Introduction to API Testing — Mass Assignment vulnerabilities


Huy Phu

Mass assignment, also known as auto-binding, occurs when request parameters are automatically bound to internal object fields by software frameworks. This unintended consequence may lead to the application supporting parameters that were never intended to be processed by the developer.

To identify hidden parameters created by mass assignment, manually examine the objects returned by the API. Consider an example where a PATCH request allows users to update their username and email:

    PATCH /api/users/
    {
      "username": "wiener",
      "email": "wiener@example.com"
    }

A concurrent GET /api/users/123 request returns the following JSON:

    {
      "id": 123,
      "name": "John Doe",
      "email": "john@example.com",
      "isAdmin": "false"
    }

The id and isAdmin fields are not intended to be disclosed. To test whether we can modify id and isAdmin, we can try changing their values and see how the application responds. We can also try sending a PATCH request with an invalid value; this may give us a hint about the application's logic. Now that we've identified the parameter, we can try setting isAdmin to a different value to see if we can gain unintended admin privileges. To confirm the success of exploiting the vulnerability, browse the application with the updated user privileges. If the user is granted admin privileges, it indicates a mass assignment vulnerability that could lead to unauthorized access.

Mass assignment vulnerabilities pose a significant threat to web applications, allowing users to manipulate parameters beyond their intended scope. By understanding how to identify hidden parameters and systematically testing for these vulnerabilities, developers and security professionals can fortify their applications against potential exploitation.

Please clap if you like this post. And don't forget to follow me for more cybersecurity content.
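The auto-binding described above, shown as a vulnerable PATCH handler beside its allowlisted fix. This is an added example, not code from the post; it is framework-free, and the handler names, the sample record and the probe payload are my assumptions modelled on the PATCH/GET exchange above.

```python
"""Vulnerable vs. hardened PATCH /api/users/{id} handler (added example, not the post's code)."""
import copy

# Constructed record mirroring the GET /api/users/123 response in the post.
SAMPLE_USER = {"id": 123, "name": "John Doe", "email": "john@example.com", "isAdmin": False}

# Fields a regular user may change via PATCH, with the type each must have (assumed).
PATCHABLE_FIELDS = {"name": str, "email": str}


def update_user_unsafe(user, payload):
    """Auto-binding: every key in the request body is copied onto the stored object."""
    updated = copy.deepcopy(user)
    updated.update(payload)  # id and isAdmin are silently accepted as well
    return 200, updated


def update_user_safe(user, payload):
    """Allowlist binding: unknown fields and wrong types are rejected with 400."""
    unexpected = sorted(set(payload) - set(PATCHABLE_FIELDS))
    if unexpected:
        # Rejecting rather than silently dropping makes probes for hidden fields visible in logs.
        return 400, {"error": "unknown fields", "fields": unexpected}
    bad_types = sorted(k for k, v in payload.items() if not isinstance(v, PATCHABLE_FIELDS[k]))
    if bad_types:
        # Covers the "invalid value" probe the post mentions without leaking internal logic.
        return 400, {"error": "invalid value", "fields": bad_types}
    updated = copy.deepcopy(user)
    for field in payload:  # every key is now known and well-typed
        updated[field] = payload[field]
    return 200, updated


# Constructed probe of the kind the post describes: a hidden field riding along.
PROBE = {"email": "wiener@example.com", "isAdmin": True}

if __name__ == "__main__":
    print("unsafe:", update_user_unsafe(SAMPLE_USER, PROBE))
    print("safe:  ", update_user_safe(SAMPLE_USER, PROBE))
```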