Mass Assignment


Last updated 1 month ago

What is Mass Assignment?

Applications these days often rely on objects (for example user, product, …), and these objects have properties (for example product.stock). As a user, we are authorized to view and edit specific properties of these objects, but we may also be restricted from viewing or editing others (for example, a user can view product.stock but should not be able to edit it). These properties are matched to request parameters on the front-end, and if that conversion happens automatically, parameters may be bound to properties the attacker should not be able to access (for example, the user should never be able to edit product.title, but the front-end might convert a “title” parameter to product.title when the user sends a PUT request).

Here are some more examples of properties the user should not be able to edit:

  • Account.AccountType or Account.discountsEnable: properties that relate to permissions.

  • Account.wallet: a property that should never be editable by the attacker.

  • product.title: an internal property the user should never be able to edit.

A common example is when an attacker adds parameters to a user registration request, such as setting isadmin: true, to escalate their account privileges.

How to Find Mass Assignment Vulnerabilities

  1. Explore API Documentation: Check the documentation for parameters related to user roles, permissions, and critical functionalities. Adding these parameters to requests might reveal vulnerabilities.

  2. Observe Naming Conventions: Use the API as designed to understand parameter naming conventions, as this insight can guide potential parameters for attacks on other endpoints.

  3. Fuzz for Blind Attacks: If there is no documentation, fuzz parameters by capturing requests and brute-forcing values. Starting with account registration is a good approach, as it often contains exploitable user input.

Testing Account Registration for Mass Assignment

Let's intercept the account registration request for crAPI.

  1. Create a New Account: Use the application to register a new account while intercepting the request.

  2. Submit the form to create an account and make sure the request was intercepted with Burp Suite.

  3. Send the Intercepted Request to Repeater: Once intercepted, send the request to Burp Suite's Repeater to modify and test different payloads.

  4. Modify JSON Payload: Alter the JSON payload by adding parameters like "isadmin": true, "admin": 1, or similar variations. Send each modified request and observe the API's responses for unique indicators of privilege escalation or success.

  5. Analyze API Responses: If the API responds with no changes or indications of status alteration, the target may not be vulnerable. However, if variations in response occur, it suggests potential vulnerability.

  6. Use Intruder for Variants: If you want to explore combinations of parameters systematically, send the request to Burp Suite's Intruder, set payload positions around the admin-related parameters, and run a “Cluster Bomb” attack.
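To make the binding behaviour from the overview concrete, and to show what the response comparison in steps 4 and 5 is actually detecting, here is an added Python example (not code from this page, from crAPI, or from any framework it mentions). A hypothetical registration handler is written both ways: `register_vulnerable` copies every JSON key onto the user object, `register_safe` binds only an explicit allowlist and logs what it dropped, and `leaked_fields` is the local regression check a developer would run to see which extra parameters end up on the stored object. All names, fields and sample bodies are constructed assumptions.

```python
import json

# Constructed in-memory user store standing in for the application's database.
USERS = {}

# Fields a self-service registration request is allowed to set (assumption).
REGISTRATION_ALLOWLIST = {"name", "email", "password"}


def _new_user(email):
    """Server-controlled defaults; only the allowlisted fields should ever change."""
    return {"email": email, "name": "", "role": "user", "is_admin": False, "wallet": 0}


def _public_view(user):
    """What the API returns to the client (the password is never echoed back)."""
    return {k: v for k, v in user.items() if k != "password"}


def register_vulnerable(raw_body):
    """Mass-assignable handler: every JSON key is copied straight onto the object."""
    body = json.loads(raw_body)
    user = _new_user(body["email"])
    user.update(body)  # the bug: client-supplied keys overwrite role, is_admin, wallet, ...
    USERS[user["email"]] = user
    return _public_view(user)


def register_safe(raw_body):
    """Hardened handler: bind only allowlisted keys and report what was dropped."""
    body = json.loads(raw_body)
    user = _new_user(body["email"])
    for key in REGISTRATION_ALLOWLIST & set(body):
        user[key] = body[key]
    rejected = sorted(set(body) - REGISTRATION_ALLOWLIST)
    if rejected:
        # Legitimate clients never send these keys, so a log line like this is a
        # cheap detection signal: a burst of dropped fields is worth alerting on.
        print(f"registration: dropped unexpected fields {rejected}")
    USERS[user["email"]] = user
    return _public_view(user)


def leaked_fields(handler, base_body, candidates):
    """Regression check: resend base_body with each candidate key added and
    report the candidates whose value shows up on the returned object."""
    leaked = {}
    for key, value in candidates.items():
        probe = dict(base_body)
        probe[key] = value
        probe["email"] = f"{key}+{base_body['email']}"  # fresh object per probe
        response = handler(json.dumps(probe))
        if response.get(key) == value:
            leaked[key] = value
    return leaked


# Constructed sample request and the privileged fields to probe for.
BASE_BODY = {"name": "alice", "email": "alice@example.test", "password": "correct horse"}
PROBES = {"is_admin": True, "role": "admin", "wallet": 1000}

if __name__ == "__main__":
    print("vulnerable handler leaked:", leaked_fields(register_vulnerable, BASE_BODY, PROBES))
    print("safe handler leaked:      ", leaked_fields(register_safe, BASE_BODY, PROBES))
```

Run as a script, the vulnerable handler reports all three probe fields as leaked and the safe handler reports none. The allowlist is deliberately positive (what may be set) rather than a denylist of known-dangerous names, because a denylist silently fails the moment a new privileged field is added to the object.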

Fuzzing For Mass Assignment With Param Miner

  • Install Param Miner: Ensure you have the Param Miner extension in Burp Suite.

  • Right-click on a request to mine parameters using Param Miner.

  • Configure Param Miner options and click OK.

  • Review Detected Parameters: After running, check the Output tab for any new parameters that can be tested.

  • Reinsert Parameters for Fuzzing: Insert these parameters back into the original request to see if they trigger any responses that could indicate a vulnerability.

Other Mass Assignment Vectors

  • Unauthorized Access to Organizations: If the application allows users to be part of organizational groups, you can test for unauthorized access to those groups. This can often be done by modifying request parameters to include organizational identifiers.

    • Example: By adding an "org" parameter to a request and experimenting with different values, you might be able to access groups that a user is not supposed to see or interact with. This is particularly relevant in applications that manage organizational hierarchies or user groups.

  • Access Control Over Object Properties: Beyond organizational access, look for other sensitive properties within user objects that should be protected. This can include user roles, permissions, or configuration flags.

    • Testing Method: If you find an endpoint that modifies user settings, try adding parameters related to roles or permissions (like role, permissions, or access_level).

  • Modification of Related Objects: Identify relationships between objects in the API. For instance, if a user can modify their profile, check if that request can also include changes to associated objects, such as linked accounts, payment methods, or preferences.
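The related-object case in the last bullet, as an added Python example that is not part of the original page: a schema-driven pruner for a hypothetical profile-update endpoint that keeps only allowlisted keys, recursing into nested objects and lists (preferences, linked payment methods), and returns the JSON path of every dropped key so it can be logged. The schema, field names and sample request are all constructed.

```python
import json

# Constructed schema for a hypothetical PUT /profile endpoint. True marks a
# scalar the account owner may set; a dict describes an allowed nested object;
# a one-element list describes a list of such objects. Unlisted keys are dropped.
PROFILE_UPDATE_SCHEMA = {
    "name": True,
    "preferences": {"newsletter": True, "language": True},
    "payment_methods": [{"label": True}],  # linked objects: only the label is editable
}


def _prune(data, schema, path, rejected):
    """Copy `data` keeping only what `schema` permits; record dropped paths."""
    if schema is True:
        return data
    if isinstance(schema, dict):
        if not isinstance(data, dict):
            rejected.append(path)  # wrong shape: drop the whole value
            return {}
        out = {}
        for key, value in data.items():
            child = f"{path}.{key}"
            if key in schema:
                out[key] = _prune(value, schema[key], child, rejected)
            else:
                rejected.append(child)
        return out
    if isinstance(schema, list):
        if not isinstance(data, list):
            rejected.append(path)
            return []
        return [_prune(item, schema[0], f"{path}[{i}]", rejected)
                for i, item in enumerate(data)]
    raise TypeError(f"bad schema node at {path}")


def sanitize_update(raw_body, schema=PROFILE_UPDATE_SCHEMA):
    """Parse a JSON request body and return (clean_update, rejected_paths).
    Only clean_update is ever applied to the stored object; the rejected
    paths are what you log and alert on."""
    rejected = []
    clean = _prune(json.loads(raw_body), schema, "$", rejected)
    return clean, rejected


# Constructed request that smuggles fields into nested and linked objects.
SAMPLE_REQUEST = json.dumps({
    "name": "alice",
    "org": "admin-org",
    "preferences": {"newsletter": False, "beta_features": True},
    "payment_methods": [{"label": "personal", "verified": True, "limit": 99999}],
})

if __name__ == "__main__":
    clean, rejected = sanitize_update(SAMPLE_REQUEST)
    print("apply:", clean)
    print("dropped:", rejected)
```

For the sample request the pruner keeps only `name`, `preferences.newsletter` and `payment_methods[0].label`, and reports `$.org`, `$.preferences.beta_features`, `$.payment_methods[0].verified` and `$.payment_methods[0].limit` as dropped. Values of the wrong shape (a string where an object is expected) are discarded whole rather than passed through, since a pass-through there is exactly where a framework's automatic binding would reach a field the schema never listed.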

Hunting for Mass Assignment

  1. Analyze the Target API Collection:

    • Review the API documentation or captured traffic to identify endpoints that:

      • Accept user input.

      • Allow modification of objects.

  2. Create a New Collection for Testing:

    • Set up a separate collection specifically for mass assignment testing to prevent unintentional modifications to the original API collection.

    • Duplicate Requests: Take interesting or relevant requests and duplicate them in your new collection.

  3. Understand Each Request's Purpose:

    • Understand the functionality of each request in the API collection.

  4. Test Various Endpoints:

    • Explore endpoints used for updating accounts, group information, user profiles, company profiles, etc.

    • Modify requests to test for potential mass assignment vulnerabilities by adding unexpected parameters.

  5. Analyze API Responses:

    • Observe the API’s responses to modified requests to determine if any indicate privilege escalation or unauthorized access.