Mass Assignment vulnerability
Notes from Hacking API by Corey J. Ball
What?
Occurs when we can add parameters to a request that the API did not intend to accept but that the server nonetheless processes. This can be used to modify server-side variables and data and to edit objects.
Where to look for?
Every request that requires user input, for example:
Edit profile
User management
Client management
Account registration
Account registration
Try to add a value such as admin:true when registering an account. See if you can create an admin account or elevate your account to a privileged role. Compare how a low-privilege vs a high-privilege user is created. How does the API provider identify that an account has an administrative role? Can you manipulate the entries and data to make yourself an administrator?
Unauthorized access
Add yourself to another group and see if you can access resources from the other group/organization.
Identify Mass Assignment variables and requests
Try to identify mass assignment variables by fuzzing unknown parameters: guess, based on a wordlist, which parameters the web server might handle.
In the example below, the testers include multiple possible fields in an attempt to elevate the registering user to an admin role.
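As an added illustration (not the book's example) of why those extra fields matter on the server side: a registration handler that copies every submitted JSON key into the new user record, beside one that accepts only an allowlist of fields and reports whatever it rejected so it can be logged. The user schema, field names and sample request are assumptions for this example.

```python
import json

# Constructed sample request body: the legitimate registration fields plus
# several privilege-related keys of the kind a tester adds during fuzzing.
SAMPLE_REQUEST = json.dumps({
    "username": "alice",
    "email": "alice@example.com",
    "password": "correct horse battery staple",
    "admin": True,
    "role": "administrator",
    "org_id": 1,
})

# Assumed schema: only these fields may ever be set from client input.
ALLOWED_FIELDS = {"username", "email", "password"}


def new_user_record() -> dict:
    """Server-side defaults that the client must never be able to override."""
    return {"admin": False, "role": "user", "org_id": None}


def register_vulnerable(body: str) -> dict:
    """Mass assignment: binds the whole JSON object onto the user record."""
    user = new_user_record()
    user.update(json.loads(body))  # every client-supplied key lands in the record
    return user


def register_hardened(body: str) -> tuple[dict, list[str]]:
    """Allowlist binding; returns the record plus the rejected keys for logging."""
    data = json.loads(body)
    rejected = sorted(k for k in data if k not in ALLOWED_FIELDS)
    user = new_user_record()
    user.update({k: data[k] for k in ALLOWED_FIELDS if k in data})
    return user, rejected


if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(SAMPLE_REQUEST))
    user, rejected = register_hardened(SAMPLE_REQUEST)
    print("hardened:", user)
    print("rejected keys (log/alert on these):", rejected)
```

The rejected-key list is the detection hook: a registration request carrying keys like admin or role is worth alerting on even when the allowlist already discards them.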
Arjun tool
The tool Arjun can be used to identify existing parameters by fuzzing the requests sent to the server with a large parameter list. Arjun supports GET/POST/JSON/XML methods. See the documentation for more detail.
Identifying hidden parameters can give a malicious user another attack vector. Check for parameters that the server might handle; some of them may not be apparent when using the web application as intended.
Testing methods
Use Burp Suite Intruder to send requests to the server using different methods and observe how the API responds.