This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
gsman1
Absent Member.
Absent Member.
‎2015-07-20 14:17
13744 views

What to do with "Mass Assignment: Insecure Binder Configuration"?

Heated discussions at my client around this relatively new (well since 2015.1) rule. "Mass Assignment: Insecure Binder Configuration"

After reading the explanantion and resolution advise most peoples response is: "yes, sure but our implementation is not so naive. we only have backing objects that only contain the fields that need to be exposed." Even the advise for fixing is a bit misleading and give a false sense of security (another place you need to update when adding fields).

So we have most teams mark these as false positives.

What do you do with them?

Tags (2)
0 Likes
Reply
Report Inappropriate Content
2 Replies
dacoursey
Absent Member.
Absent Member.
‎2015-08-14 13:29

Same here, I have yet to see a good "fix" for this category so they get marked false positive.  I have also not seen an exploit PoC for this one.

David

0 Likes
Reply
Report Inappropriate Content
michaella_hess
Absent Member.
Absent Member.
‎2016-04-01 23:13

Apparently these flaws are exploitable, see below.  Hoping to find a solution to remedy this.

http://www.codeproject.com/Articles/471784/Exploiting-Microsoft-MVC-vulnerabilities-using-OWA

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.