Mass Assignment Attacks
Overwrite an object's properties (e.g. isAdmin:True during account registration).

Target POST requests that accept user input (try converting GET to POST as well).

Find interesting parameters in the API documentation and then add those to the requests.

The registration process is usually a good starting point to check for this.

We can also use Param Miner to fuzz for potential request parameters.

We can try changing the HTTP verbs of a request as well.

The price parameter can also be changed to a negative value, which the application may process as a refund.
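As an added example (not code from the original notes), a Python registration handler that binds the JSON body straight onto the user object, next to an allowlist-based version and an order handler that takes the price from the server-side catalog rather than the request; the User class, field names and catalog values are assumptions.

```python
# Added example, not from the original notes. The User class, field names,
# request bodies and catalog prices below are constructed for illustration.

ALLOWED_REGISTRATION_FIELDS = {"username", "email", "password"}
CATALOG_PRICES = {"sku-123": 1999}  # constructed; prices in cents, owned by the server


class User:
    def __init__(self):
        self.username = None
        self.email = None
        self.password = None
        self.is_admin = False  # must only ever be set by server-side logic


def register_vulnerable(payload: dict) -> User:
    """Mass-assignment bug: every key in the JSON body becomes an attribute."""
    user = User()
    user.__dict__.update(payload)  # a client-supplied 'is_admin' lands here
    return user


def register_hardened(payload: dict) -> User:
    """Bind only allowlisted fields; unknown keys are rejected, not silently dropped."""
    unexpected = set(payload) - ALLOWED_REGISTRATION_FIELDS
    if unexpected:
        # Rejecting (rather than ignoring) unknown keys also gives a log line to
        # alert on: a client sending 'is_admin' is probing for this class of bug.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    user = User()
    for field in ALLOWED_REGISTRATION_FIELDS & set(payload):
        setattr(user, field, payload[field])
    return user


def build_order_hardened(payload: dict) -> dict:
    """Price comes from the catalog, never from the client; quantity must be a positive int."""
    sku = payload.get("sku")
    qty = payload.get("quantity")
    if sku not in CATALOG_PRICES:
        raise ValueError("unknown sku")
    if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
        raise ValueError("quantity must be a positive integer")
    # Any 'price' key in the payload is simply never read.
    return {"sku": sku, "quantity": qty, "total": CATALOG_PRICES[sku] * qty}


if __name__ == "__main__":
    body = {"username": "alice", "email": "a@example.test", "password": "x", "is_admin": True}
    print(register_vulnerable(body).is_admin)  # True: privilege escalated
    try:
        register_hardened(body)
    except ValueError as e:
        print(e)  # unexpected fields: ['is_admin']
```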
