I immediately thought Mass Assignment Vulnerability!
The part that raised my alarm was:
and
There are no mentions in that article of the words ‘security’ or ‘mass assignment’, so I wonder how much awareness there is of this issue.
Does anybody have cycles to test it out?
Is there any documentation for the OData ASP.NET Web API on this topic? I couldn't find any references in either OData in WebAPI – RC release or OData support in ASP.NET Web API.
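To make the concern concrete, here is an added example (my own illustration, not code from the OData/Web API article or from Microsoft) of the mass assignment pattern as it would look in an ASP.NET Web API controller backed by Entity Framework. The `User`, `UserUpdateDto`, `AppDbContext` and controller names are all hypothetical; the point is the shape of the code, not a specific project.

```csharp
// Added example, not from the original post. Assumes an EF DbContext with a Users DbSet
// and a User entity carrying a server-controlled IsAdmin flag; all names are hypothetical.
using System.Data.Entity;
using System.Net;
using System.Net.Http;
using System.Web.Http;

public class User
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // server-controlled; must never be set from a request body
}

public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

// Vulnerable pattern: the whole entity is model-bound from the request body and persisted as-is.
// Every public settable property, IsAdmin included, becomes writable by whoever can call PUT.
public class UsersController : ApiController
{
    private readonly AppDbContext db = new AppDbContext();

    [HttpPut]
    public HttpResponseMessage Put(int id, User user)
    {
        if (id != user.Id)
            return Request.CreateResponse(HttpStatusCode.BadRequest);
        db.Entry(user).State = EntityState.Modified;   // marks ALL columns as changed
        db.SaveChanges();
        return Request.CreateResponse(HttpStatusCode.NoContent);
    }
}

// Hardened pattern: bind a DTO that exposes only the fields a client is allowed to change,
// load the real entity from the database, and copy those fields across explicitly.
public class UserUpdateDto
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public class SafeUsersController : ApiController
{
    private readonly AppDbContext db = new AppDbContext();

    [HttpPut]
    public HttpResponseMessage Put(int id, UserUpdateDto dto)
    {
        var user = db.Users.Find(id);
        if (user == null)
            return Request.CreateResponse(HttpStatusCode.NotFound);
        user.DisplayName = dto.DisplayName;   // explicit allow-list of mutable fields
        user.Email = dto.Email;
        db.SaveChanges();                     // IsAdmin is never touched by this action
        return Request.CreateResponse(HttpStatusCode.NoContent);
    }
}
```

The second controller is the same fix the "6 Ways To Avoid Mass Assignment in ASP.NET MVC" article below describes for MVC (a view model or explicit property copy); a simple check for any Web API or OData endpoint is to look for actions that accept the EF entity type itself as a parameter and then call `SaveChanges`.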
Mass Assignment Vulnerability references:
- Mass assignment in Rails applications « blog.mhartl | Michael Hartl's tech blog
- Finding and fixing mass assignment problems in Rails applications « blog.mhartl | Michael Hartl's tech blog
- #26 Hackers Love Mass Assignment – RailsCasts
- Ruby on Rails Guides: Ruby On Rails Security Guide
- http://en.wikipedia.org/wiki/Mass_assignment_vulnerability
- 6 Ways To Avoid Mass Assignment in ASP.NET MVC
- On Rails mass-assignment, Github and the apocalypse :: Labs :: Headshift
- OWASP Heiko Webers Ruby on Rails Security (pdf)
- Newest 'mass-assignment' Questions - Stack Overflow
- "Two Security Vulnerabilities in the Spring Framework’s MVC" pdf (from 2008)
- Why ASP.NET MVC is 'insecure by design', just like Spring MVC (and why SAST can help)
- Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)
- Solution for fixing Spring's JPetStore AutoBinding vulnerabilities
- Dinis Cruz Blog: Current O2 support for analyzing Spring MVC
- Finally ... here is how I have been analysing Spring MVC apps using O2
- Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
- Starting to use the O2 Spring MVC viewer on ThreadFix
- ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)