Mass Assignment Attacks

  • Overwrite object's properties (e.g. isAdmin:True during account registration).

  • Target POST requests that accept user input (try converting GET requests to POST as well).

  • Find interesting parameters in API documentation and then add those within the requests.

  • The registration process is usually a good starting point to check for this.

We can also use Param Miner to fuzz for potential request parameters.

We can try changing the HTTP verbs of a request as well.

The price parameter can also be changed to a negative value, which effectively works as a refund.
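To show why the registration step is the usual place to look, here is an added example (not from the original notes) of a registration handler that binds the whole request body into the user model, next to a hardened version that binds only an allowlist of fields; the `User` model, field names and the JSON bodies are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed user model: is_admin is meant to be set only by the server.
@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False

# Only these keys may come from the client during registration.
ALLOWED_REGISTRATION_FIELDS = {"username", "email"}


def register_vulnerable(body: dict) -> User:
    """Mass-assignment pattern: every key of the JSON body is bound to the
    model, so a client that adds "is_admin": true registers as an admin.
    (Many ORMs and binders accept extra keys just as silently.)"""
    return User(**body)


def unexpected_fields(body: dict) -> set:
    """Keys present in the body that are not on the allowlist."""
    return set(body) - ALLOWED_REGISTRATION_FIELDS


def register_hardened(body: dict) -> User:
    """Allowlist binding: only known fields are copied, and unknown keys
    are rejected rather than dropped, so a tampering attempt surfaces as
    a logged error instead of succeeding or disappearing silently."""
    extra = unexpected_fields(body)
    if extra:
        raise ValueError(f"unexpected registration fields: {sorted(extra)}")
    return User(username=str(body["username"]), email=str(body["email"]))


# Constructed sample bodies: a normal sign-up and one with an injected field.
NORMAL_BODY = {"username": "alice", "email": "alice@example.test"}
TAMPERED_BODY = {**NORMAL_BODY, "is_admin": True}

if __name__ == "__main__":
    print(register_vulnerable(TAMPERED_BODY))  # is_admin=True: privilege gained
    print(register_hardened(NORMAL_BODY))      # is_admin=False
    try:
        register_hardened(TAMPERED_BODY)
    except ValueError as err:
        print("rejected:", err)
```

The same allowlist rule applies to any write endpoint found through the API documentation or Param Miner: bind named fields, never the raw body.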
