Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Allowing mass assignment of sensitive attributes such as `admin` or `account_id` by listing them in `permit` lets users modify critical fields they should not have access to. This exposes the application to unauthorized privilege changes and account takeovers.
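The following is an added example, not code from this rule's documentation or from Rails: it places a controller's permit list that exposes `admin` and `account_id` beside a hardened one, and shows the privileged attributes being set server-side instead. A minimal `Params` stand-in for `ActionController::Parameters` is assumed so the example runs without Rails; the constructed request body is a client attempting to set fields it should not control.

```ruby
# Stand-in for ActionController::Parameters (assumption, not the real Rails class).
# It keeps the relevant semantics: require raises if the key is absent, and
# permit returns only the listed keys, silently dropping everything else.
class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  def require(key)
    value = @hash.fetch(key.to_s) { raise KeyError, "param is missing: #{key}" }
    Params.new(value)
  end

  # Keep only the named scalar keys from the request.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Vulnerable: the client decides :admin and :account_id (the pattern this rule flags).
def user_params_vulnerable(params)
  params.require(:user).permit(:name, :email, :admin, :account_id)
end

# Hardened: only user-editable fields are permitted; privileged attributes
# are never read from the request body.
def user_params_hardened(params)
  params.require(:user).permit(:name, :email)
end

# Privileged attributes are assigned by the application, e.g. from the
# authenticated session, after the request has been filtered.
def build_user(attrs, current_account_id:)
  attrs.merge("account_id" => current_account_id, "admin" => false)
end

# Constructed request body: a client tampering with protected fields.
TAMPERED_REQUEST = {
  "user" => { "name" => "Mallory", "email" => "m@example.com",
              "admin" => true, "account_id" => 1 }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p user_params_vulnerable(Params.new(TAMPERED_REQUEST))  # admin/account_id pass through
  p build_user(user_params_hardened(Params.new(TAMPERED_REQUEST)), current_account_id: 42)
end
```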
Impact
If exploited, an attacker could escalate privileges, gain admin access, or take over ownership of accounts by changing protected attributes. This can lead to data breaches, unauthorized actions, and loss of control over user accounts and permissions.