Mass Assignment

Dive into Pynt's documentation on security tests for mass assignment vulnerabilities! Discover how Pynt safeguards against unauthorized access and manipulation of sensitive data.

Intro

Mass assignment vulnerability is a security issue that occurs when an attacker is able to manipulate or inject unexpected data into an API request that allows them to modify data that they should not be able to modify.

What are the common mistakes made by developers?

This vulnerability typically arises when an API allows a client to submit multiple parameters in a single request, and those parameters can be used to update or create database records without validating that the request includes only the expected parameters. The attacker can exploit this by submitting additional parameters to the request, which are not validated by the API, allowing them to modify or create data in unintended ways.

One of the most well-known cases occurred in 2012, when a vulnerability was discovered in the Ruby on Rails web application framework, which allowed attackers to exploit mass assignment vulnerabilities in Rails-based applications.

The vulnerability was caused by the default behavior of Rails' mass assignment feature, which allowed developers to easily assign multiple attributes to a model object at once.

How can I fix mass assignment issues?

Validate all input data: accept only the fields that are necessary for the request, ensure that the data is consistent with the intended operation, and do not use one-liners that blindly load every request parameter into an object. APIs can also use data binding techniques that map only the fields explicitly allowed to be updated onto the corresponding database fields, while ignoring the rest of the data in the request.
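The mistake and the fix side by side, as an added example that is not part of the Pynt documentation: a handler that copies every request field onto the model (the "one-liner" above) next to one that binds only an allow-list of writable fields and type-checks them. The User model, the WRITABLE_FIELDS allow-list, the field names (including the hidden role attribute and the is_admin flag) and the request payload are all constructed for illustration.

```python
"""Mass assignment: blind attribute loading beside allow-listed data binding.

Added example, not code from the Pynt docs. The User model, the allow-list and
the request payload are constructed for illustration.
"""
from dataclasses import dataclass

# Fields a client may change through a hypothetical profile-update endpoint,
# together with the type each one must have (assumed allow-list).
WRITABLE_FIELDS = {"display_name": str, "email": str}


@dataclass
class User:
    id: int
    display_name: str
    email: str
    role: str = "user"          # hidden attribute: must never be client-writable
    is_admin: bool = False      # boolean flag: must never be client-writable


class MassAssignmentError(ValueError):
    """Raised when a request carries fields the endpoint does not accept."""


def update_user_vulnerable(user: User, payload: dict) -> User:
    """The mistake: every key in the request body becomes an attribute.

    Nothing checks that the request contains only the expected fields, so a
    client can overwrite role or is_admin alongside the legitimate fields.
    """
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def update_user_safe(user: User, payload: dict, *, strict: bool = True) -> User:
    """The fix: bind only allow-listed, correctly typed fields.

    strict=True rejects the whole request when it carries unexpected fields
    (the behaviour to prefer, since it surfaces the attempt); strict=False
    silently drops them and applies only the allowed ones.
    """
    unexpected = set(payload) - set(WRITABLE_FIELDS)
    if unexpected and strict:
        raise MassAssignmentError(f"unexpected fields: {sorted(unexpected)}")
    for key, expected_type in WRITABLE_FIELDS.items():
        if key not in payload:
            continue
        value = payload[key]
        if not isinstance(value, expected_type):
            raise MassAssignmentError(f"field {key!r} must be {expected_type.__name__}")
        setattr(user, key, value)
    return user


# Constructed request body: two legitimate fields plus two that the client
# should not be able to set (a hidden attribute and a boolean flag).
CONSTRUCTED_REQUEST = {
    "display_name": "alice2",
    "email": "alice2@example.test",
    "role": "admin",
    "is_admin": True,
}


def fresh_user() -> User:
    """A baseline record to update (constructed sample data)."""
    return User(id=1, display_name="alice", email="alice@example.test")


def demo() -> dict:
    """Run both handlers on the same request and report the outcome of each."""
    vulnerable = update_user_vulnerable(fresh_user(), CONSTRUCTED_REQUEST)
    lenient = update_user_safe(fresh_user(), CONSTRUCTED_REQUEST, strict=False)
    try:
        update_user_safe(fresh_user(), CONSTRUCTED_REQUEST)
        strict_rejected = False
    except MassAssignmentError:
        strict_rejected = True
    return {
        "vulnerable_is_admin": vulnerable.is_admin,
        "vulnerable_role": vulnerable.role,
        "lenient_is_admin": lenient.is_admin,
        "lenient_role": lenient.role,
        "lenient_display_name": lenient.display_name,
        "strict_rejected": strict_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The strict mode is the one to deploy: a request that names fields outside the allow-list is itself a signal worth logging, whereas silently dropping them hides the attempt. The allow-list also carries the expected type of each field, which covers the "consistent with the intended operation" part of the advice above.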

Test cases in this category:

This test case manipulates object properties from requests which the user should not have access to:

Test case | OWASP | CWE

[MA001] Mass assignment by manipulation of hidden attributes

This test case manipulates boolean flags from requests that should not have access to these flags:

Test case | OWASP | CWE

[MA002] Mass assignment by flag overloading
