How a Mass Assignment Vulnerability Impacts Modern Systems

API Mass Assignment: Definition and Examples

Nov 25, 2022

6 min read

Sudip Sengupta


API security is a key consideration for modern software enterprises, since attackers abuse API vulnerabilities in a wide range of exploits. Among the critical API security risks, the API Mass Assignment vulnerability (OWASP API 6:2019) arises when an application binds client-provided input to its data models without filtering it against a whitelist of writable properties. Attackers leverage this flaw to modify object properties they should not be able to reach, by guessing internal object property names, consulting product documentation, or simply adding extra object properties to request bodies.

This article discusses the impacts of API mass assignment vulnerability on modern application delivery, common examples, and possible prevention measures.

What is a Mass Assignment Vulnerability?

OWASP classifies the API mass assignment vulnerability as an input validation flaw that allows attackers to perform advanced attacks by manipulating payload data. The threat arises when API endpoints save a request body as-is instead of extracting the expected request parameters one by one. Malicious users typically exploit the flaw to initialize or overwrite server-side parameters that the developers never intended to expose.

A common development practice is to create a copy of the incoming request and save it in a database, as it seems appropriate for internal object sharing. However, the approach leads to a risky configuration since attackers can decipher the properties
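The two patterns described above, side by side, as an added illustration that is not code from the original article: a handler that copies every key of the request body onto the model, next to a hardened handler that binds only allow-listed, correctly typed fields. The `User` model, the handler names, `PROFILE_WRITABLE` and the sample request bodies are constructed for this example.

```python
"""Mass assignment: request body bound straight onto a model vs. an allow-list.

Added illustration; not code from the original article. Names (User,
update_profile_unsafe, update_profile_safe, PROFILE_WRITABLE) and the sample
request bodies are constructed for this example.
"""
from dataclasses import dataclass, asdict
from typing import Any, Mapping


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False   # server-managed: must never be client-writable
    credit: int = 0          # server-managed


def update_profile_unsafe(user: User, body: Mapping[str, Any]) -> User:
    """Vulnerable pattern: copy every key of the JSON body onto the model.

    hasattr() only checks that the attribute exists, so any property a client
    can guess (e.g. ``is_admin``) is overwritten along with the legitimate ones.
    """
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# Allow-list for the profile-update endpoint: field name -> expected type.
PROFILE_WRITABLE: dict[str, type] = {"username": str, "email": str}


def update_profile_safe(user: User, body: Mapping[str, Any],
                        writable: Mapping[str, type] = PROFILE_WRITABLE,
                        reject_unknown: bool = True) -> User:
    """Hardened pattern: bind only allow-listed, correctly typed fields.

    Unknown keys are rejected (or silently dropped when reject_unknown=False),
    so server-managed properties cannot be reached from the request body.
    """
    unknown = sorted(set(body) - set(writable))
    if unknown and reject_unknown:
        raise ValueError(f"unexpected fields in request body: {unknown}")
    for key, expected in writable.items():
        if key not in body:
            continue
        value = body[key]
        # exact type check: bool is a subclass of int, so isinstance() is too loose
        if type(value) is not expected:
            raise TypeError(f"field {key!r} must be {expected.__name__}")
        setattr(user, key, value)
    return user


# Constructed request bodies: a legitimate edit and one carrying extra keys.
LEGIT_BODY = {"username": "alice", "email": "alice@example.com"}
TAMPERED_BODY = {"username": "alice", "email": "alice@example.com",
                 "is_admin": True, "credit": 10_000}


def demo() -> dict[str, Any]:
    """Run both handlers on the tampered body and return the resulting state."""
    unsafe = update_profile_unsafe(User("alice", "old@example.com"), TAMPERED_BODY)
    safe_lenient = update_profile_safe(User("alice", "old@example.com"),
                                       TAMPERED_BODY, reject_unknown=False)
    try:
        update_profile_safe(User("alice", "old@example.com"), TAMPERED_BODY)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return {"unsafe": asdict(unsafe), "safe_lenient": asdict(safe_lenient),
            "strict_rejected": strict_rejected}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

Running the module shows the unsafe handler ending up with `is_admin=True` and `credit=10000` from a single profile edit, while the allow-listed handler either drops the extra keys or, in strict mode, rejects the request outright. Rejecting rather than silently dropping is the better default for a public API: it produces a log-worthy error that a detection rule can key on, instead of letting probing for hidden property names go unnoticed.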
