Wednesday, 23 January 2013

OData ASP.NET Web API: An Mass Assignment vulnerability in the making?

When I saw Getting started with OData services in ASP.NET Web API (via reddit) :


I immediately thought Mass Assignment Vulnerability!

The part that raised my alarm was:




There are no mentions in that article of the words ‘security’ or ‘mass assignment’ so I wonder how much awareness there is for this issue?

Anybody has cycles to test it out?

Is there any documentation for the OData ASP.NET Web API on this topic? I couldn't find any references in OData in WebAPI – RC release and OData support in ASP.NET Web API

Mass Assignment Vulnerability references:
Auto-Binding Vulnerability references (another name for Mass Assignment):