CWE-915 (overpost/mass assignment) and antiforgery when not saving posted object to storage

Question

Veracode has found overpost or mass-assignment flaws (CWE 915) in our MVC portal. Technically, this is true, but I am wondering how much of an effort we would need to put into this, especially since we are already using antiforgery tokens, require SSL, and don't allow our pages to be shown in iframes from a different origin.

In this given example, the MVC request is a post for getting security answers for password recovery. A whole view model is posted to the MVC action. the view model includes the answers, the user's login id, AND the questions (along with page title and a few other things). We validate the answers against the user's answers, and if they are wrong, we redisplay the page with that same view model.

public class ViewModelClassName 
{
    public string SecurityQuestion1 { get; set; }
    public string SecurityAnswer1 { get; set; }
    public string SecurityQuestion2 { get; set; }
    public string SecurityAnswer2 { get; set; }
    public string userId { get; set; }
    public string PageTitle { get; set; }
}

[HttpPost, ValidateAntiForgeryToken]
public ActionResult PasswordRecovery(ViewModelClassName model)
{
    if (!_service.ValidateAnswers(model))
    {
        model.ShowSecurityAnswersMustMatchMessage = true;
        ModelState.AddModelError("answersdontmatch", Resource.SomeLocalizedErrorMessage);
    }
    
    if (ModelState.IsValid)
    {
        return RedirectToAction("Index", "ChangePassword");
    }

    return View(model); <--- model isn't getting rebuild, just redisplayed if there are validation errors
}

The ValidateAnswers functions uses the userid value to load the user record, and conpaires the answers in the db to the answers in the view model.

We are not writing this viewmodel to the database. But we DO reshow that view model if the answers aren't correct or there is a another issue with the ModelState.

An attack would need to get a user's antiforgery token, and then mimic one of our forms to post the data. And the result would be to reshow the Online recovery page with possibly the wrong security questions or page title or whatever.

This seems unlikely and esoteric. Do I need to worry about this, or is CWE-915 more focused on blindly updating the database with a object that's posted to a webpage?

the attack they mention seems to be a certain user elevating their privileges. (So they can inject that field, "isAdmin" on their own end... which already has the anti-forgery token.) What they're suggesting is to separate the db-model and view-model. (So update only the DB fields that you know the form provides... it's a better route anyway when checking for concurrency issues. Check view against DB before updating... if someone else has updated a record that won't be the same...) — pcalkins, Aug 11 '21 at 19:40
The code you posted doesn't update any DB records, so I don't see how you're vulnerable to this. You've also separated the DB and view models. — pcalkins, Aug 11 '21 at 19:52

CWE-915 (overpost/mass assignment) and antiforgery when not saving posted object to storage

0 Answers0