# Mass Assignment Tests

{% hint style="danger" %}
**At a Glance**: 🛡️ A **Mass Assignment Vulnerability** exists when an API binds every field of an incoming request to an internal object, so a client can set properties it should never control. The root cause is that the API accepts and processes more data fields than the operation needs, usually because input is not validated or filtered against an explicit allow-list, and the result is unauthorized modification of data.
{% endhint %}

***

## What are the common mistakes made by developers?

This vulnerability typically arises when an API lets a client submit multiple parameters in a single request and uses those parameters to create or update database records without checking that the request contains only the expected parameters. An attacker exploits this by adding extra parameters to the request; because the API does not validate them, they are written to the record and data is modified or created in unintended ways.

One of the most well-known cases occurred in 2012, when a vulnerability was discovered in the Ruby on Rails web application framework that allowed attackers to exploit mass assignment in Rails-based applications.

The vulnerability was caused by the default behavior of Rails' mass assignment feature, which let developers assign multiple attributes to a model object at once from request parameters without an explicit allow-list.

## How can I fix Mass Assignment issues?

Validate all input data, accept only the fields necessary for the request, and ensure that the data is consistent with the intended operation; do not use one-liners that blindly load all request parameters into an object. APIs can also use data binding techniques that map only the fields explicitly allowed to be updated onto the corresponding database fields, while ignoring the rest of the data in the request.
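The contrast between blind binding and allow-listed binding, as an added example that is not part of this page or of Pynt's own code. The `User` model, the `PROFILE_WRITABLE` allow-list, the handler names and the request body are all constructed for illustration; the hidden attribute (`balance`) and the privilege flag (`is_admin`) stand in for the two test cases listed further down, hidden-attribute manipulation and flag overloading.

```python
"""Constructed mass-assignment example (illustrative, not Pynt code).

update_profile_unsafe binds every key in the request body to the record,
which is the defect this page describes. update_profile_safe binds only an
explicit allow-list and reports anything else, so a hidden attribute
(balance) and a privilege flag (is_admin) cannot be set from the body.
"""
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False   # privilege flag: never client-writable
    balance: int = 0         # hidden attribute: never client-writable


# Fields a client may legitimately change through the profile endpoint (assumption).
PROFILE_WRITABLE = frozenset({"email", "display_name"})


def update_profile_unsafe(user: User, body: dict) -> User:
    """Vulnerable: copies every key from the request onto the model."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


class UnexpectedFields(ValueError):
    """Raised when the request carries attributes outside the allow-list."""


def update_profile_safe(user: User, body: dict, strict: bool = True) -> User:
    """Hardened: bind only allow-listed fields.

    strict=True rejects the whole request when unexpected keys are present,
    which also gives a clean event to log and alert on. strict=False silently
    drops them, which is the "ignore the rest" behaviour the page describes.
    """
    extra = set(body) - PROFILE_WRITABLE
    if extra and strict:
        raise UnexpectedFields(f"unexpected fields in request: {sorted(extra)}")
    for key in PROFILE_WRITABLE & set(body):
        setattr(user, key, body[key])
    return user


# Constructed request body: the two legitimate fields plus a hidden attribute
# and a privilege flag that the client should never be able to set.
SAMPLE_BODY = {
    "display_name": "alice",
    "email": "alice@example.com",
    "balance": 999999,
    "is_admin": True,
}


def demo() -> dict:
    """Run all three binding modes on the same request and return the outcomes."""
    unsafe = update_profile_unsafe(User(1, "old@example.com", "old"), dict(SAMPLE_BODY))
    lenient = update_profile_safe(User(1, "old@example.com", "old"), dict(SAMPLE_BODY), strict=False)
    try:
        update_profile_safe(User(1, "old@example.com", "old"), dict(SAMPLE_BODY))
        rejected = None
    except UnexpectedFields as exc:
        rejected = str(exc)
    return {"unsafe": asdict(unsafe), "lenient": asdict(lenient), "strict_error": rejected}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the block shows the unsafe handler promoting the user to admin and rewriting the balance, the lenient handler updating only `email` and `display_name`, and the strict handler refusing the request and naming the offending fields. The strict mode is the better default for an API: an unexpected `is_admin` in a profile update is a useful detection signal, and silently dropping it hides probing from the logs.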

## Test cases in this category:

This test case manipulates object properties in requests that the user should not be able to set:

<table><thead><tr><th>Test case</th><th width="226.33333333333331">OWASP</th><th>CWE</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>[MA001]</strong> Mass assignment by manipulation of hidden attributes</td><td><a href="https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md">API6 OWASP API Top 10</a></td><td><a href="https://cwe.mitre.org/data/definitions/915.html">CWE-915</a></td><td></td></tr></tbody></table>

This test case manipulates boolean flags in requests from users who should not be able to set those flags:

<table><thead><tr><th>Test case</th><th width="226.33333333333331">OWASP</th><th>CWE</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>[MA002]</strong> Mass assignment by flag overloading</td><td><a href="https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md">API6 OWASP API Top 10</a></td><td><a href="https://cwe.mitre.org/data/definitions/915.html">CWE-915</a></td><td></td></tr></tbody></table>
