Software frameworks sometimes let developers automatically bind HTTP request parameters to program variables or objects, to make the framework easier to use. This convenience can also introduce a vulnerability.
An attacker can sometimes abuse this binding by supplying parameters the developer never intended to be bindable, which in turn creates or overwrites variables or objects in the program code.
This is called a Mass Assignment vulnerability.
How to solve it
- Whitelist the bindable, non-sensitive fields
- Blacklist the non-bindable, sensitive fields
- Use Data Transfer Objects (DTOs)
- Use Hdiv to prevent any type of Mass Assignment attack
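The first three remedies above, shown side by side as an added example that is not part of the original page: a naive binder that copies every request parameter onto a model, an allowlist binder, and a DTO that rejects unknown fields. The User model, the helper names and the request dictionary are constructed for illustration.

```python
# Added example (not from the original page): the User model, the helper
# names and the request dict below are constructed for illustration.
from dataclasses import dataclass, fields


class User:
    """Model with a sensitive field the client must never be able to set."""

    def __init__(self) -> None:
        self.username = ""
        self.email = ""
        self.is_admin = False  # sensitive: set only by server-side logic


def bind_all(target: object, params: dict) -> object:
    """Vulnerable binder: copies every request parameter onto the model,
    so an extra, undocumented parameter such as is_admin lands on the object."""
    for key, value in params.items():
        setattr(target, key, value)
    return target


BINDABLE_FIELDS = frozenset({"username", "email"})  # allowlist of safe fields


def bind_allowlisted(target: object, params: dict) -> object:
    """Hardened binder: only allowlisted fields are copied; the rest are dropped."""
    for key, value in params.items():
        if key in BINDABLE_FIELDS:
            setattr(target, key, value)
    return target


@dataclass
class UserSignupDTO:
    """DTO exposing only the fields a signup request may carry."""

    username: str
    email: str

    @classmethod
    def from_params(cls, params: dict) -> "UserSignupDTO":
        """Reject any parameter that is not a DTO field instead of ignoring it."""
        unknown = set(params) - {f.name for f in fields(cls)}
        if unknown:
            raise ValueError(f"unexpected parameters: {sorted(unknown)}")
        return cls(**params)

    def apply_to(self, user: User) -> User:
        user.username, user.email = self.username, self.email
        return user  # is_admin is never touched by the DTO


# Constructed request: is_admin is the parameter the developer never intended.
REQUEST_PARAMS = {"username": "alice", "email": "alice@example.com", "is_admin": True}
```

Whether a binder should silently drop unknown parameters (allowlist) or fail the request (DTO) is a design choice; failing loudly makes probing for bindable fields visible in application logs.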