원클릭으로
sc-mass-assignment
Mass assignment and over-posting detection — unfiltered request body binding to data models
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Mass assignment and over-posting detection — unfiltered request body binding to data models
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-mass-assignment |
| description | Mass assignment and over-posting detection — unfiltered request body binding to data models |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects mass assignment vulnerabilities where HTTP request body fields are bound directly to data models without field filtering, allowing attackers to set fields they should not have access to (e.g., isAdmin, role, price, verified). Covers framework-specific patterns across all major web frameworks.
Called by sc-orchestrator during Phase 2 when web frameworks with model binding are detected.
"req.body", "request.body", "request.POST", "request.data",
"@RequestBody", "[FromBody]", "$request->all()",
"Model.create(", "Model.update(", "Object.assign(",
"fillable", "guarded", "attr_accessible",
"ModelForm", "Serializer", "DTO"
Node.js/Express:
// VULNERABLE: Spread all body fields into create
app.post('/users', async (req, res) => {
const user = await User.create(req.body);
// If body = { name: "hacker", email: "...", role: "admin" }
// Attacker becomes admin!
});
// SAFE: Pick only allowed fields
app.post('/users', async (req, res) => {
const user = await User.create({
name: req.body.name,
email: req.body.email
});
});
Django:
# VULNERABLE: ModelForm without fields restriction
class UserForm(ModelForm):
class Meta:
model = User
fields = '__all__' # Includes is_staff, is_superuser!
# SAFE: Explicit field list
class UserForm(ModelForm):
class Meta:
model = User
fields = ['name', 'email', 'bio']
Laravel:
// VULNERABLE: No $fillable or $guarded
class User extends Model {
// All fields are mass-assignable!
}
$user = User::create($request->all());
// SAFE: Define fillable fields
class User extends Model {
protected $fillable = ['name', 'email'];
}
Spring Boot:
// VULNERABLE: Binding all request params to model
@PostMapping("/users")
public User createUser(@ModelAttribute User user) {
return userRepository.save(user);
}
// SAFE: Use DTO
@PostMapping("/users")
public User createUser(@RequestBody CreateUserDTO dto) {
User user = new User();
user.setName(dto.getName());
user.setEmail(dto.getEmail());
return userRepository.save(user);
}
ASP.NET:
// VULNERABLE: Binding all properties
[HttpPost]
public IActionResult Create([FromBody] User user) {
_context.Users.Add(user);
}
// SAFE: Use [Bind] attribute or DTO
[HttpPost]
public IActionResult Create([Bind("Name,Email")] User user) {
_context.Users.Add(user);
}