By accepting persistent entities as method arguments, the application allows clients to manipulate the object’s properties directly.
What is the potential impact?
Attackers could forge malicious HTTP requests that will alter unexpected properties of persistent objects. This can lead to unauthorized
modifications of the entity’s state. This is known as a mass assignment attack.
Depending on the affected objects and properties, the consequences can vary.
Privilege escalation
If the affected object is used to store the client’s identity or permissions, the attacker could alter it to change their entitlement on the
application. This can lead to horizontal or vertical privilege escalation.
Security checks bypass
Because persistent objects are modified directly without prior logic, attackers could exploit this issue to bypass security measures otherwise
enforced by the application. For example, an attacker might be able to change their e-mail address to an invalid one by directly setting it without
going through the application’s email validation process.
The same could also apply to passwords that attackers could change without complexity validation or knowledge of their current value.
