CWE-915 in APIs

CWE-915, titled "Improperly Controlled Modification of Dynamically-Determined Object Attributes," describes a weakness where software allows an attacker to modify object attributes that were not intended to be changed. This occurs when an application dynamically determines which attributes of an object can be modified, but fails to properly restrict or validate these modifications.

The core issue stems from improper access control over object properties. When an application accepts user input to modify object attributes without proper validation, attackers can manipulate properties that should remain immutable or restricted. This can lead to unauthorized data modification, privilege escalation, or other security violations.

For example, consider a user profile object where an application allows clients to update their own profile information. If the application blindly accepts all attribute modifications without validating whether the user should be allowed to change specific properties (like user role, permissions, or account status), it creates a significant security vulnerability.

In API environments, CWE-915 commonly manifests through several attack patterns. The most prevalent is when APIs accept JSON or XML payloads that map directly to object properties without proper validation. Attackers can exploit this by including unexpected or unauthorized fields in their requests.

Consider a REST API endpoint that updates user profiles:

PUT /api/users/{id}
{
  "username": "newuser",
  "email": "[email protected]",
  "isAdmin": true
}

If the API blindly updates all provided fields without checking whether the authenticated user has permission to modify the "isAdmin" attribute, this represents a classic CWE-915 vulnerability. The application dynamically determined that "isAdmin" is a valid attribute but failed to control whether it should be modifiable by the current user.

Another common scenario involves API responses that include sensitive object properties. If an API returns more data than necessary or exposes internal object state that should be hidden, attackers can leverage this information for further exploitation. This often appears in GraphQL APIs where clients can request specific fields, potentially accessing properties they shouldn't see.

Mass assignment vulnerabilities are a specific form of CWE-915 where APIs automatically bind request parameters to object properties. Frameworks that provide automatic data binding without proper attribute filtering are particularly susceptible. An attacker might send additional parameters that get assigned to object properties, bypassing intended access controls.

Detecting CWE-915 requires both static analysis and dynamic testing approaches. Static analysis tools can examine code for patterns where object properties are dynamically assigned without proper validation. Look for code that directly maps request parameters to object attributes, uses reflection or dynamic property access, or implements generic update methods without attribute filtering.

Dynamic testing involves sending API requests with unexpected or unauthorized attributes to observe how the system responds. Security scanners like middleBrick can automate this process by testing APIs with crafted payloads that attempt to modify restricted attributes. The scanner evaluates whether the API properly validates and restricts attribute modifications.

middleBrick specifically tests for CWE-915 through its Property Authorization check, which examines whether APIs properly control access to object properties. The scanner sends requests attempting to modify sensitive attributes and verifies whether the API enforces appropriate restrictions. This includes testing for:

• Privilege escalation through unauthorized attribute modification
• Property exposure in API responses
• Mass assignment vulnerabilities
• Insufficient input validation for object properties
• Access control bypass through attribute manipulation

The scanner provides a security risk score (A–F) along with detailed findings that identify specific CWE-915 vulnerabilities, their severity, and remediation guidance. This helps developers understand exactly where their APIs are vulnerable and how to fix them.

Fixing CWE-915 requires implementing proper attribute validation and access control. The fundamental principle is to explicitly define which attributes can be modified by which users or roles, rather than allowing dynamic, unrestricted modification.

Here's a secure implementation pattern in Node.js with Express:

const allowedUpdates = {
  'username': true,
  'email': true,
  'profile.bio': true
};

function validateUpdates(user, updates) {
  const errors = [];
  
  for (const [key, value] of Object.entries(updates)) {
    // Check if the attribute is allowed to be updated
    if (!allowedUpdates[key]) {
      errors.push(`Attribute '${key}' is not allowed to be modified`);
      continue;
    }
    
    // Check if the user has permission to modify this attribute
    if (key === 'isAdmin' && !user.isAdmin) {
      errors.push(`Insufficient permissions to modify '${key}'`);
      continue;
    }
    
    // Additional validation logic
    if (key === 'email' && !isValidEmail(value)) {
      errors.push(`Invalid email format for '${key}'`);
    }
  }
  
  return errors;
}

// Usage in API endpoint
app.put('/api/users/:id', async (req, res) => {
  const errors = validateUpdates(req.user, req.body);
  if (errors.length > 0) {
    return res.status(400).json({ errors });
  }
  
  // Proceed with safe updates
  const updatedUser = await User.findByIdAndUpdate(
    req.params.id, 
    req.body, 
    { new: true }
  );
  
  res.json(updatedUser);
});

For frameworks with automatic data binding, implement attribute whitelisting:

// Using a whitelist approach
const userUpdateSchema = {
  type: 'object',
  properties: {
    username: { type: 'string' },
    email: { type: 'string', format: 'email' }
  },
  required: ['username', 'email'],
  additionalProperties: false // Prevent unknown properties
};

// Validate against schema before processing
const validateResult = validate(userUpdateSchema, req.body);
if (!validateResult.valid) {
  return res.status(400).json({ errors: validateResult.errors });
}

Implement role-based attribute access control:

const attributePermissions = {
  admin: ['username', 'email', 'isAdmin', 'permissions'],
  user: ['username', 'email', 'profile.bio']
};

function canModifyAttribute(user, attribute) {
  return attributePermissions[user.role]?.includes(attribute) || false;
}

// In your update logic
if (!canModifyAttribute(req.user, key)) {
  throw new Error(`User role ${req.user.role} cannot modify ${key}`);
}

Always implement comprehensive logging for attribute modification attempts, especially failed ones. This helps detect potential attack patterns and provides audit trails for compliance purposes.