# Mass Assignment
A vulnerability where applications automatically bind HTTP request parameters to internal object properties without proper filtering, allowing attackers to modify sensitive fields like roles, prices, or account status.
Severity: Medium | Privilege Escalation | Parameter Tampering
## What is Mass Assignment?
Category: Authorization Bypass
Mass Assignment allows attackers to modify object properties they shouldn't access by simply adding extra parameters to requests. It's a common vulnerability in modern frameworks that automatically map request data to models.
In Simple Terms:
Imagine filling out a form at the DMV for a driver's license. The form has fields for your name, address, and photo. But what if you could add an extra checkbox: "Make me a police officer: ☑️"
Mass Assignment is when the system blindly accepts ANY field you add to the form, even fields that should be admin-only or system-internal.
## Common Attacks
### 1. Privilege Escalation
Vulnerable Code:
```python
from flask import Flask, request
from models import User, db  # assumed: the app's ORM model and session

app = Flask(__name__)

@app.route('/register', methods=['POST'])
def register():
    user = User()
    # VULNERABLE: assigns ALL request data, including is_admin and role
    for key, value in request.json.items():
        setattr(user, key, value)
    db.session.add(user)
    db.session.commit()
    return {'status': 'created'}, 201
```
Attack:
```json
{
  "username": "attacker",
  "email": "attacker@evil.com",
  "password": "password123",
  "is_admin": true,
  "role": "admin"
}
```
Result: Attacker creates admin account!
### 2. Price Manipulation
Vulnerable Code:
```javascript
const express = require('express');
const Order = require('./models/order'); // assumed: the app's ORM model
const app = express().use(express.json());
app.post('/checkout', async (req, res) => {
  const order = new Order(req.body); // VULNERABLE: binds every body field, price included
  await order.save();
  res.status(201).json(order);
});
```
Attack:
```json
{
  "product_id": 123,
  "quantity": 1,
  "price": 0.01,
  "discount": 99.99
}
```
Result: $1000 product purchased for $0.01!
## Prevention
### 1. Whitelist Allowed Fields
```python
from flask import Flask, request
from models import User, db  # assumed: the app's ORM model and session

app = Flask(__name__)

# Allow-list: only these request keys are ever copied onto the model
ALLOWED_FIELDS = ['username', 'email', 'password']

@app.route('/register', methods=['POST'])
def register():
    user = User()
    for key in ALLOWED_FIELDS:
        if key in request.json:
            setattr(user, key, request.json[key])
    db.session.add(user)
    db.session.commit()
    return {'status': 'created'}, 201
```
### 2. Use Form Objects
```javascript
const express = require('express');
const User = require('./models/user'); // assumed: the app's ORM model
const app = express().use(express.json());

class UserRegistrationDTO {
  constructor(data) {
    // Only explicitly defined fields are copied; is_admin, role, etc. are dropped
    this.username = data.username;
    this.email = data.email;
    this.password = data.password;
  }
}

app.post('/register', async (req, res) => {
  const userData = new UserRegistrationDTO(req.body);
  const user = await User.create(userData);
  res.status(201).json({ id: user.id });
});
```
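The vulnerable and allow-listed bindings side by side, as an added example that is not the page's own code: a plain Python stand-in for the ORM model, the page's registration attack payload, and an allow-list binder that also type-checks each field and reports the keys it dropped so they can be logged (the `User` dataclass and the function names are assumptions).

```python
from dataclasses import dataclass

# Assumption: a minimal stand-in for the page's ORM User model.
@dataclass
class User:
    username: str = ""
    email: str = ""
    password: str = ""
    is_admin: bool = False   # server-controlled; must never come from a request
    role: str = "user"       # server-controlled

# Allow-list: request key -> expected type. Any other key is dropped.
REGISTRATION_FIELDS = {"username": str, "email": str, "password": str}

def bind_unsafe(user, payload):
    """The pattern from the vulnerable block: every key is assigned."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user

def bind_allowlisted(user, payload, allowed=REGISTRATION_FIELDS):
    """Assign only allow-listed keys whose value has the expected type.
    Returns (user, rejected); 'rejected' lists the ignored keys so the
    caller can log them as a parameter-tampering signal."""
    rejected = []
    for key, value in payload.items():
        expected = allowed.get(key)
        if expected is None or not isinstance(value, expected):
            rejected.append(key)
            continue
        setattr(user, key, value)
    return user, rejected

# Constructed payload: the page's registration attack.
ATTACK_PAYLOAD = {
    "username": "attacker",
    "email": "attacker@evil.com",
    "password": "password123",
    "is_admin": True,
    "role": "admin",
}

def demo():
    """Bind the attack payload both ways and return what each produced."""
    unsafe = bind_unsafe(User(), ATTACK_PAYLOAD)
    safe, rejected = bind_allowlisted(User(), ATTACK_PAYLOAD)
    return unsafe.is_admin, safe.is_admin, safe.role, rejected
```

`demo()` returns `(True, False, 'user', ['is_admin', 'role'])`: the unsafe binder grants admin, the allow-listed one keeps the server defaults and names the two tampered keys.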
## Security Checklist
- Never bind request data directly to models
- Use explicit whitelists for allowed fields
- Use DTO/Form objects
- Mark sensitive fields as non-assignable
- Validate field types and values
- Test with extra parameters
- Use framework protection (strong_parameters in Rails)
Last Updated: November 2025