mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 21:49:40 +03:00
Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
@@ -0,0 +1,100 @@
|
||||
# API Reference: Mass Assignment Vulnerability Testing
|
||||
|
||||
## OWASP API3:2023 — Broken Object Property Level Authorization
|
||||
|
||||
### Description
|
||||
API accepts and processes fields that should not be client-settable.
|
||||
Attackers add extra fields (role, isAdmin) to modify server-side properties.
|
||||
|
||||
## Common Vulnerable Fields
|
||||
|
||||
| Field | Impact |
|
||||
|-------|--------|
|
||||
| `role` / `isAdmin` | Privilege escalation |
|
||||
| `permissions` | Authorization bypass |
|
||||
| `verified` / `email_verified` | Account verification bypass |
|
||||
| `balance` / `credits` | Financial manipulation |
|
||||
| `plan` / `subscription` | Service tier elevation |
|
||||
|
||||
## Testing Methodology
|
||||
|
||||
### Step 1: Observe Normal Request
|
||||
```bash
|
||||
curl -X PUT https://api.target.com/users/me \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-d '{"name": "Test User"}'
|
||||
```
|
||||
|
||||
### Step 2: Add Privilege Fields
|
||||
```bash
|
||||
curl -X PUT https://api.target.com/users/me \
|
||||
-H "Authorization: Bearer $TOKEN" \
|
||||
-d '{"name": "Test User", "role": "admin", "isAdmin": true}'
|
||||
```
|
||||
|
||||
### Step 3: Verify Changes
|
||||
```bash
|
||||
curl https://api.target.com/users/me -H "Authorization: Bearer $TOKEN"
|
||||
```
|
||||
|
||||
## Python Testing Script
|
||||
|
||||
```python
|
||||
import requests
|
||||
|
||||
base_payload = {"name": "Test"}
|
||||
privilege_fields = {
|
||||
"role": "admin",
|
||||
"isAdmin": True,
|
||||
"permissions": ["*"],
|
||||
}
|
||||
|
||||
for field, value in privilege_fields.items():
|
||||
payload = {**base_payload, field: value}
|
||||
resp = requests.put(url, json=payload, headers=headers)
|
||||
if resp.status_code == 200 and field in resp.text:
|
||||
print(f"VULNERABLE: {field} accepted")
|
||||
```
|
||||
|
||||
## Framework-Specific Vulnerabilities
|
||||
|
||||
### Ruby on Rails
|
||||
```ruby
|
||||
# Vulnerable
|
||||
User.new(params[:user])
|
||||
|
||||
# Fixed
|
||||
User.new(params.require(:user).permit(:name, :email))
|
||||
```
|
||||
|
||||
### Node.js/Express
|
||||
```javascript
|
||||
// Vulnerable
|
||||
User.findByIdAndUpdate(id, req.body)
|
||||
|
||||
// Fixed
|
||||
const { name, email } = req.body;
|
||||
User.findByIdAndUpdate(id, { name, email })
|
||||
```
|
||||
|
||||
### Django REST Framework
|
||||
```python
|
||||
# Vulnerable: all fields writable
|
||||
class UserSerializer(serializers.ModelSerializer):
|
||||
class Meta:
|
||||
model = User
|
||||
fields = '__all__'
|
||||
|
||||
# Fixed: explicit fields
|
||||
class UserSerializer(serializers.ModelSerializer):
|
||||
class Meta:
|
||||
model = User
|
||||
fields = ['name', 'email']
|
||||
read_only_fields = ['role', 'is_admin']
|
||||
```
|
||||
|
||||
## Remediation
|
||||
1. Use allowlists for acceptable fields (never blocklists)
|
||||
2. Implement read-only fields for sensitive properties
|
||||
3. Use separate DTOs for input and output
|
||||
4. Validate request schema against OpenAPI spec
|
||||
Reference in New Issue
Block a user