Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.0)  

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Weakness ID: 915
Abstraction: Base
Structure: Simple
Status: Incomplete
Presentation Filter:
+ Description
The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
+ Extended Description

If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability.

This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.

+ Alternate Terms
Mass Assignment:
"Mass assignment" is the name of a feature in Ruby on Rails that allows simultaneous modification of multiple object attributes.
The "Autobinding" term is used in frameworks such as Spring MVC and ASP.NET MVC.
Object injection:
This term seems to be preferred by some PHP application researchers who attack unsafe use of the unserialize() function.
+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
+ Relevant to the view "Development Concepts" (CWE-699)
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Architecture and Design
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.


Ruby (Undetermined Prevalence)

ASP.NET (Undetermined Prevalence)

PHP (Undetermined Prevalence)

Python (Undetermined Prevalence)

Class: Language-Independent (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.


Technical Impact: Modify Application Data

An attacker could modify sensitive data or program variables.

Technical Impact: Execute Unauthorized Code or Commands


Technical Impact: Varies by Context; Alter Execution Logic

+ Observed Examples
Mass assignment allows modification of arbitrary attributes using modified URL.
Source version control product allows modification of trusted key using mass assignment.
Attackers can bypass payment step in e-commerce software.
Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
Use of PHP unserialize function on untrusted input in content management system might allow code execution.
Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
Content management system written in PHP allows code execution through page comments.
Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
Content management system written in Python interprets untrusted data as pickles, allowing code execution.
Python script allows local users to execute code via pickled data.
Python script allows remote attackers to execute arbitrary code using pickled objects.
Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.
Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.
Grails allows binding of arbitrary parameters to modify arbitrary object properties.
Incorrect deserialization in web browser allows escaping the sandbox.
Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.
+ Potential Mitigations

Phase: Implementation

If available, use features of the language or framework that allow specification of whitelists of attributes or fields that are allowed to be modified. If possible, prefer whitelists over black lists.

For applications written with Ruby on Rails, use the attr_accessible (whitelist) or attr_protected (blacklist) macros in each class that may be used in mass assignment.

Phases: Architecture and Design; Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Phase: Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against a white list of internal object attributes or fields that are allowed to be modified.

Phases: Implementation; Architecture and Design

Strategy: Refactoring

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Notes


The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.
+ References
[REF-885] Stefan Esser. "Shocking News in PHP Exploitation". 2009. <>.
[REF-886] Dinis Cruz. ""Two Security Vulnerabilities in the Spring Framework's MVC" pdf (from 2008)". <>.
[REF-887] Ryan Berg and Dinis Cruz. "Two Security Vulnerabilities in the Spring Framework's MVC". <>.
[REF-888] ASPNETUE. "Best Practices for ASP.NET MVC". 2010-09-17. <>.
[REF-889] Michael Hartl. "Mass assignment in Rails applications". 2008-09-21. <>.
[REF-890] Tobi. "Secure your Rails apps!". 2012-03-06. <>.
[REF-891] Heiko Webers. "Ruby On Rails Security Guide". <>.
[REF-892] Josh Bush. "Mass Assignment Vulnerability in ASP.NET MVC". 2012-03-05. <>.
[REF-893] K. Scott Allen. "6 Ways To Avoid Mass Assignment in ASP.NET MVC". 2012-03-12. <>.
[REF-894] Egidio Romano. "PHP Object Injection". 2013-01-22. <>.
[REF-464] Heine Deelstra. "Unserializing user-supplied data, a bad idea". 2010-08-25. <>.
[REF-466] Nadia Alramli. "Why Python Pickle is Insecure". 2009-09-09. <>.
+ Content History
Submission DateSubmitterOrganization
2013-01-26CWE Content TeamMITRE
Contribution DateContributorOrganization
2013-01-26Dan Amodio, Dave WichersAspect Security
Suggested adding mass assignment, provided references, and clarified relationship with AutoBinding.
Modification DateModifierOrganization
2013-07-17CWE Content TeamMITRE
updated References
2017-05-03CWE Content TeamMITRE
updated Potential_Mitigations
2017-11-08CWE Content TeamMITRE
updated References

More information is available — Please select a different filter.
Page Last Updated: January 18, 2018