Data for Privilege Escalation: By crafting a modified registration request to include a privileged field (like
isAdmin
), they successfully registered an account with elevated privileges. The endpoint did not properly validate that only administrators should set theisAdmin
field:json { "email": "[email protected]", "password": "Password123", "profile": { "firstName": "Attacker", "lastName": "User", "isAdmin": true } }
-
Real-World Impact:
- Privilege Escalation: By becoming an admin, the attacker could access the administrative panel and manage resources with high privileges.
- Accessing Sensitive Information: Admin privileges could potentially allow access to sensitive user information, control over offers and deals, and the ability to manipulate significant portions of the application's functionality.
-
Business Logic Flaws: This vulnerability is an example of how overlooking input validation rules can lead to severe security implications.
-
Reporting and Response:
- Responsible Disclosure: The researcher responsibly reported the issue to Pass Culture, providing detailed steps and proof-of-concept payloads.
- Patch and Fix Implementation: Pass Culture acknowledged the issue and implemented a fix to ensure only whitelisted fields are processed during mass assignment.
- Security Improvements: This incident led to broader security reviews and improvements in handling user input and data binding within their API.
Key Takeaways:
- Field Whitelisting: Always use a strict whitelist approach for data binding to ensure only the intended fields are processed.
- Parameter Validation: Implement comprehensive validation on both client-side and server-side to prevent unauthorized modification of sensitive fields.
- Role-based Access Controls (RBAC): Enforce robust RBAC to check if a user has the appropriate permissions for the requested operations.
- Regular Security Audits: Conduct periodic security audits and penetration testing to identify and address potential vulnerabilities.
- Awareness and Training: Educate developers about common vulnerabilities like mass assignment and best practices for secure coding.
Conclusion:
The write-up effectively showcases mass assignment vulnerabilities' real-world implications and the critical importance of secure data-handling practices. It also underscores the necessity for continuous security testing and responsible disclosure to maintain application integrity and protect user data.
For full details, check the original write-up here.