Web Application Security, 2nd Edition
by Andrew Hoffman
January 2024
Intermediate to advanced
444 pages
11h 10m
English
O'Reilly Media, Inc.
Content preview from Web Application Security, 2nd Edition

Chapter 15. Attacking Data and Objects

The majority of modern programming languages implement logical program design using two distinct capabilities: data, which is typically represented in the form of objects, and actions, which are most often represented in the form of functions. Even in programming languages that are not built around object-oriented programming (OOP), objects are still usually defined as first-class citizens.

The term first-class citizen is a programming language design concept used to refer to an entity within a programming language that can be assigned, reassigned, modified, passed as an argument to a function, and returned from a function. Almost all modern programming languages define objects (data) as first-class citizens, but not all modern languages define functions (actions) as first-class citizens. As such, it could be stated that most modern programming languages split the role of storing data and operating on data into two distinct language features.

This chapter is all about methods of exploiting data while it is being stored in the form of objects and being operated on via functions. These techniques work against a multitude of modern programming languages, and they abuse the powerful side effects of storing data as first-class citizens.

Mass Assignment

The first and most common method of attacking first-class objects is that of the mass assignment attack. While typically referred to using the modern standardized terms mass assignment attack or mass assignment ...

ISBN: 9781098143923