I immediately thought Mass Assignment Vulnerability!
The part that raised my alarm was:
There are no mentions in that article of the words ‘security’ or ‘mass assignment’ so I wonder how much awareness there is for this issue?
Anybody has cycles to test it out?
Is there any documentation for the OData ASP.NET Web API on this topic? I couldn't find any references in OData in WebAPI – RC release and OData support in ASP.NET Web API
Mass Assignment Vulnerability references:
- Mass assignment in Rails applications « blog.mhartl | Michael Hartl's tech blog and Finding and fixing mass assignment problems in Rails applications « blog.mhartl | Michael Hartl's tech blog
- #26 Hackers Love Mass Assignment – RailsCasts
- Ruby on Rails Guides: Ruby On Rails Security Guide
- 6 Ways To Avoid Mass Assignment in ASP.NET MVC
- On Rails mass-assignment, Github and the apocalypse :: Labs :: Headshift
- OWASP Heiko Webers Ruby on Rails Security (pdf)
- Newest 'mass-assignment' Questions - Stack Overflow
- "Two Security Vulnerabilities in the Spring Framework’s MVC" pdf (from 2008)
- Why ASP.NET MVC is 'insecure by design' , just like Spring MVC (and why SAST can help)
- Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)
- Solution for fixing Spring's JPetStore AutoBinding vulnerabilities
- Dinis Cruz Blog: Current O2 support for analyzing Spring MVC
- Finally ... here is how I have been analysing Spring MVC apps using O2
- Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
- Starting to use the O2 Spring MVC viewer on ThreadFix
- ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)