Mass Assignment Attacks
Overwrite an object's properties (e.g. isAdmin:True during account registration). Target POST requests that accept user input (try converting GET to POST as well). Find interesting parameters in the API documentation and then add them to the requests.
The registration process is usually a good starting point to check for this.

We can also use Param Miner to fuzz for potential request parameters.

We can try changing the HTTP verbs of a request as well.

The price parameter can also be changed to a negative value, which works as a refund.
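As an added illustration (not part of the original notes), the following shows the root cause on the server side: a registration handler that binds every submitted field to the new account, next to a hardened version that binds only an allowlist and rejects anything else. The field names, the User model and the sample request body are constructed for this example.

```python
# Added example: mass assignment in a registration handler, vulnerable vs hardened.
from dataclasses import dataclass

# Fields a client may legitimately set during registration (assumed schema).
REGISTRATION_FIELDS = {"username", "email", "password"}


@dataclass
class User:
    username: str = ""
    email: str = ""
    password: str = ""
    is_admin: bool = False   # must never be client-controlled
    balance: int = 0         # must never be client-controlled


def register_vulnerable(payload: dict) -> User:
    """Vulnerable: every key in the request body becomes an attribute."""
    user = User()
    for key, value in payload.items():
        setattr(user, key, value)   # no allowlist, so 'is_admin' is accepted
    return user


def register_hardened(payload: dict) -> User:
    """Hardened: bind only allowlisted fields and refuse unknown ones."""
    unknown = set(payload) - REGISTRATION_FIELDS
    if unknown:
        # Unexpected fields are a detection signal worth logging, not silently dropping.
        raise ValueError(f"unexpected fields in registration: {sorted(unknown)}")
    return User(**{k: payload[k] for k in REGISTRATION_FIELDS if k in payload})


def hardened_accepts(payload: dict) -> bool:
    """Helper: True when the hardened handler accepts the request body."""
    try:
        register_hardened(payload)
        return True
    except ValueError:
        return False


# Constructed sample request body that smuggles a privileged field.
SAMPLE_PAYLOAD = {
    "username": "alice",
    "email": "alice@example.com",
    "password": "hunter2",
    "is_admin": True,
}

if __name__ == "__main__":
    print(register_vulnerable(SAMPLE_PAYLOAD).is_admin)   # True
    print(hardened_accepts(SAMPLE_PAYLOAD))                # False
```

The same allowlist approach applies to any client-supplied object, including the price field mentioned above, which should be taken from the server-side catalogue rather than the request.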
