Broken Object Property Level Authorization
摘要
In March 2012, GitHub experienced a severe security breach that shook the developer community. A security researcher, Egor Homakov, discovered he could gain administrative access to any repository on GitHub, including the Ruby on Rails project itself. The vulnerability was deceptively simple yet devastating in its impact. GitHub's mass assignment vulnerability allowed attackers to modify any property of an object by simply adding extra parameters to API requests