Mass Assignment

Mass Assignment (aka auto-binding) is a vulnerability where an application automatically assigns user-supplied data to model attributes without proper validation or restrictions.

  • Registration requests are a good candidate for mass assignment flaws (Figure 1 & 2).

  • Check documentation if available (Figure 1, 2, & 3).

  • Any request that accepts user input is a candidate, including GET requests converted to POST so that a body can be supplied (Figure 4 & 5).

  • Potential parameters can be identified via fuzzing, code review, JWTs, leaky API endpoints, front-end code review, etc.

The below example is based on TCM's Practical API Hacking course.

Figure 1: Finding 'hidden' parameters in the documentation.
Figure 2: Adding the privileges parameter to the registration request.
Figure 3: The root cause of the above mass assignment vulnerability.
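To make the root cause in Figure 3 concrete, the following is an added example (not code from the TCM course or from any application it targets). It assumes a hypothetical User model with username, email and a server-controlled privileges attribute, and binds a constructed registration request that carries the extra "privileges" parameter, first with naive auto-binding and then with an allowlist that also reports the rejected keys so they can be logged.

```python
"""Mass assignment: naive auto-binding beside an allowlisted binder."""
from dataclasses import dataclass

@dataclass
class User:
    """Hypothetical registration model (assumed for this example)."""
    username: str = ""
    email: str = ""
    privileges: str = "user"   # server-controlled; must never be set from the request

def bind_all_fields(payload: dict) -> User:
    """Vulnerable: every request key that matches an attribute is bound (auto-binding)."""
    user = User()
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user

# Only the fields a client is allowed to set during registration.
REGISTRATION_ALLOWLIST = frozenset({"username", "email"})

def bind_allowlisted(payload: dict) -> tuple[User, set[str]]:
    """Hardened: bind allowlisted keys only; return the rejected keys for logging/alerting."""
    user = User()
    rejected = set(payload) - REGISTRATION_ALLOWLIST
    for key in REGISTRATION_ALLOWLIST & set(payload):
        setattr(user, key, payload[key])
    return user, rejected

# Constructed request body, mirroring Figure 2: a client adds "privileges" to registration.
REGISTRATION_REQUEST = {
    "username": "alice",
    "email": "alice@example.com",
    "privileges": "admin",   # constructed value, not from the page
}

def demo() -> tuple[str, str, list[str]]:
    """Return (privileges after naive binding, after allowlisting, rejected keys)."""
    vulnerable = bind_all_fields(REGISTRATION_REQUEST)
    hardened, rejected = bind_allowlisted(REGISTRATION_REQUEST)
    return vulnerable.privileges, hardened.privileges, sorted(rejected)

if __name__ == "__main__":
    print(demo())  # ('admin', 'user', ['privileges'])
```

The rejected-key set is the detection hook: a registration endpoint that sees "privileges" in a request body has a reason to log it, and the allowlist is the fix regardless of which framework performs the binding.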

The below example is based on the crAPI application.

Figure 4: Tampering with the HTTP verbs.
Figure 5: Exploiting a mass assignment vulnerability.
