# Mass Assignment

To make a framework easier to use, software frameworks sometimes let developers bind HTTP request parameters to program variables or objects automatically. This convenience can be dangerous.

An attacker can sometimes use this mechanism to supply parameters the developer never anticipated, and thereby create or overwrite variables or objects in the program code that were never meant to be set from a request.

This feature becomes exploitable when the following conditions hold:

* The attacker can guess the names of common sensitive fields.
* The attacker has access to the source code and can review the model for sensitive fields.
* And the object containing the sensitive fields has an empty (no-argument) constructor.

## Example

Suppose there is a form for editing a user's account information (the original page's form had `text="text"` on the email input and a field named `userId` that did not match the `userid` field of the bound class; both are corrected here so the form matches the controller and the requests below):

```html
<form method="POST" action="/addUser">
     <input name="userid" type="text">
     <input name="password" type="text">
     <input name="email" type="text">
     <input type="submit">
</form>
```

Here is the object the form is bound to:

```java
import lombok.Data;

// Lombok's @Data generates a public getter and setter for every field below,
// including isAdmin, which the form never exposes but the binder can still set.
@Data
public class User {
   private String userid;
   private String password;
   private String email;
   private boolean isAdmin;
}
```

Here is the controller that handles the request (the surrounding class and the `userService` field were implied but not shown on the original page; `UserService` is assumed):

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class UserController {

   @Autowired
   private UserService userService; // assumed service that persists the user

   // Spring binds every request parameter whose name matches a User setter,
   // not just the three fields that the form actually contains.
   @RequestMapping(value = "/addUser", method = RequestMethod.POST)
   public String submit(User user) {
      userService.add(user);
      return "successPage";
   }
}
```

Here is a typical request:

```http
POST /addUser
...
userid=attacker&password=s3cret_pass&email=attacker@attacker-website.com
```

Here is the exploit request, in which we set the `isAdmin` property of the `User` instance even though the form never offers that field:

```http
POST /addUser
...
userid=attacker&password=s3cret_pass&email=attacker@attacker-website.com&isAdmin=True
```
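As an added example (not code from the original page), here is a hardened version of the controller above that applies two standard mitigations: a form-facing DTO that simply has no `isAdmin` setter, and an `@InitBinder` allow-list that drops any parameter outside the three form fields. `UserService`, its `add()` method and the view name are assumed, as on the page; `User` is the page's Lombok class.

```java
// Added example: hardened controller for the /addUser form.
// UserService and "successPage" are assumed, as in the original page.
import lombok.Data;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class UserController {

    // Form-facing DTO: it contains only the fields the account form may set.
    // There is no isAdmin property here, so "isAdmin=True" has nothing to bind to.
    @Data
    public static class UserForm {
        private String userid;
        private String password;
        private String email;
    }

    @Autowired
    private UserService userService; // assumed persistence service

    // Defence in depth at the binder level: only these parameter names are
    // bound into the "userForm" model attribute; anything else is ignored,
    // even if someone later adds a sensitive field to UserForm.
    @InitBinder("userForm")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("userid", "password", "email");
    }

    @PostMapping("/addUser")
    public String submit(UserForm userForm) {
        // Copy the allowed fields explicitly into the entity. isAdmin keeps
        // its default (false); privilege is granted by server-side logic only,
        // never from request parameters.
        User user = new User();
        user.setUserid(userForm.getUserid());
        user.setPassword(userForm.getPassword());
        user.setEmail(userForm.getEmail());
        userService.add(user);
        return "successPage";
    }
}
```

With this controller the exploit request above still succeeds as a normal account edit, but the extra `isAdmin` parameter is silently discarded at both the DTO and the binder.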
