| name | sc-mass-assignment |
| description | Mass assignment and over-posting detection — unfiltered request body binding to data models |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: Mass Assignment / Over-Posting
Purpose
Detects mass assignment vulnerabilities where HTTP request body fields are bound directly to data models without field filtering, allowing attackers to set fields they should not have access to (e.g., isAdmin, role, price, verified). Covers framework-specific patterns across all major web frameworks.
Activation
Called by sc-orchestrator during Phase 2 when web frameworks with model binding are detected.
Phase 1: Discovery
Keyword Patterns to Search
"req.body", "request.body", "request.POST", "request.data",
"@RequestBody", "[FromBody]", "$request->all()",
"Model.create(", "Model.update(", "Object.assign(",
"fillable", "guarded", "attr_accessible",
"ModelForm", "Serializer", "DTO"
Vulnerability Patterns
Node.js/Express:
app.post('/users', async (req, res) => {
const user = await User.create(req.body);
});
app.post('/users', async (req, res) => {
const user = await User.create({
name: req.body.name,
email: req.body.email
});
});
Django:
class UserForm(ModelForm):
class Meta:
model = User
fields = '__all__'
class UserForm(ModelForm):
class Meta:
model = User
fields = ['name', 'email', 'bio']
Laravel:
class User extends Model {
}
$user = User::create($request->all());
class User extends Model {
protected $fillable = ['name', 'email'];
}
Spring Boot:
@PostMapping("/users")
public User createUser(@ModelAttribute User user) {
return userRepository.save(user);
}
@PostMapping("/users")
public User createUser(@RequestBody CreateUserDTO dto) {
User user = new User();
user.setName(dto.getName());
user.setEmail(dto.getEmail());
return userRepository.save(user);
}
ASP.NET:
[HttpPost]
public IActionResult Create([FromBody] User user) {
_context.Users.Add(user);
}
[HttpPost]
public IActionResult Create([Bind("Name,Email")] User user) {
_context.Users.Add(user);
}
Severity Classification
- Critical: Mass assignment allowing role escalation to admin
- High: Setting price, verified status, or permissions via mass assignment
- Medium: Setting non-critical but unintended fields (profile fields of other users)
- Low: Mass assignment in admin-only endpoints or internal tools
Output Format
Finding: MASS-{NNN}
- Title: Mass Assignment in {endpoint/model}
- Severity: Critical | High | Medium | Low
- Confidence: 0-100
- File: file/path:line
- Vulnerability Type: CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
- Description: Request body is bound to {model} without field filtering at {endpoint}.
- Impact: Privilege escalation, data manipulation, unauthorized field modification.
- Remediation: Use allowlist of permitted fields, DTOs, or framework-specific protection ($fillable, fields=[], [Bind]).
- References: https://cwe.mitre.org/data/definitions/915.html
Common False Positives
- DTO/ViewModel patterns — request bound to DTO that only has safe fields
- Admin endpoints — admin users may legitimately set all fields
- $fillable properly set — Laravel model with restrictive $fillable array
- Zod/Joi validation — schema validation stripping unknown fields before model creation