Property
Language: ruby
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Allowing sensitive attributes such as :admin, :role, :banned, or :account_id to be mass-assigned, by listing them in a strong-parameters permit call or in attr_accessible, lets an attacker set those fields simply by adding them to an otherwise ordinary request. Using params.permit! is especially risky because it lets every incoming field through with no allowlist at all.
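The following is an added example, not code from the original page or from the scanner that produced this rule. Because it has to run without Rails, it uses a small plain-Ruby stand-in for strong parameters (permit_params mirrors the allowlist behaviour of permit, permit_all mirrors permit!, and User with assign_attributes stands in for a model's mass assignment); those helper names and the constructed CRAFTED_PARAMS request are assumptions for illustration. It shows the vulnerable allowlist beside the hardened one, and a review-time check that reports which sensitive keys survive a given permit list.

```ruby
require 'set'

# Constructed crafted request: a normal profile update that also carries
# attributes the requesting user must never be able to set.
CRAFTED_PARAMS = {
  'name'       => 'alice',
  'email'      => 'alice@example.com',
  'admin'      => 'true',   # privilege escalation
  'role'       => 'owner',
  'banned'     => 'false',
  'account_id' => '42'      # account hijack
}.freeze

# Attributes that should never be reachable through mass assignment.
SENSITIVE_ATTRIBUTES = %w[admin role banned account_id].freeze

# Hypothetical stand-in for ActionController::Parameters#permit:
# keep only the allowlisted keys and silently drop everything else.
def permit_params(params, allowed)
  allowed_set = Set.new(allowed.map(&:to_s))
  params.select { |key, _| allowed_set.include?(key) }
end

# Hypothetical stand-in for params.permit!: every field passes through.
def permit_all(params)
  params.dup
end

# Plain-Ruby stand-in for a model whose attributes are mass-assigned.
class User
  attr_accessor :name, :email, :admin, :role, :banned, :account_id

  def initialize
    @admin = false
    @role = 'member'
    @banned = false
    @account_id = 1
  end

  # Mirrors ActiveRecord's assign_attributes: one setter call per key.
  def assign_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Vulnerable: :admin and :account_id are part of the allowlist, so the
# crafted request flips admin and re-parents the user to another account.
def update_user_vulnerable(params)
  User.new.assign_attributes(permit_params(params, %i[name email admin account_id]))
end

# Worse: permit! lets every crafted field through, including :role and :banned.
def update_user_permit_all(params)
  User.new.assign_attributes(permit_all(params))
end

# Hardened: only the profile fields the user may edit are allowlisted;
# every sensitive key is dropped before it reaches the model.
def update_user_hardened(params)
  User.new.assign_attributes(permit_params(params, %i[name email]))
end

# Review-time check: which sensitive keys would this permit list let through?
# An empty result is the expected outcome for a safe allowlist.
def leaked_sensitive_keys(permitted)
  permitted.keys & SENSITIVE_ATTRIBUTES
end

if __FILE__ == $0
  puts "vulnerable  -> admin=#{update_user_vulnerable(CRAFTED_PARAMS).admin.inspect}"
  puts "permit!     -> role=#{update_user_permit_all(CRAFTED_PARAMS).role.inspect}"
  puts "hardened    -> admin=#{update_user_hardened(CRAFTED_PARAMS).admin.inspect}"
  puts "leaked keys -> #{leaked_sensitive_keys(permit_params(CRAFTED_PARAMS, %i[name email admin account_id])).inspect}"
end
```

The fix in a real Rails controller is the same shape as the hardened case: keep the permit list to fields the current user is entitled to change, and assign privileged fields such as :admin or :account_id only from server-side code paths that have already authorised the caller.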

Impact

If exploited, attackers could escalate their privileges, ban users, or hijack other accounts by manipulating these critical attributes. This could lead to unauthorized access, data breaches, or loss of control over user roles and permissions within the application.