Hackers Love Mass Assignment
| Language | Quality | Has Audio | Source | Media |
|---|---|---|---|---|
| English | High | true | Other | QuickTime |
Your site may be at risk! When using mass assignment, you are giving the user complete control over that model and its associations. See how a hacker might use this vulnerability and learn how to stop it in this episode.
Tags: Ruby On Rails, Ruby, Web Development, Hacking, Security
Resources referenced in this screencast
Articles Related to this Topic
Do not create records directly from form parameters
If the attacker knows that the User model has an “admin” column, the newly created user will have administrator rights. One solution to this problem is not to use mass-assignment at all and to assign each value individually. Another solution is to protect certain attributes so that they cannot be assigned through mass-assignment and must be set individually. The following line in your model will protect the “admin” attribute, i.e. it will be ignored during mass-assignment.
Creating records directly from form parameters
Active Record provides two ways of securing sensitive attributes from being overwritten by malicious users who change the form. The first is attr_protected, which denies mass-assignment the right to change the named parameters.
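The following is an added example, not code from the screencast or from the Rails guides quoted above. It is a plain-Ruby stand-in for an Active Record model that reproduces mass assignment from a params hash, so the behaviour described in both excerpts can be run without Rails: the vulnerable form writes every column it is handed, while the attr_protected-style form drops the “admin” key. It also goes one step beyond the page by showing the whitelist counterpart (Rails' attr_accessible, the second of the two ways the excerpt mentions but does not show). The User class, its attribute lists and the tampered request parameters are all constructed for this illustration.

```ruby
# Added example, not code from the screencast or the Rails guides it quotes.
# A plain-Ruby stand-in for an Active Record model: it reproduces mass
# assignment from a params hash so the attr_protected behaviour can be run
# without Rails. The User class, its attribute lists and the sample
# parameters are all constructed for this illustration.

class User
  ATTRIBUTES = %w[name email admin].freeze   # the model's "columns"
  PROTECTED  = %w[admin].freeze              # stand-in for: attr_protected :admin
  ACCESSIBLE = %w[name email].freeze         # stand-in for: attr_accessible :name, :email

  attr_reader(*ATTRIBUTES.map(&:to_sym))

  def initialize
    @admin = false # default for a freshly created record
  end

  # Vulnerable: every known column present in params is written, "admin" included.
  # This is what User.new(params[:user]) does with no protection in place.
  def unsafe_mass_assign(params)
    assign(params) { |_key| true }
  end

  # Blacklist (attr_protected): the named attributes are silently skipped,
  # everything else is assigned.
  def protected_mass_assign(params)
    assign(params) { |key| !PROTECTED.include?(key) }
  end

  # Whitelist (attr_accessible): only the named attributes are ever assigned,
  # so a column added to the model later is protected by default.
  def accessible_mass_assign(params)
    assign(params) { |key| ACCESSIBLE.include?(key) }
  end

  private

  # Shared assignment loop; the block decides whether a given key may be written.
  def assign(params)
    params.each do |key, value|
      key = key.to_s
      next unless ATTRIBUTES.include?(key) # unknown fields are ignored entirely
      next unless yield(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

# Constructed request parameters: a signup form that only carried name and
# email, to which an extra "admin" field has been appended on the client side.
TAMPERED_PARAMS = {
  "name"  => "mallory",
  "email" => "mallory@example.test",
  "admin" => true,
}.freeze

# Returns the admin flag each strategy ends up with for the tampered request.
def admin_flag_by_strategy
  {
    unsafe:     User.new.unsafe_mass_assign(TAMPERED_PARAMS).admin,
    protected:  User.new.protected_mass_assign(TAMPERED_PARAMS).admin,
    accessible: User.new.accessible_mass_assign(TAMPERED_PARAMS).admin,
  }
end

if __FILE__ == $PROGRAM_NAME
  admin_flag_by_strategy.each { |strategy, flag| puts "#{strategy}: admin=#{flag}" }
end
```

Running the file prints one line per strategy; only the unsafe one ends up with admin=true. The whitelist variant is the safer default in a real application because a newly added sensitive column is protected without anyone remembering to list it, whereas the blacklist only covers the columns someone thought to name.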
