Simple Ruby on Rails Mass Assignment Testing Part I : Through Browser Console


As Rails 4 makes the Strong Parameters gem its default, debates are going on about the previous Protected Attributes gem. Both aim to counter the mass assignment vulnerability. But what is it really? Mass assignment means setting a model's attributes in bulk from a request hash such as params[:user]; if the whitelist is missing or too broad, a client can set attributes the form never exposed. I will demonstrate with a simple example:

1. Create a new Rails project; let's call it mass_assign:

rails new mass_assign

cd mass_assign

bundle install

2. Now it's time to use the Rails scaffold generator to create a simple User model. We will give it a name and an admin attribute. As you have guessed, an attacker may find a way to make him/herself an admin of your website.

rails g scaffold User name:string admin:integer

3. Run rake db:migrate and start the server.

4. Now go to http://localhost:3000/users/new in your browser and try to create a new user.

5. Open your browser's developer console, find the name field of the form and change its name attribute from user[name] to user[admin]:

6. Submit the form, and you will see the new user saved with admin set:

This is because the scaffold-generated user_params permits mass assignment of the attribute :admin, which it should not in this case: every field name in a form is under the client's control, so everything in the permit list can be set by anyone who can submit the form.

7. We need to fix this problem! Now go to app/controllers/users_controller.rb, and change
def user_params
  params.require(:user).permit(:name, :admin)
end

to

def user_params
  params.require(:user).permit(:name)
end


Pretend you are the hacker and repeat steps 4 to 6. This time you will see this in the terminal running your Rails server (by default Rails only logs the unpermitted parameter and drops it rather than rejecting the request):

And the admin attribute will not be set this time:
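To see the two versions of user_params side by side without starting a server, here is an added example (not code from the original post, and not Rails' own implementation): a dependency-free Params class that imitates the require/permit behaviour of ActionController::Parameters for flat scalar keys, a stand-in User model that mass-assigns whatever hash it is given, and the request body the browser sends after step 5. The attacker's request, the default admin value of 0, and the raise_on_unpermitted option (which mirrors the :raise setting of config.action_controller.action_on_unpermitted_parameters) are assumptions of this sketch.

```ruby
# Added example, not code from the original post. A dependency-free Ruby
# sketch of what strong parameters do to the attacker's request from steps
# 4 to 6: `Params` imitates the require/permit behaviour of Rails'
# ActionController::Parameters (simplified: flat scalar keys only), and
# `User` stands in for the scaffolded ActiveRecord model.

class ParameterMissing < StandardError; end
class UnpermittedParameters < StandardError; end

class Params
  # raise_on_unpermitted mirrors
  # config.action_controller.action_on_unpermitted_parameters = :raise
  def initialize(hash, raise_on_unpermitted: false)
    @hash = hash.transform_keys(&:to_s)
    @raise_on_unpermitted = raise_on_unpermitted
  end

  # require(:user): the nested hash must be present and non-empty;
  # Rails answers a missing one with 400 Bad Request.
  def require(key)
    value = @hash[key.to_s]
    unless value.is_a?(Hash) && !value.empty?
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    Params.new(value, raise_on_unpermitted: @raise_on_unpermitted)
  end

  # permit(:name, ...): only the whitelisted keys survive. Anything else is
  # dropped (Rails logs "Unpermitted parameters: ..." by default) or, with the
  # :raise setting, rejects the whole request.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    unpermitted = @hash.keys - allowed
    if @raise_on_unpermitted && unpermitted.any?
      raise UnpermittedParameters, "found unpermitted parameters: #{unpermitted.join(', ')}"
    end
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Stand-in for the scaffolded User model: User.new(attrs) mass-assigns every
# key it is given, which is exactly why the whitelist matters.
class User
  attr_accessor :name
  attr_reader :admin

  def initialize(attrs = {})
    @admin = 0 # assumed default: nobody is admin unless the attribute is assigned
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  def admin=(value)
    @admin = value.to_i
  end
end

# Constructed request body: what the form sends after the attacker renames
# the name field to user[admin] in the browser console (step 5).
ATTACKER_PARAMS = { "user" => { "name" => "mallory", "admin" => "1" } }.freeze

# The scaffold-generated whitelist from the post: :admin is permitted.
def vulnerable_user_params(params)
  params.require(:user).permit(:name, :admin)
end

# The fixed whitelist from the post: only :name is permitted.
def fixed_user_params(params)
  params.require(:user).permit(:name)
end

# What UsersController#create does with the permitted hash.
def create_user(raw_params, whitelist, raise_on_unpermitted: false)
  params = Params.new(raw_params, raise_on_unpermitted: raise_on_unpermitted)
  User.new(whitelist.call(params))
end

if __FILE__ == $PROGRAM_NAME
  u = create_user(ATTACKER_PARAMS, method(:vulnerable_user_params))
  puts "vulnerable: name=#{u.name} admin=#{u.admin}" # admin=1
  u = create_user(ATTACKER_PARAMS, method(:fixed_user_params))
  puts "fixed:      name=#{u.name} admin=#{u.admin}" # admin=0
end
```

Run it with ruby mass_assign_demo.rb: the same request yields admin=1 through the scaffolded whitelist and admin=0 through the fixed one. The raise_on_unpermitted switch shows the stricter behaviour you get in Rails by setting action_on_unpermitted_parameters to :raise, which turns a silently dropped user[admin] into a failed request and makes tampering visible in tests.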

Read more about this topic

RailsCast
GitHub Public Key Security Vulnerability and Mitigation
