
Mass Assignment Cheat Sheet

Introduction

Definition

Software frameworks sometimes let developers automatically bind HTTP request parameters to variables or objects in program code, to make the framework easier to use. This convenience can cause harm.

Attackers can sometimes abuse this mechanism by supplying parameters the developer never intended, which in turn create or overwrite variables or objects in program code that were never meant to be set from the request.

This is called a Mass Assignment vulnerability.

Alternative Names

Depending on the language/framework in question, this vulnerability can have several alternative names:

  • Mass Assignment: Ruby on Rails, NodeJS.
  • Autobinding: Spring MVC, ASP NET MVC.
  • Object injection: PHP.

Example

Suppose there is a form for editing a user's account information:

Here is the object that the form is binding to:

Here is the controller handling the request:

Here is the typical request:

And here is the exploit in which we set the value of the attribute isAdmin of the instance of the class User:

Exploitability

This functionality becomes exploitable when:

  • Attacker can guess common sensitive fields.
  • Attacker has access to source code and can review the models for sensitive fields.
  • AND the object with sensitive fields has an empty constructor.

GitHub case study

In 2012, GitHub was hacked using mass assignment. A user was able to upload his public key to any organization and thus make any subsequent changes in their repositories. GitHub's Blog Post.

Solutions

  • Allow-list the bindable, non-sensitive fields.
  • Block-list the non-bindable, sensitive fields.
  • Use Data Transfer Objects (DTOs).

General Solutions

An architectural approach is to create Data Transfer Objects and avoid binding input directly to domain objects. Only the fields that are meant to be editable by the user are included in the DTO.

Language & Framework specific solutions

Spring MVC

Allow-listing

Take a look here for the documentation.

Block-listing

NodeJS + Mongoose

Ruby On Rails

Django

ASP NET

PHP Laravel + Eloquent

Grails

Play

Jackson (JSON Object Mapper)

Take a look here and here for the documentation.

GSON (JSON Object Mapper)

Take a look here and here for the documentation.

JSON-Lib (JSON Object Mapper)

Flexjson (JSON Object Mapper)

References and future reading

  • Mass Assignment, Rails and You


Authors and Primary Editors

Abashkin Anton


Mass assignment

Be careful with parameters that are automatically bound from requests to objects.

Mass assignment: the basics

What are mass assignment vulnerabilities?

To make it easier to save data submitted via an HTML form into a database or object, many web application frameworks have included libraries to automatically bind HTTP request parameters (typically sent via forms) to the fields of database models or members of an object, requiring only minimal coding.

Let’s say we have a (very simple) HTML form:

When the form is submitted to the web application, it will send the form data as HTTP request parameters, and the backend code will have to read each parameter individually into a corresponding variable. Then, once all the fields have been read, the application will usually execute a database update or insert operation to save the data.

Mass Assignment makes it possible to write less code to handle this process - think about how much coding this technique could save if it was an object that had dozens of fields, and multiply this across a complex application that has many of these objects in its database.

Mass assignment vulnerabilities occur when the database model that is being assigned contains security-relevant fields, and the application user can supply values in the POST request that are saved to those fields, even though they are not present in the HTML form.

For example, if the User model contained a field isAdmin: Boolean, the user could add the POST body parameter isAdmin=true and make themselves an administrator.

For this to occur, an attacker would need to guess the names of the sensitive fields, or the source code for the vulnerable application would have to be available to the attacker (allowing them to see what sensitive fields are present in the data model).

Impacts of this attack can include bypassing authentication or authorization logic or elevation of privilege. This could then result in the destruction or disclosure of data within the application.

About this lesson

In this lesson, you will learn how mass assignment vulnerabilities work and how to protect your applications against them. We will begin by exploiting a Mass Assignment vulnerability in a simple application. Then we will analyze the vulnerable code and explore some options for remediation and prevention.

Mass assignment in the wild

In 2012, a GitHub user exploited a Mass Assignment vulnerability in GitHub’s public key update form. The flaw allowed the user to add their public key to another organization they were not a member of. The user added their key to the Ruby on Rails organization. To demonstrate proof of the exploit, the user added a file to the Rails project repository. GitHub responded, quickly fixing the vulnerability and they conducted a wide audit of their code to ensure the issue was detected and fixed if it existed anywhere else.

Mass assignment in action

New SaaS startup SuperCloudCRM recently launched their web platform designed to help businesses boost their sales and marketing efforts.

Setting the stage

SuperCloudCRM recently launched its web platform. Unfortunately, they suffered a security breach, resulting in data being leaked. What went wrong?

Mass assignment details

As mentioned, SuperCloudCRM’s developers had been logging request data for API endpoints like the POST /user/create endpoint, which creates new user accounts when a user submits the signup form.

A typical JSON payload in the request sent to the /user/create endpoint was supposed to look like this:

But a search of the /user/create endpoint’s logs for the [email protected] account around the time the user was created, found JSON POST data starting with the following excerpt:

It was different from the normal requests and had a long request body with dozens more fields, all starting with the letter r. What was the attacker doing? None of these odd field names were part of the User model schema, which was:

After doing some testing like the scenario above showed, a few things were discovered.

First, the new user account’s password was apparently being saved to the database in plaintext. Not good! But what stuck out was that the application ignored the non-existent fields and just assigned the fields that were actually part of the User model schema.

The data from the new User document was sent back to the API client and the attacker could then infer which of the list of fields starting with r were part of the User model schema, because if a field existed it was saved and echoed back in the response with the other user data.

A search of the /user/create endpoint’s request log entries around the same time revealed that thousands of similar requests had been sent. Each request testing lists of possible field names in the User model schema.

It was concluded that the attackers had brute-forced HTTP requests with various field name guesses to enumerate the organization and role fields in the schema. Despite them not being referred to anywhere in the client-side JavaScript code, the attackers were able to discover these security-related field names.

So, if the attackers knew these field names, what would they do then? Well, this could have led to a possible mass assignment attack. After hours of reviewing logs for the POST /user/create and POST /user/update endpoints the incident response team found dozens of requests had been submitted to the application, which looked similar to:

The requests appeared to be successful. Each of the requests changed the organization to a different customer, essentially giving the attackers access to each of them as admins. The last request was:

This seemed to explain why [email protected] was an administrator in the Cowmoo Industries organization.

By exploiting this mass assignment vulnerability and adding themselves as the administrator for various customers, the attackers were able to access the organizations’ data within SuperCloudCRM and steal it.
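Detection logic for the enumeration and tampering pattern in the story above, as an added JavaScript example that is not part of the lesson: it scans constructed request-log lines for the /user/create and /user/update endpoints, flags bodies carrying the sensitive role and organization keys, and reports clients that sent repeated requests with keys outside the expected signup fields. The log format, IP addresses and probe threshold are assumptions made for this example.

```javascript
// Added example (not the lesson's code): scanning request logs of the
// /user/create and /user/update endpoints for field-name enumeration and
// for bodies that carry sensitive fields. The log format (one JSON record
// per line with ts, ip, path, body) is constructed for this example, and
// passwords are shown redacted.

// Keys each endpoint legitimately receives from the browser, per the lesson.
const EXPECTED_FIELDS = {
  '/user/create': new Set(['username', 'password', 'email']),
  '/user/update': new Set(['username', 'password', 'email']),
};
// Schema fields that decide authorization and must never come from a client.
const SENSITIVE_FIELDS = new Set(['role', 'organization']);

// Constructed sample log: one normal signup, three probing requests from one
// client (field guesses starting with "r", as in the story), one update that
// sets the sensitive fields, and one line the parser must survive.
const SAMPLE_LOG = [
  '{"ts":"2024-01-01T10:00:00Z","ip":"203.0.113.5","path":"/user/create","body":{"username":"alice","password":"[redacted]","email":"alice@example.com"}}',
  '{"ts":"2024-01-01T10:01:00Z","ip":"198.51.100.7","path":"/user/create","body":{"username":"u1","password":"[redacted]","email":"u1@example.com","rank":"x","rating":"x","ref":"x"}}',
  '{"ts":"2024-01-01T10:01:01Z","ip":"198.51.100.7","path":"/user/create","body":{"username":"u2","password":"[redacted]","email":"u2@example.com","region":"x","remote":"x","role":"x"}}',
  '{"ts":"2024-01-01T10:01:02Z","ip":"198.51.100.7","path":"/user/create","body":{"username":"u3","password":"[redacted]","email":"u3@example.com","rights":"x","roles":"x","root":"x"}}',
  '{"ts":"2024-01-01T10:05:00Z","ip":"198.51.100.7","path":"/user/update","body":{"username":"u3","role":"admin","organization":"Cowmoo Industries"}}',
  'garbage line that is not JSON',
];

// Parse one line; return null for anything that is not a usable record.
function parseLogLine(line) {
  try {
    const rec = JSON.parse(line);
    if (typeof rec.path !== 'string' || typeof rec.body !== 'object' || rec.body === null) return null;
    return rec;
  } catch (err) {
    return null;
  }
}

// For one record, list the body keys the endpoint does not expect and the
// keys that are sensitive. Records for unknown paths are not classified.
function classifyRequest(rec) {
  const expected = EXPECTED_FIELDS[rec.path];
  if (!expected) return null;
  const keys = Object.keys(rec.body);
  return {
    unexpected: keys.filter((k) => !expected.has(k)),
    sensitive: keys.filter((k) => SENSITIVE_FIELDS.has(k)),
  };
}

// Walk the log. Every request with a sensitive key is reported on its own;
// clients that sent at least probeThreshold requests with unexpected keys are
// reported as probable field-name enumeration.
function analyzeLog(lines, probeThreshold = 3) {
  const findings = { tampering: [], probes: [], unparsable: 0 };
  const perClient = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (rec === null) { findings.unparsable += 1; continue; }
    const c = classifyRequest(rec);
    if (c === null) continue;
    if (c.sensitive.length > 0) {
      findings.tampering.push({ ts: rec.ts, ip: rec.ip, path: rec.path, fields: c.sensitive });
    }
    if (c.unexpected.length > 0) {
      const stats = perClient.get(rec.ip) || { requests: 0, fields: new Set() };
      stats.requests += 1;
      for (const k of c.unexpected) stats.fields.add(k);
      perClient.set(rec.ip, stats);
    }
  }
  for (const [ip, stats] of perClient) {
    if (stats.requests >= probeThreshold) {
      findings.probes.push({ ip, requests: stats.requests, distinctFields: stats.fields.size });
    }
  }
  return findings;
}

console.log(JSON.stringify(analyzeLog(SAMPLE_LOG), null, 2));
```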

Mass assignment by different names

The concept of mass assignment is known by different names in various programming languages or frameworks. NodeJS and Ruby on Rails call it mass assignment. It is referred to as autobinding in Java Spring MVC and ASP NET MVC. PHP calls it object injection.

Mass assignment under the hood

Let’s have a look at this vulnerable application in more detail by going through the server-side code.

The schema for the User model is defined here, with the user’s credentials, email address, plus their role and organization they belong to. During signup, the credentials and email address are the only values that are supposed to be supplied by the user and accepted by the application.

Firstly, let's recap what took place in the example above.

  • The User schema consisted of several fields: username, password, email, role and organization.
  • Only the username, password and email fields were sent from the web browser to the /user/create endpoint.
  • The API endpoint used mass assignment to blindly assign any field from the POST request’s JSON data to the User model in the database (if the field existed in the User schema).
  • The attackers were able to determine the names of security-related fields in the schema (role and organization).
  • The attackers could supply arbitrary values for these fields when creating or updating a user account.
  • This let the attackers add themselves to other organizations and elevate their privileges to those of an administrator.

Here ( $user = new User($request->post()); ), the endpoint creates a new User object and, in doing so, passes all contents of the POST request to the constructor. PHP can “smartly” figure out which parameters go to which attributes of the class; however, this isn’t so smart when those attributes are things that shouldn’t be assignable! Even if the form only accepts inputs with username, password and email, a malicious actor can guess the other fields and simply add them to the JSON manually. As PHP has no way of discerning “good” input from “bad”, it simply updates them all. If only there were a way to tell PHP exactly which fields we don’t want to be assignable like that!

Impacts of mass assignment

By exploiting mass assignment vulnerabilities, a malicious actor could create multiple security problems, including:

  • Data tampering: Attackers can modify sensitive information in the database, such as a password or account balance.
  • Data theft: Attackers can gain access to confidential information stored in the database.
  • Elevation of privilege: Attackers can manipulate the properties of an object to gain additional privileges, such as administrator access.
  • Unauthorized access: Attackers can manipulate the properties of an object to gain unauthorized access to sensitive resources.


Mass assignment mitigation

Use an allowlist of fields that can be assigned to.

Most mass assignment libraries or helper libraries provide a way to restrict the fields that will be read from a request and assigned to the data model. By restricting assignment of user-supplied fields to only those schema fields known to be safe, the values of security-sensitive fields are protected from tampering.

Using this strategy, the code for the application would be changed to add an allowlist using the pick() method of the underscore package and listing the allowed fields in the userCreateSafeFields array:

Laravel provides a library, eloquent , which, among other things, introduces object injection protection features! It gives you the ability to indicate variables that can be assigned, or otherwise, you can indicate variables that you don’t want assignable. This means that when you use mass assignment to populate a class with request data, the Laravel backend can (with your guiding hand) separate POST request input data from fields that should be populated and those that should not!

Using this strategy, the code for the application can be changed to add an allow-list of class attributes, enforcing that only these will be updated:

Use a Data Transfer Object (DTO)

Another option is to create an intermediary object (the DTO) that has only the safe, assignable properties; it is a subset of the target object, which has those same fields plus the sensitive ones. Using our User example, the DTO would be:

The mass assignment operation can assign any user-supplied data to the DTO without the risk of inadvertently assigning any sensitive fields. The DTO can be copied to the final object, and during this process, any sensitive fields can be set to secure default values.

This method might require much more coding though. DTOs need to be created for all classes with sensitive fields. If there are many schemas with sensitive fields that require corresponding DTOs, then this becomes nearly as much work as not using mass assignment.
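The DTO approach, both as the OWASP cheat sheet's general solution and as described in the paragraphs above, as an added JavaScript example (not code from either page): a UserCreateDto that knows only the self-service fields, validation on that DTO, and a copy step into the full User record where role and organization come from a server-side signupContext (an assumed parameter) rather than from the request.

```javascript
// Added example (not code from the OWASP cheat sheet or the Snyk lesson):
// bind the request body into a DTO first, then copy into the domain object.

// The DTO knows only the fields a signup form may set. Its constructor reads
// exactly these names, so any other key in the body (role, organization,
// isAdmin, ...) is never looked at, whatever the client sends.
class UserCreateDto {
  constructor(body) {
    this.username = body.username;
    this.password = body.password;
    this.email = body.email;
  }
}

// Domain object, including the sensitive fields the DTO deliberately lacks.
class User {
  constructor({ username, password, email, role, organization }) {
    this.username = username;
    this.password = password; // hashing is out of scope for this example
    this.email = email;
    this.role = role;
    this.organization = organization;
  }
}

// Validation lives on the DTO, where the field set is small and known.
// The limits are constructed for the example, not the lesson's policy.
function validateUserCreateDto(dto) {
  const errors = [];
  if (typeof dto.username !== 'string' || dto.username.length < 3) errors.push('username');
  if (typeof dto.password !== 'string' || dto.password.length < 12) errors.push('password');
  if (typeof dto.email !== 'string' || !dto.email.includes('@')) errors.push('email');
  return errors;
}

// Copying the DTO into the domain object is where sensitive fields get their
// values: from server-side decisions (here: every self-registered account is
// a plain 'user' of the organization whose signup page was used), never from
// the request. signupContext is an assumed parameter filled in by the server.
function createUserFromDto(dto, signupContext) {
  return new User({
    username: dto.username,
    password: dto.password,
    email: dto.email,
    role: 'user',
    organization: signupContext.organization,
  });
}

// Handler-shaped entry point: raw body in, status plus User (or errors) out.
function handleUserCreate(body, signupContext) {
  const dto = new UserCreateDto(body);
  const errors = validateUserCreateDto(dto);
  if (errors.length > 0) return { status: 400, errors };
  return { status: 201, user: createUserFromDto(dto, signupContext) };
}

// Constructed request body carrying the two extra keys from the story.
const tamperedSignup = {
  username: 'mallory',
  password: 'correct horse battery staple',
  email: 'mallory@example.com',
  role: 'admin',
  organization: 'Cowmoo Industries',
};

console.log(handleUserCreate(tamperedSignup, { organization: 'Acme Ltd' }));
```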

Use a denylist to declare fields that can’t be assigned to

The opposite of using an allowlist to define fields that are allowed to be assigned is to use a denylist of fields that shouldn’t be assigned. Security wisdom says to use allowlisting over denylisting because it’s safer to accidentally not include a safe field than to accidentally omit a dangerous field. So, following this advice, a denylist would be the less preferred option of the two. If there are 50 fields in a schema and only one is security-sensitive, then it is obviously much quicker to just denylist the one sensitive field. The danger here though would be if additional sensitive fields were added to the schema later and the developer forgot to add them to the denylist, then you would have a mass assignment vulnerability.

To use denylists, the code for the application would be changed in a similar manner to the allow-list strategy shown earlier, except it would use the omit() method of the underscore package and list the disallowed fields in the userCreateDisallowedFields array:

To use deny-lists, the code for the application would be changed in a similar manner to the code shown in the allow-list strategy shown earlier, the only difference being the User class is changed to have a “hidden” array:
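The allowlist and denylist strategies from the sections above (and the OWASP solutions list), as an added JavaScript example that is not the lesson's code: pick() and omit() are written out so no underscore dependency is needed, the User schema and field lists follow the story, and the final comparison shows a constructed isSuperUser flag slipping through the denylist after the schema grows, while the allowlist needs no change.

```javascript
// Added example (not the lesson's own code): allowlist vs denylist binding
// for the User schema in the story above. pick() and omit() are written
// out in plain JavaScript so the file runs without the underscore package.

// Fields of the User schema as described in the lesson, and server-side
// defaults for the two fields the client must never control.
const USER_SCHEMA_FIELDS = ['username', 'password', 'email', 'role', 'organization'];
const SENSITIVE_DEFAULTS = { role: 'user', organization: null };

// Allowlist: what a self-service signup may set (the lesson's userCreateSafeFields).
const userCreateSafeFields = ['username', 'password', 'email'];

// Denylist: what was known to be dangerous when the list was written
// (the lesson's userCreateDisallowedFields).
const userCreateDisallowedFields = ['role', 'organization'];

// Equivalent of _.pick(obj, keys): keep only the listed own properties.
function pick(obj, keys) {
  const out = {};
  for (const k of keys) {
    if (Object.prototype.hasOwnProperty.call(obj, k)) out[k] = obj[k];
  }
  return out;
}

// Equivalent of _.omit(obj, keys): drop the listed properties, keep the rest.
function omit(obj, keys) {
  const out = {};
  for (const k of Object.keys(obj)) {
    if (!keys.includes(k)) out[k] = obj[k];
  }
  return out;
}

// Mass assignment as the lesson's /user/create endpoint did it: every key of
// the input that exists in the schema is written to the model; keys outside
// the schema are ignored (which is what let the attacker enumerate them).
function assignToModel(input, schemaFields) {
  const model = { ...SENSITIVE_DEFAULTS };
  for (const k of Object.keys(input)) {
    if (schemaFields.includes(k)) model[k] = input[k];
  }
  return model;
}

// Vulnerable: the request body goes straight into the model.
function createUserVulnerable(body, schemaFields = USER_SCHEMA_FIELDS) {
  return assignToModel(body, schemaFields);
}

// Allowlist strategy: only the safe fields are ever read from the body.
function createUserAllowlist(body, schemaFields = USER_SCHEMA_FIELDS) {
  return assignToModel(pick(body, userCreateSafeFields), schemaFields);
}

// Denylist strategy: strip the fields we know about, assign everything else.
function createUserDenylist(body, schemaFields = USER_SCHEMA_FIELDS) {
  return assignToModel(omit(body, userCreateDisallowedFields), schemaFields);
}

// Constructed test body: the three form fields plus the two extra keys the
// lesson's attacker supplied.
const tamperedBody = {
  username: 'mallory',
  password: 'correct horse battery staple',
  email: 'mallory@example.com',
  role: 'admin',
  organization: 'Cowmoo Industries',
};

// Schema drift: a later release adds another sensitive flag to the schema,
// but nobody extends userCreateDisallowedFields. The allowlist needs no
// change; the denylist silently lets the new field through.
const EXTENDED_SCHEMA_FIELDS = [...USER_SCHEMA_FIELDS, 'isSuperUser'];
const tamperedBodyAfterDrift = { ...tamperedBody, isSuperUser: true };

function compareStrategies(body, schemaFields) {
  return {
    vulnerable: createUserVulnerable(body, schemaFields),
    allowlist: createUserAllowlist(body, schemaFields),
    denylist: createUserDenylist(body, schemaFields),
  };
}

console.log(compareStrategies(tamperedBody, USER_SCHEMA_FIELDS));
console.log(compareStrategies(tamperedBodyAfterDrift, EXTENDED_SCHEMA_FIELDS));
```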

Utilize a static analysis tool

Adding a static application security testing ( SAST ) tool to your devops pipeline as an additional line of defense is an excellent way to catch vulnerabilities before they make it to production. There are many, but Snyk Code is our personal favorite, as it scans in real-time, provides actionable remediation advice, and is available from your favorite IDE.

Keep learning

To learn more about mass assignment vulnerabilities, check out some other great content:

  • OWASP guide to mass assignment vulnerabilities
  • Find mass assignment in our top 10 list

Congratulations

You have taken your first step into learning what mass assignment is, how it works, what the impacts are, and how to protect your own applications. We hope that you will apply this knowledge to make your applications safer.


What is mass assignment?

Mass assignment is a type of security vulnerability that occurs when an application code allows user-provided data to be used to set properties on an object without verifying that the user has the right to do so.


Mass Assignment Vulnerability: Understanding & Mitigating the Risks in API

Mass assignment vulnerability is a critical security concern that often goes unnoticed in API development. Understanding the risks associated with this vulnerability is crucial for protecting sensitive user data. In this article, we will delve into the details of mass assignment vulnerabilities and explore effective mitigation strategies.

Introduction:

The "Mass Assignment" vulnerability is a security flaw that occurs when an application assigns user input directly to model attributes without proper validation or sanitization. This can lead to unauthorized access and modification of sensitive data, potentially compromising the security of the application and its users.

Addressing the "Mass Assignment" vulnerability is crucial for developers as it can have serious consequences, including data breaches, unauthorized access, and legal implications. Understanding and mitigating this vulnerability is essential to ensure the integrity and security of an application.

Understanding the "Mass Assignment" Vulnerability:

The "Mass Assignment" vulnerability occurs when an attacker is able to manipulate the values of model attributes by submitting unexpected or malicious data. This can happen when developers use frameworks or libraries that automatically map user input to object properties without proper validation or filtering.

Common scenarios where developers may unintentionally introduce the "Mass Assignment" vulnerability include:

  • Using frameworks or libraries that provide automatic mapping of user input to object properties without considering the security implications.
  • Allowing users to submit data that directly maps to sensitive attributes without proper validation.
  • Failing to implement proper input validation and sanitization techniques.

The impact of the "Mass Assignment" vulnerability can be severe. Attackers can exploit this vulnerability to gain unauthorized access to sensitive data, modify user privileges, or even execute arbitrary code on the server. This can lead to data breaches, compromised user accounts, and potential legal issues.

Common Examples of "Mass Assignment":

There are several common examples of the "Mass Assignment" vulnerability. Let's explore a few of them:

User Profile Update: Suppose an application allows users to update their profile information, including their email address and password. If the application blindly maps user input to the corresponding model attributes without proper validation, an attacker can manipulate the request to update other sensitive fields such as admin privileges.

Role-Based Access Control: In applications with role-based access control, developers often use a single parameter to assign roles to users. If this parameter is not properly validated, an attacker can modify it to gain unauthorized access to sensitive functionality or elevate their privileges.

API Endpoints: APIs that accept JSON or XML payloads are also susceptible to the "Mass Assignment" vulnerability. If the API endpoint maps the incoming request directly to model attributes without proper validation, an attacker can manipulate the payload to modify sensitive data or gain unauthorized access.

These examples highlight the importance of implementing proper validation and sanitization techniques to mitigate the risks associated with the "Mass Assignment" vulnerability.

Risks and Consequences:

The "Mass Assignment" vulnerability poses significant risks and consequences for both developers and users. Some of the potential risks and consequences include:

Data Breaches: Exploiting the "Mass Assignment" vulnerability can lead to unauthorized access to sensitive data, including personal information, financial records, and confidential business data. This can result in serious privacy breaches and financial losses.

Unauthorized Access and Privilege Escalation: Attackers can manipulate the values of model attributes to gain unauthorized access to restricted functionality or elevate their privileges within the application. This can lead to unauthorized actions, such as modifying critical settings, accessing sensitive data, or impersonating other users.

Reputation Damage: Security breaches resulting from the "Mass Assignment" vulnerability can severely damage the reputation of the application and its developers. Users lose trust in the application's ability to protect their data, leading to a loss of user base and potential legal consequences.

Legal Implications: Depending on the nature of the application and the data involved, security breaches resulting from the "Mass Assignment" vulnerability can have legal implications. Developers may face legal actions, regulatory fines, and potential lawsuits for failing to protect user data adequately.

Real-world examples of security breaches resulting from the "Mass Assignment" vulnerability include the 2012 GitHub incident, where an attacker exploited the vulnerability to gain administrative access to repositories. This incident highlighted the severity and impact of this vulnerability.

Best Practices for Mitigating the "Mass Assignment" Vulnerability:

To mitigate the risks associated with the "Mass Assignment" vulnerability, developers should follow these best practices:

Whitelist Input Validation: Developers should implement strong input validation techniques to ensure that only expected and valid data is accepted. This includes whitelisting allowed attributes and rejecting any unexpected or malicious input.

Use Role-Based Access Control (RBAC): Implement RBAC to control user privileges and access to sensitive functionality. Do not rely solely on user input to determine roles and permissions.

Implement Attribute-Level Access Controls: Instead of blindly mapping all user input to corresponding attributes, developers should implement attribute-level access controls. This ensures that only authorized users can modify specific attributes.

Sanitize and Filter User Input: Before assigning user input to model attributes, developers should sanitize and filter the data to remove any potential malicious content. This includes validating data types, length restrictions, and ensuring data integrity.

Implement Secure Coding Practices: Follow secure coding practices, such as avoiding dynamic attribute assignment, using strong encryption for sensitive data, and regularly updating frameworks and libraries to their latest secure versions.

Regular Security Testing and Auditing: Conduct regular security testing and auditing of the application to identify and mitigate any vulnerabilities, including the "Mass Assignment" vulnerability. This includes penetration testing, code review, and vulnerability scanning.

Tools and Resources:

To aid developers in addressing the "Mass Assignment" vulnerability, the following tools, libraries, and resources can be helpful:

OWASP Cheat Sheet - Mass Assignment: The OWASP Cheat Sheet provides guidelines and recommendations for securing web applications against the "Mass Assignment" vulnerability. It offers practical advice and code snippets for developers to implement secure coding practices.

Security-Focused Libraries and Frameworks: Many programming languages and frameworks provide security-focused libraries and modules that can help mitigate the "Mass Assignment" vulnerability. Examples include Django's ModelForm, Laravel's Mass Assignment Protection, and Ruby on Rails' Strong Parameters.

Platform-Specific Security Guidelines: Developers should refer to platform-specific security guidelines and resources provided by the framework or platform they are using. These guidelines often include best practices and recommendations for securing applications against common vulnerabilities, including "Mass Assignment."

Code Review and Testing Tools: Developers should leverage code review and testing tools to identify and mitigate the "Mass Assignment" vulnerability. Tools like SonarQube, OWASP ZAP, and Burp Suite can help identify security flaws in the code and test the application for vulnerabilities.

The Role of Security Testing and Auditing:

Regular security testing and auditing play a crucial role in identifying and mitigating the "Mass Assignment" vulnerability. Various testing techniques can be employed, including:

Penetration Testing: Conducting penetration tests can help identify vulnerabilities and potential attack vectors, including the "Mass Assignment" vulnerability. Ethical hackers simulate real-world attacks to identify security weaknesses and provide recommendations for improvement.

Code Review: Manual code review or automated tools can help identify insecure coding practices, including instances of the "Mass Assignment" vulnerability. Developers should review their code regularly and ensure it follows best practices for secure coding.

Vulnerability Scanning: Automated vulnerability scanning tools can scan the application for known vulnerabilities, including the "Mass Assignment" vulnerability. These tools can help identify potential weaknesses and provide guidance on how to address them.

By employing these testing techniques, developers can proactively identify and mitigate the "Mass Assignment" vulnerability, ensuring the security and integrity of their applications.

Conclusion:

Addressing the "Mass Assignment" vulnerability is crucial for developers to protect the integrity and security of their applications. By understanding the definition, risks, and consequences of the vulnerability, developers can take proactive measures to mitigate its impact.

Implementing best practices, such as whitelisting input validation, utilizing role-based access control, and regular security testing and auditing, can significantly reduce the risks associated with the "Mass Assignment" vulnerability.

Mass Assignment & APIs - Exploitation in the Wild

The APIs (Application Programmable Interfaces) are widely used to power applications, and one of the popular choices for implementing API is  REST APIs . With this increase in popularity and usage, many security risks also come into the picture. 

APIs have their own  OWASP API Top 10  list, which describes the vulnerabilities commonly found in the APIs, including Mass Assignment. 

This blog will dive deeply into understanding and exploiting mass assignment vulnerabilities. 

Mass Assignment - A 20ft Overview: 

Modern frameworks allow developers a convenient mass assignment functionality that lets developers directly take a “user-supplied Key-Value Pair” input to the object database. This reduces the requirement of writing code for such custom Key-Value pairs and increases the development efficiency but at the cost of security risks if not implemented correctly. 

A mass assignment without a whitelist of allowed “Key-Value Pairs” could allow an attacker to use arbitrary values to create or update the resources abusing the applications’ regular workflow. Privilege escalation is one of the most common vulnerabilities arising from Mass Assignment vulnerability. 

According to OWASP, depending on the language/framework in question, this vulnerability can have several alternative names:

  • Mass Assignment: Ruby on Rails, NodeJS.
  • Autobinding: Spring MVC, ASP.NET MVC.
  • Object injection: PHP.

For example, consider an API that allows users to update their profile information. The API may accept a JSON payload that contains multiple fields such as name, email, and address. Without proper validation, an attacker can add additional fields such as "isAdmin":true or "isSuperUser":true and gain elevated privileges as an admin or superuser.

Let's understand this attack further with the help of the vulnerable code snippet below:

```javascript
const express = require('express');
const app = express();
app.use(express.json()); // parse JSON request bodies

app.post('/users', (req, res) => {
  // Every field, including isAdmin, is copied straight from the request body
  const newUser = {
    username: req.body.username,
    password: req.body.password,
    isAdmin: req.body.isAdmin
  };
  // Save new user to database
  res.status(201).json({ username: newUser.username, isAdmin: newUser.isAdmin });
});

app.listen(3000, () => {
  console.log('Server started on port 3000');
});
```

In the above code, the "newUser" object is created from the request body without validation or filtering. An attacker can craft a request with an additional field "isAdmin": true and send it to the server to escalate privileges.

To exploit this issue remotely, an attacker sends a POST request with an additional "isAdmin" field set to true to register as an administrator. In this case, isAdmin is an optional body parameter.

```http
POST /users HTTP/1.1
Host: example.com
Content-Type: application/json

{
  "username": "attacker",
  "password": "password",
  "isAdmin": true
}
```

To mitigate this issue, adding a check so that only a user with an admin session can set this parameter fixes the underlying vulnerability, as shown in the code below:

```javascript
const express = require('express');
const app = express();
const port = 3000;
app.use(express.json()); // parse JSON request bodies

app.post('/users', (req, res) => {
  // Only copy the fields an ordinary user is allowed to set
  const newUser = {
    username: req.body.username,
    password: req.body.password
  };
  // req.user is assumed to be populated by an authentication middleware earlier in the chain
  if (req.user && req.user.isAdmin && req.body.isAdmin) {
    // Only admins can set the isAdmin field
    newUser.isAdmin = req.body.isAdmin;
  }
  // Save new user to database
  res.status(201).json({ username: newUser.username, isAdmin: newUser.isAdmin === true });
});

app.listen(port, () => {
  console.log(`Server started on port ${port}`);
});
```

Hunting for Mass Assignment Attack in the Wild - A Practical Approach

Mass assignment is not only found in user profile endpoints used for privilege escalation. It can exist on any API endpoint that binds a parameter of interest to an attacker, and can cause significant damage to the application and its users.

Note: Always read the API documentation to understand and identify interesting parameters/key-value pairs that could cause significant impact.

Let's understand how to approach a mass assignment attack in a black-box/grey-box assessment with the help of the "crAPI" demo lab.

  • Set up the crAPI demo lab locally.
  • Navigate to the shop at http://127.0.0.1:8888/shop.
  • Note that the Available Balance is $100 by default. Buy any item while capturing the request in Burp Suite or another proxy tool.
  • Send the request to Repeater for later use.
  • Observe that after purchasing the item, the Available Balance has changed.
  • In the Repeater tab, modify the request by changing the request method to GET and appending the "/all" route to retrieve the information of all orders.
  • Observe that the application has returned the details of all past orders.
  • Modify the request again, replacing "all" with any order ID.
  • Send the request and observe the allowed methods and the order status in the response.
  • Modify the request by changing the request method to PUT and adding the status "return".
  • Send the request and observe the error message in the response.
  • Send the request again with the status set to "returned" and observe that the order status has changed to returned.
  • Navigate back to the shop and observe that the credit has been transferred to the account.

In the above lab scenario, an attacker could mark a delivered item as returned and receive the cashback, financially abusing the application through a mass assignment attack.

Now that you know the damage this attack can do to an organization, both to user integrity and financially, it is essential to understand how to implement a fix to prevent such attacks.

Fixing Mass Assignment - Remediation Approach 

Some common ways to fix mass assignment issues include:

  • Disable automatic property mapping: ensure that your applications have automatic mapping disabled and always map properties manually, from an explicit allowlist of fields.
  • Read-only key-value pairs: fields that must not be set from the request body (for example privilege flags or server-managed values) should be read-only, and a user should not be allowed to tamper with them.

You can find a detailed remediation guide in the OWASP Mass Assignment Cheat Sheet linked below.

References and Further Reading

https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html

https://www.impart.security/post/mass-assignment-101

https://crashtest-security.com/api-mass-assignment/

https://www.wallarm.com/what/mass-assignment

About Harsh Bothra


Lab: Exploiting a mass assignment vulnerability

PRACTITIONER

To solve the lab, find and exploit a mass assignment vulnerability to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter.

Required knowledge

To solve this lab, you'll need to know:

  • What mass assignment is.
  • Why mass assignment may result in hidden parameters.
  • How to identify hidden parameters.
  • How to exploit mass assignment vulnerabilities.

These points are covered in our API Testing Academy topic.


In Burp's browser, log in to the application using the credentials wiener:peter.

Click on the Lightweight "l33t" Leather Jacket product and add it to your basket.

Go to your basket and click Place order. Notice that you don't have enough credit for the purchase.

In Proxy > HTTP history, notice both the GET and POST API requests for /api/checkout.

Notice that the response to the GET request contains the same JSON structure as the POST request. Observe that the JSON structure in the GET response includes a chosen_discount parameter, which is not present in the POST request.

Right-click the POST /api/checkout request and select Send to Repeater.

In Repeater, add the chosen_discount parameter to the request. The JSON should look like the following:

```json
{
  "chosen_discount": { "percentage": 0 },
  "chosen_products": [ { "product_id": "1", "quantity": 1 } ]
}
```

Send the request. Notice that adding the chosen_discount parameter doesn't cause an error.

Change the chosen_discount value to the string "x", then send the request. Observe that this results in an error message, as the parameter value isn't a number. This indicates that the user input is being processed.

Change the chosen_discount percentage to 100, then send the request to solve the lab.


Automated Black-Box Testing of Mass Assignment Vulnerabilities in RESTful APIs


Mass Assignment (MA)


Mass assignment leading to modification of account

The endpoint appears to be vulnerable to a Mass Assignment attack. The original request was replayed with the account value in the request body changed. The application responded with a 2XX success code.

Mass assignment granting low privilege user admin role access

The endpoint appears to be vulnerable to a Mass Assignment attack. The original request was replayed with the admin parameter in the request body modified. The application responded with a 2XX success code.

Mass assignment leading to modification of role

The endpoint appears to be vulnerable to a Mass Assignment attack. The original request was replayed with the role parameter in the request body modified. The application responded with a 2XX success code.

Mass assignment leading to creation of admin role

The endpoint appears to be vulnerable to a Mass Assignment attack. The original request was replayed with a role carrying admin permissions added to the request body. The application responded with a 2XX success code.


API Mass Assignment

Mass assignment vulnerabilities occur when a user is able to initialize or overwrite server-side variables that the application never intended to expose. By manually crafting a request to include additional parameters, a malicious user may adversely affect application functionality.

Common root causes of mass assignment vulnerabilities may include the following:

Framework-level “autobinding” features. Spring and .NET MVC are two of many frameworks that allow HTTP parameters to be directly mapped to model objects. While this feature is useful to easily set server-side values, it does not prevent arbitrary parameters from being injected.

  • https://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html

Parsing a request body as an object. Although copying an object is easier than selecting numerous individual values within that object, this practice should be avoided. When using data formats such as JSON, developers should only extract values that are intended to be modified by users.

Below is a common example of this vulnerability in a user registration endpoint:

```http
POST /api/register HTTP/1.1
[..]

{"email":"[email protected]"}
```

```http
HTTP/1.1 200 OK
[..]

{"userid":"112345","email":"[email protected]","email_verified":false}
```

A malicious user may want to bypass email verification for a number of reasons. To attack this endpoint, a value is inserted into the request body:

```http
POST /api/register HTTP/1.1
[..]

{"email":"[email protected]","email_verified":true}
```

```http
HTTP/1.1 200 OK
[..]

{"userid":"112346","email":"[email protected]","email_verified":true}
```

Developers should also ensure that values do not include nested objects or arrays, which may undermine application logic. Below is another style of attack leveraging JSON arrays:

```http
POST /api/register HTTP/1.1
[..]

{"email":["[email protected]","[email protected]"]}
```

```http
HTTP/1.1 200 OK
[..]

{"userid":"112347","email":["[email protected]","[email protected]"],"email_verified":false}
```

In the above example an array is provided where a single string value was expected. This would likely have significant security implications for account access and associations.
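As an added example that is not part of the Cobalt post or the knowledge-base article above, here is one way to implement the advice from both: the role-gated isAdmin handling from the Express fix earlier on this page, and the "only extract the values users are meant to modify, and reject arrays or nested objects" guidance from this section. The field names follow the articles; the schema format, bindFromBody() and the sample payloads are constructed for this example.

```javascript
// Added example (not from the articles above): a schema-driven binder that
// replaces "copy the request body into the model" with an explicit allowlist,
// typed fields, read-only server-managed fields, and privileged fields that
// only an admin actor may set. Schema format and function names are this
// example's own; the field names come from the articles.

const USER_SCHEMA = {
  username:       { type: 'string' },
  password:       { type: 'string' },
  email:          { type: 'string' },
  // privileged: accepted only when the acting user is an admin
  isAdmin:        { type: 'boolean', privileged: true },
  // readOnly: server-managed, never accepted from a request body
  email_verified: { type: 'boolean', readOnly: true },
  userid:         { type: 'string',  readOnly: true },
};

// Bind a parsed JSON body against a schema. Returns { ok: true, value } holding
// only the permitted fields, or { ok: false, errors } naming every rejected key.
// Rejecting (rather than silently dropping) unexpected keys fails closed and
// gives the server a log line each time someone probes for hidden parameters.
function bindFromBody(body, schema, actor = { isAdmin: false }) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['request body must be a JSON object'] };
  }
  const errors = [];
  const value = {};

  for (const key of Object.keys(body)) {
    const rule = schema[key];
    const v = body[key];

    if (!rule) {                                  // not in the allowlist
      errors.push(`unexpected field: ${key}`);
    } else if (rule.readOnly) {                   // e.g. email_verified, userid
      errors.push(`read-only field: ${key}`);
    } else if (rule.privileged && !actor.isAdmin) {
      errors.push(`insufficient privilege to set: ${key}`);
    } else if (typeof v !== rule.type) {
      // typeof [] and typeof {} are both 'object', so an array or nested
      // object supplied where a string is expected is rejected here.
      errors.push(`field ${key} must be a ${rule.type}`);
    } else {
      value[key] = v;
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Constructed sample requests mirroring the payloads discussed in the articles.
const SAMPLES = {
  // self-registration that smuggles in isAdmin (the Express example)
  attacker: { body: { username: 'attacker', password: 'password', isAdmin: true } },
  // the same field set by an authenticated admin is legitimate
  admin:    { body: { username: 'ops', password: 'hunter2', isAdmin: true }, actor: { isAdmin: true } },
  // email-verification bypass (first registration example above)
  verify:   { body: { email: 'a@example.com', email_verified: true } },
  // array where a single string was expected (second example above)
  array:    { body: { email: ['a@example.com', 'b@example.com'] } },
  // an ordinary, well-formed registration
  legit:    { body: { username: 'alice', password: 'secret', email: 'a@example.com' } },
};

// Run every sample through the binder and return the results keyed by name.
function demo() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = bindFromBody(s.body, USER_SCHEMA, s.actor);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In an Express handler the actor would come from the authentication middleware (the `req.user` of the fix above) and a `{ ok: false }` result maps to a 400 response plus a log entry.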


What is a mass-assignment attack?

Mass assignment, sometimes also referred to as an over-posting attack, is an attack on (web) applications in which an attacker can arbitrarily modify elements of an object. Applications that use model binding for request data are particularly vulnerable to this attack. With model binding, a developer does not have to write code specifying which fields are entered in a form, which saves code. However, an attacker can use this to change other fields of the database object.

How does mass assignment work?

Suppose an application has an object or table with the following fields:

```
name = "John"
isAdmin = False
```

The application has a form to change the name. When this is submitted, the client sends the following request:

```http
POST /profile HTTP/1.1
Host: example.com

field[name]=John
```

Now we modify the request body to the following:

```
field[isAdmin]=True
```

If the application is vulnerable, it will modify the isAdmin field instead of the name field.

In practice

Mass assignment vulnerabilities are often difficult to find manually, because the attacker needs to know how the data model of the application works. In the above example, the attacker only needs to know that the "isAdmin" property exists. Yet such vulnerabilities do occur, often with major consequences. A well-known example is the vulnerability on GitHub, which allowed an attacker to take over arbitrary repositories via over-posting. The best way to detect such vulnerabilities is to use a static code analyzer, such as Fortify. In the case of Fortify, the tool reports a finding called "Mass assignment secure binder".

How to prevent?

The solution is not immediately obvious, since each framework has its own implementation of binding. However, it is often possible to indicate which properties may and may not be modified. A more generic solution is to check which fields come in before binding. During a pentest we check for mass assignment attacks.

  • Network Security Check
  • Website Security Check
  • Phishing Campaign
  • Mystery Guest
  • Why CyberAnt
  • Knowledge base

Marconiweg 1 3899 BR Zeewolde

[email protected] +31 (0)85 047 1590

test for mass assignment

Deze site maakt gebruik van cookies. Door verder te surfen op de site gaat u akkoord met ons gebruik van cookies.

Cookie and Privacy Settings

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:

Vimeo and Youtube video embeds:

You can read about our cookies and privacy settings in detail on our Privacy Policy Page.

Business Standard

  • Personal Finance
  • Today's Paper
  • T20 World Cup
  • Partner Content
  • Entertainment
  • Social Viral
  • Pro Kabaddi League

Confirmed: T20 World Cup 2024 to be Rahul Dravid's last assignment as coach

Ahead of the india vs ireland match, dravid told the media persons that t20 world cup 2024 would be his last assignment as a coach..

Ajit Agarkar, Rahul Dravid

Ajit Agarkar, Rahul Dravid. Photo: Sportzpics for BCCI

Listen to This Article

India vs south africa full schedule, squads, match timings, live streaming, t20 world cup 2024: what will be india playing 11 with four spinners, 1st test: stokes 'devastated'; english offie heads home over visa issue, india vs england 3rd test playing 11: india makes four changes in its xi, air india express: 85 flights cancelled; air india to support on 20 routes, pace or spin-friendly: new york pitch report ahead of ind-ire t20 wc match, t20 world cup 2024 afg vs uga highlights: afghanistan thrash uganda by 125 runs, sl vs sa: nortje 4/7 best figures for a proteas bowler in t20 world cup, sri lanka to the netherlands: top 15 lowest totals in t20 world cup history, doordarshan's free dish platform to telecast t20 cricket world cup matches.

Don't miss the most important news and views of the day. Get them on our Telegram channel

First Published: Jun 04 2024 | 10:14 AM IST

Explore News

  • Suzlon Energy Share Price Adani Enterprises Share Price Adani Power Share Price IRFC Share Price Tata Motors Share Price Tata Steel Share Price Yes Bank Share Price Infosys Share Price SBI Share Price Tata Power Share Price
  • Latest News Company News Market News India News Politics News Cricket News Personal Finance Technology News World News Industry News Education News Opinion Shows Economy News Lifestyle News Health News
  • Today's Paper About Us T&C Privacy Policy Cookie Policy Disclaimer Investor Communication GST registration number List Compliance Contact Us Advertise with Us Sitemap Subscribe Careers BS Apps
  • ICC T20 World Cup 2024 Budget 2024 Lok Sabha Election 2024 Bharatiya Janata Party (BJP)

test for mass assignment

Statistics and Actuarial Science

Information for new graduate students in actuarial science, data science and statistics at the university of iowa..

Welcome New Graduate Students!

Information for NEW graduate students in Actuarial Science, Data Science and Statistics at the University of Iowa. 

Last Updated, May 31, 2024.                                   Additional  updates will be sent this summer!

Important Information for International Students

The Office of International Students and Scholars does an incredible job helping you settle into Iowa City and the University of Iowa.  They have webinars to help with:  

1. Getting Started and Making Travel Arrangements

2. Achieving Success: On-campus Involvement and Cultural Adjustment (undergraduate students)

3. Graduate Student Professionalization and Support

4. Understanding Orientation Expectations, Responsibilities, and Placement Tests (graduate students)

5. On-campus Housing Assignments and Move-in Tips (undergraduate students)

6. Student Employment

7. Money Matters - University Billing

Do you need to take the SPEC (Spoken Proficiency of English for the Classroom)?

All students for whom English is not a first language (as self-reported on their admissions application) and who have first-time appointments as graduate teaching assistants (TAs) are required to go through a testing process to assess their effectiveness in speaking English before they are assigned assistantship responsibilities. Beginning in Fall 2024, there will be a new test to assess communication in English in a classroom context called SPEC (Spoken Proficiency of English in the Classroom).  This is replacing ESPA and ELPT.  Details will be coming soon.

Any graduate student who is included in the following categories needs to have their oral English proficiency tested by the TAPE Program:

  • Students whose first language is not English (i.e., learned another language first) as self-reported on their admissions application, and
  • Have been appointed as a Teaching Assistant

Exemptions (may change):

  • Students with an official valid (within the last two years) iBT Listening score of 25 and an iBT Speaking score of 26.
  • Undergraduate degrees and/or     
  • Continuous attendance of English-language schools since the age of 12 (or younger)
  • Students who served as teaching assistants at other institutions of higher learning in which the language of instruction is English, if they were listed as the instructor of record for a course or led a discussion section in English for at least one year, with a year defined as either two academic semesters or three academic quarters.
  • Requests for exceptions regarding the SPEC  can be submitted for evaluation to a committee consisting of the Director of ESL Programs, the Associate Dean for Administrative Affairs in the Graduate College, and a representative from University Human Resources.

Requests for exemption and exceptions must come from the department by the deadline, not the student.   Deadlines to register students for the SPEC are:

  • March 1  

NOT Exemptions:

  • Students who come from a country where English is one of the official languages.
  • Students who are U.S. permanent residents or U.S. citizens whose first language is not English.

Testing Procedures & Results

 To be announced soon!

Graduate/Professional International Students Important Dates

July 12, 2024:  Earliest date you may enter the U.S. in F-1 or J-1 status. August 11, 2024:  Latest date by which you should arrive in Iowa City August 12 - 16, 2024: International Student Orientation August 26, 2024:  Classes begin.

Housing Information for All Students

The department has a housing webpage, please let us know if you have any questions or concerns. If you are looking for a roommate, please let us know and we can update this web page!

Looking for housing options ?

All US citizens that are financially supported (TA, RA) need to be here on August 21.

All students will register for classes the week before classes start.  International students must complete the required Orientation Program before  they can register for classes.    

____________________

Fall Classes Advising will be August 19-23

All NEW UI students must meet with their advisor prior to registration.  There is no worry about getting into any of the classes we teach.  

  • IF you are an Actuarial Science MS or PhD student you will need to meet with Professor Shyamalkumar.  Email him after August 12 at [email protected] to set a time to meet to discuss what classes to take, it may be on Zoom or in his office (233 Schaeffer Hall).
  • IF you are a Data Science MS, Statistics MS, or PhD student you will need to meet with Professor Boxiang Wang.  Email him after August 12 at [email protected]  to set a time to meet to discuss what classes to take, it may be on Zoom or in his office (261 Schaeffer Hall).

New Graduate College Welcome and Orientation, August 21

The Graduate College Fall 2024 Graduate Student Orientation event will take place on Wednesday, August 21, 2024.  A registration form will be sent to your UI email sometime this early summer from the Graduate College. All new doctoral and master’s students are invited to attend.  

New Teaching Assistant Orientation, August 22- required for all new supported students

Sponsored by the Center for Teaching

This event will introduce participants to the role of teaching assistant at the University of Iowa and prepare them for the first week of classes and beyond. 

Participants will discuss evidence-based teaching strategies for lesson planning, inclusive teaching, and more with Center for Teaching staff. Participants will also choose two workshops of interest to them out of several options; these will be facilitated synchronously by experienced TAs.  This is a virtual event for 9-noon.

  • Sign up before August 21!

New Student Department Orientation, August 23 at 9 a.m., Room to be determined.

  • All New Student Orientation —Group Introductions and General Policy Procedures.

New Supported Graduate Assistants Orientation, August 23 at 1 p.m., Room to be determined.

  • Our Director of Graduate Studies will have a department review of expectations and your specific roles in our department. Teaching and grading assignments will be explained, as well as preparation, teaching tips, problems and questions, quizzes and exams, weekly meetings, grading, appropriate office use and the Sexual Harassment Prevention Education

Mailbox in 241 Schaeffer Hall 

All graduate students will have a mailbox in our main office.  The faculty do as well.  Please check your mailbox at least once a week!

Office Desk Assignment

Nearly all supported students will have a desk in one of our offices.  The assignment priority (in this order) includes Ph.D. and Fellowship candidates, research assistants, half-time teaching assistants, quarter-time teaching assistants and lastly graders.  Having a desk is a privilege and should be used only for university business.  Office assignments will be given to students on, August 23.  Keys are checked out ONLY after that time.  Please remember to keep the rooms clean and take out all trash to the large bins in the main hallways.

Set-up your University of Iowa Email


COMMENTS

  1. Mass Assignment

    Mass Assignment Cheat Sheet is a concise guide to help developers prevent and mitigate the risks of mass assignment vulnerabilities in web applications. It covers the definition, impact, detection, and prevention of this common security flaw. Learn how to protect your data from unauthorized manipulation with OWASP best practices.

  2. Testing for Mass Assignment (WSTG-INPV-20)

    Gray-Box Testing. When the analysis is performed with a gray-box testing approach, it is possible to follow the same methodology to verify the issue. However, the greater knowledge of the application makes it easier to identify frameworks and handlers subject to mass assignment vulnerability. In particular, when the source code is available ...

  3. 20-Testing_for_Mass_Assignment.md

    The impact of a mass assignment can vary depending on the context; therefore, for each test input attempted in the previous phase, analyze the result and determine if it represents a vulnerability that has a realistic impact on the web application's security.

  4. What is mass assignment?

    The mass assignment operation can assign any user-supplied data to the DTO without the risk of inadvertently assigning any sensitive fields. The DTO can be copied to the final object, and during this process, any sensitive fields can be set to secure default values. This method might require much more coding though.

  5. Mass Assignment Vulnerability: Understanding & Mitigating the Risks in

    Mass assignment vulnerability is a critical security concern that often goes unnoticed in API development. Understanding the risks associated with this vulnerability is crucial for protecting sensitive user data. ... OWASP ZAP, and Burp Suite can help identify security flaws in the code and test the application for vulnerabilities. The Role of ...

  6. Mass assignment vulnerability

    Mass assignment is a computer vulnerability where an active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status. Many web application frameworks offer an active record and object-relational mapping features, where ...

  7. Mass Assignment Vulnerability

    Since I wanted to test for mass assignment, I selected "Mass Assignment" from the "Issue Category" tab to filter the endpoints that are vulnerable to mass assignment. Clicking on the first request, I can see three options - "Description, Original, Attempt". Description: Information about the found vulnerability.

  8. API Security 101: Mass Assignment & Exploitation in the Wild

    A mass assignment without a whitelist of allowed "Key-Value Pairs" could allow an attacker to use arbitrary values to create or update the resources abusing the application's regular workflow. Privilege escalation is one of the most common vulnerabilities arising from Mass Assignment vulnerability. According to OWASP this vulnerability ...

  9. OWASP API #6: Mass Assignment

    API #6: Mass Assignment. This week, we are going to talk about 'Mass Assignment', which if not working with incoming data transfer objects or models, is often left unattended. This can cause ...

  10. Automated Black-Box Testing of Mass Assignment Vulnerabilities in

    Mass assignment is one of the most prominent vulnerabilities in RESTful APIs that originates from a misconfiguration in common web frameworks. This allows attackers to exploit naming convention and automatic binding to craft malicious requests that (massively) override data supposed to be read-only. In this paper, we adopt a black-box testing perspective to automatically detect mass assignment ...

  11. Mass Assignment

    Mass assignment vulnerability is a security issue that occurs when an attacker is able to manipulate or inject unexpected data into an API request that allows them to modify data that they should not be able to modify.

  12. Mass Assignment (MA)

    Mass assignment granting a low-privilege user admin role access. The endpoint appears to be vulnerable to Mass Assignment attack. The original request was replayed by modifying the admin param in the request body. The application responded with a 2XX success code in response.

  13. Test Editor Tutorial 2: Mass Assignment (OWASP API3:2023)

    Write your custom Mass Assignment template in Test Editor with this tutorial. Dive into OWASP API3:2023, and learn how to craft your own templates, enhancing...

  14. How I tested for Mass Assignment using Akto?

    Akto is a powerful tool that helps you test for Mass Assignment vulnerabilities in your application. It is a testing framework that allows you to write tests for Mass Assignment vulnerabilities ...

  15. API Mass Assignment Vulnerability

    API Mass Assignment. Mass assignment vulnerabilities occur when a user is able to initialize or overwrite server-side variables which are not intended by the application. By manually crafting a request to include additional parameters in a request, a malicious user may adversely affect application functionality. Common root causes of mass assignment vulnerabilities may include […]

  16. What is a mass-assignment attack?

    Mass-assignment vulnerabilities are often difficult to find manually, because the attacker needs to know how the data model of the application works. In the above example, the attacker just needs to know that the "isAdmin" property exists. Yet such vulnerabilities do occur, often with major consequences.

  17. Newest 'mass-assignment' Questions

    Questions tagged [mass-assignment]. A feature of server-side web frameworks such as Ruby on Rails, in which all the parameters of an HTTP request are assigned to variables. Mass assignment security provides an interface for protecting attributes from end-user assignment.

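The snippets above describe the same three things from different angles: a handler that binds every request field onto the model, the allowlist or DTO that stops it, and the black-box check of replaying a legitimate request with an extra privileged field (such as `isAdmin`) and comparing the result. The following is an added example that puts all three in one place; it is not code from the cheat sheet or from any of the quoted sources. Every name in it (`newUser`, `updateProfileVulnerable`, `updateProfileAllowlist`, `updateProfileDto`, `ProfileUpdateDto`, `massAssignmentCheck`) is hypothetical, the user record is constructed sample data, and a parsed JSON body stands in for a real HTTP framework.

```javascript
// Added example for the mass-assignment pattern described in the snippets
// above; not code from any of the quoted sources. All names are hypothetical
// and a parsed JSON body stands in for a real HTTP framework.

// Constructed sample record: an ordinary, non-admin user as stored server-side.
function newUser() {
  return { id: 42, username: "alice", email: "alice@example.com", isAdmin: false, balance: 0 };
}

// VULNERABLE: every key in the request body is bound onto the model, so a
// body of {"username":"alice","isAdmin":true} also flips the admin flag.
function updateProfileVulnerable(user, body) {
  Object.assign(user, body);
  return user;
}

// HARDENED, allowlist: only the fields the edit form is meant to change are
// copied; anything else in the body is ignored.
const EDITABLE_FIELDS = ["username", "email"];
function updateProfileAllowlist(user, body) {
  for (const key of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      user[key] = body[key];
    }
  }
  return user;
}

// HARDENED, DTO: the body is bound onto an intermediate object that declares
// exactly the editable properties, then the DTO (not the body) is copied to
// the model. Sensitive fields never exist on the DTO, so they cannot be set.
class ProfileUpdateDto {
  constructor(body) {
    this.username = body.username;
    this.email = body.email;
  }
}
function updateProfileDto(user, body) {
  const dto = new ProfileUpdateDto(body);
  for (const [key, value] of Object.entries(dto)) {
    if (value !== undefined) user[key] = value;
  }
  return user;
}

// The replay check from the snippets: run a legitimate update, then the same
// update with one extra privileged field, and compare the stored records.
// Returns { vulnerable, baseline, afterAttempt } for the injected field.
function massAssignmentCheck(handler, injectedField, injectedValue) {
  const legit = { username: "alice2", email: "alice2@example.com" };
  const baseline = handler(newUser(), { ...legit });
  const attempt = handler(newUser(), { ...legit, [injectedField]: injectedValue });
  return {
    vulnerable: attempt[injectedField] !== baseline[injectedField],
    baseline: baseline[injectedField],
    afterAttempt: attempt[injectedField],
  };
}

// Demo: each handler probed with the two classic payloads.
const HANDLERS = { updateProfileVulnerable, updateProfileAllowlist, updateProfileDto };
for (const [name, handler] of Object.entries(HANDLERS)) {
  for (const [field, value] of [["isAdmin", true], ["balance", 1000000]]) {
    const r = massAssignmentCheck(handler, field, value);
    console.log(`${name} / ${field}: ${r.vulnerable ? "VULNERABLE" : "ok"} (${r.baseline} -> ${r.afterAttempt})`);
  }
}
```

The allowlist is what Rails' strong parameters (`params.require(:user).permit(:username, :email)`) do at the framework level; the DTO form is the approach item 4 above describes. Both are preferable to a denylist of sensitive fields, because a denylist fails silently the moment a new privileged column is added to the model. The check function is the manual version of what the tooling in items 7 and 12 automates: replay, inject, compare, and treat a changed privileged field (not merely a 2XX response) as the confirmation.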