Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Allowing user input to set sensitive attributes such as ‘role’ or ‘banned’ by including them in a ‘permit’ call lets an attacker who adds those fields to an ordinary request assign themselves elevated privileges or bypass restrictions. This exposes critical parts of your application’s security model to manipulation.
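The following is an added example, not code from the original page: it reproduces the mass-assignment pattern described above in plain Ruby so it runs without Rails. The `permit_params` helper, the `User` class and the constructed request body are assumptions that stand in for `ActionController::Parameters#permit`, an ActiveRecord model and a real HTTP request; the vulnerable update permits `role` and `banned` from the request, while the hardened update permits only profile fields and changes `role` through a separately authorized path.

```ruby
# Added example (not from the original page): plain-Ruby stand-ins for Rails
# strong parameters and an ActiveRecord model, so the CWE-915 pattern runs
# without Rails installed.

# Minimal stand-in for a persisted user record.
class User
  ATTRIBUTES = %w[name email role banned].freeze
  attr_reader :attributes

  def initialize(name:, email:, role: "member", banned: false)
    @attributes = { "name" => name, "email" => email, "role" => role, "banned" => banned }
  end

  # Mass assignment, as update(attrs) does on a model: every key present in
  # the hash overwrites the matching attribute, privileged ones included.
  def update(attrs)
    attrs.each do |key, value|
      raise ArgumentError, "unknown attribute #{key}" unless ATTRIBUTES.include?(key.to_s)
      @attributes[key.to_s] = value
    end
    self
  end

  def role
    @attributes["role"]
  end

  def banned
    @attributes["banned"]
  end
end

# Stand-in for params.permit(*keys) (assumption): keeps only the listed keys
# of the request parameters and drops everything else.
def permit_params(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# VULNERABLE: `role` and `banned` are permitted straight from the request, so
# a crafted profile edit can raise privileges or lift a ban.
def update_profile_vulnerable(user, params)
  user.update(permit_params(params, :name, :email, :role, :banned))
end

# HARDENED: only fields the user may edit are permitted; privileged attributes
# are never read from the request at all.
def update_profile_safe(user, params)
  user.update(permit_params(params, :name, :email))
end

# Privileged attributes change only through an explicitly authorized path.
def set_role_as_admin(actor, user, role)
  raise SecurityError, "only admins may change roles" unless actor.role == "admin"
  user.update("role" => role)
end

# Constructed request body: a normal profile edit with extra privileged fields.
MALICIOUS_PARAMS = {
  "name" => "Mallory", "email" => "mallory@example.test",
  "role" => "admin", "banned" => false
}.freeze

# Runs both update paths against a banned member and reports the resulting
# role and ban state for each.
def demo
  escalated = update_profile_vulnerable(
    User.new(name: "Mallory", email: "mallory@example.test", banned: true), MALICIOUS_PARAMS
  )
  contained = update_profile_safe(
    User.new(name: "Mallory", email: "mallory@example.test", banned: true), MALICIOUS_PARAMS
  )
  { vulnerable: [escalated.role, escalated.banned], safe: [contained.role, contained.banned] }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script shows the vulnerable path ending with role `admin` and `banned` false, while the hardened path leaves the member banned with the default role; the detection point for a reviewer is any `permit` list that names an attribute the current user should not be able to choose.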
Impact
If exploited, attackers could grant themselves admin access, unban their accounts, or otherwise alter protected user properties. This can lead to unauthorized actions, data breaches, and loss of control over who can perform sensitive operations in your application.