How to Fix Mass Assignment: Insecure Binder Configuration (Api Abuse, Structural) in Java

How to fix Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) in java

InitBinder can be used for methods. You can try this.

@InitBinder("findDocByName")
public void initBinderByName(WebDataBinder binder) {
binder.setDisallowedFields(new String[]{"distance","zipcode"});
}


@InitBinder("findDocByLocation")
public void initBinderByZipCode(WebDataBinder binder) {
binder.setDisallowedFields(new String[]{"distance","name"});
}

What is the solution for Mass Assignment: Insecure Binder Configuration Vulnerability?

You may refer to the problem Prevent mass assignment in Spring MVC with Roo.

In your case, you can use @InitBinder provided by Spring MVC. @InitBinder would specify the white list for json and bean mapping.

In my experience, I used @RequestBody for auto-binding. I need to add @JsonIgnore to specify the property that would not include for the mapping.

SimpleController.java

@RequestMapping(value="/simple")
public String simple(@Valid @RequestBody User user){
simpleService.doSomething();
}

User.java

public class User{
private String name;

@JsonIgnore
private String dummy;

public void getName(){return name;}
public void setName(name){this.name = name;}
public void getDummy(){return dummy;}
public void setDummy(dummy){this.dummy= dummy;}

}

mass assignment insecure binder configuration Rest framework , JSON http request :I am not using Spring MVC

This can be implemeted via Jacksonson . Jackson is one of the best JSON Providers/parsers and can be used with Jersey in Rest implemetation.The REST services will produce and consume JSON and the JSON serialization and de-serialization happens automatically behind the scenes

Create View class as :

public class View {

public static class Editable {}
public static class Viewable extends Editable {}
public static class Internal extends Viewable {}
}

Create Model class as :

@JsonIgnoreProperties(ignoreUnknown = true)
@XmlRootElement(name = "activateService")
public class ActivateService implements Serializable {

@JsonView(View.Editable.class)
public String mWalletToken;
@JsonView(View.Editable.class)
public String topMerchantEMPID;
@JsonView(View.Editable.class)
public String serviceCategory;
}

and the Rest -full web service method :

@POST
@Path("/TimRestService")
@Consumes({MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_JSON})
public Response crunchifyREST(@JsonView(View.Editable.class) final ActivateService model, @Context HttpServletRequest request) {

In JAX-RS, if one model(either request or response) is annotated with @JsonView(View.Editable.class), in our case add method, Jackson will only serialize or deserialize fields that are annotated with @JsonView(View.Editable.class).
In our case, client can only pass editableField, if client pass any other fields, server will just silently ignore them.

Use below dependencies in pom.xml

<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson- 
databind -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.5</version>
</dependency>

<!-- https://mvnrepository.com/artifact/com.sun.jersey/jersey-json -->
<dependency>
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-json</artifactId>
<version>1.19.4</version>
</dependency>

Source :- https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet
and http://lifelongprogrammer.blogspot.com/2015/09/using-jackson-view-to-protect-mass-assignment.html

Mass Assignment: Insecure Binder Configuration with Fortify Java 1.8 EJB

Do you expect all fields to be present in request? You are using @Valid annotation but there are no validation annotations in MyClassRequest model. Try to add some validation annotations like @JsonIgnore for non mandatory fields. Or @JsonInclude on class. If this does not help, may be also try explicitly adding @JsonProperty on each field.



Related Topics



Leave a reply



Submit