# Mass Assignment Attacks

* Overwrite an object's properties (e.g. setting `isAdmin:True` during account registration).
* Target `POST` requests that accept user input (try converting `GET` requests to `POST` as well).
* Find interesting parameters in the API documentation and then add them to the requests.
* The registration process is usually a good starting point for checking this.

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FOnfC40Q4vc5BWfLmYwTv%2Fapisec_mass_ass_registration.png?alt=media&#x26;token=d11205a3-f09b-4682-b63c-4a5ad6e13da1" alt=""><figcaption></figcaption></figure>

We can also use `Param Miner` to fuzz for potential request parameters.

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FfktXoBexkVo7bv4vYMmC%2Fapisec_mass_ass_param_miner.png?alt=media&#x26;token=cd048669-b95a-4c22-9447-104e3c8b2925" alt=""><figcaption></figcaption></figure>

We can try changing the HTTP verbs of a request as well.

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FfG3PaxEYqKI2KoX0I4n2%2Fapisec_mass_ass_http_methods.png?alt=media&#x26;token=e4caecdf-5d99-4b78-9ac3-31a35e5ee8e2" alt=""><figcaption></figcaption></figure>

The `price` parameter can also be changed to a negative value, which works as a refund.

<figure><img src="https://3960676229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmjLkek16kB60c2WFd5lf%2Fuploads%2FQxDGB7z1HHVWSOEPlIvG%2Fapisec_mass_ass_refund.png?alt=media&#x26;token=2865102e-97d5-425b-b57a-e0247c8d8a52" alt=""><figcaption></figcaption></figure>
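The two issues above (a registration body that sets `is_admin`, and a client-supplied negative `price`) come from the same root cause: the server binds whatever the client sends onto its model. The following is an added example, not code from the original page, showing a handler that does that beside one that binds only an explicit allowlist and computes prices server-side; the `User` and `Order` models, field names and catalogue are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False      # must never be client-settable

def register_vulnerable(body: dict) -> User:
    """Mass assignment: every key in the JSON body becomes a User attribute."""
    user = User(username=body["username"], email=body["email"])
    for key, value in body.items():
        setattr(user, key, value)   # "is_admin": true in the body lands here
    return user

# Only these fields may come from the client, with their expected types.
ALLOWED_REGISTRATION_FIELDS = {"username": str, "email": str}

def register_safe(body: dict, audit_log: list) -> User:
    """Allowlist binding: unknown fields are rejected and logged, not ignored."""
    unexpected = set(body) - set(ALLOWED_REGISTRATION_FIELDS)
    if unexpected:
        audit_log.append(f"registration rejected, unexpected fields: {sorted(unexpected)}")
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for name, expected_type in ALLOWED_REGISTRATION_FIELDS.items():
        if not isinstance(body.get(name), expected_type):
            raise ValueError(f"field {name!r} must be {expected_type.__name__}")
    return User(username=body["username"], email=body["email"])  # is_admin stays False

# Constructed server-side price table (cents); the client never supplies a price.
CATALOGUE = {"sku-1": 1999, "sku-2": 500}

@dataclass
class Order:
    sku: str
    quantity: int
    total_cents: int

def create_order_safe(body: dict) -> Order:
    """Price comes from the catalogue, so a negative client 'price' has no effect."""
    sku, qty = body.get("sku"), body.get("quantity")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
        raise ValueError("quantity must be a positive integer")
    return Order(sku=sku, quantity=qty, total_cents=CATALOGUE[sku] * qty)
```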
