Mass Assignment

Mass Assignment (also called autobinding or object injection) is a vulnerability in which a framework automatically binds HTTP request parameters to the properties of an object, typically a model, without filtering which properties the caller is allowed to set. An attacker who can guess or discover the names of internal fields can set properties they should never control, such as a role flag, a price, or an owner ID.

How It Works

Many frameworks map request parameters to model attributes by name. If developers don't explicitly allowlist the parameters each endpoint may set, an attacker can add extra fields to the request to modify sensitive properties such as roles, prices, or ownership. Field names are easy to guess (is_admin, role, user_id) and are often leaked by API responses, error messages, documentation, or client-side code, so obscurity of the attribute name is not a defense.

Example

// Normal registration request
POST /register
{"username": "user", "email": "user@example.com", "password": "secret"}

// Attack: Include unauthorized field
POST /register
{"username": "user", "email": "user@example.com", "password": "secret",
 "is_admin": true}

// If the User model has an is_admin attribute and nothing filters the
// incoming parameters, the attacker registers as an administrator.

Vulnerable Framework Patterns

// Ruby on Rails: a raw parameter hash passed straight to the model.
// Since Rails 4 an unpermitted ActionController::Parameters object raises
// ActiveModel::ForbiddenAttributesError, so the live variants are Rails 3
// without attr_accessible, params.permit!, or params[:user].to_unsafe_h.
User.new(params[:user])

// Node.js with Mongoose: any field defined in the schema, including
// is_admin, is bound from the body (strict mode only drops fields that
// are not in the schema at all).
User.create(req.body)

// PHP Laravel: Eloquent guards every attribute by default, so this is
// exploitable when the model sets protected $guarded = [], calls
// Model::unguard(), or lists a sensitive attribute in $fillable.
User::create($request->all())

Prevention

  • Rails: Use Strong Parameters - params.require(:user).permit(:name, :email) - and never call permit! on user-controlled parameters
  • Laravel: Define $fillable on models; $guarded = [] turns protection off for every attribute
  • General: Explicitly allowlist allowed fields per endpoint, not per model; a self-service form and an admin form should not share one list
  • Use DTOs (Data Transfer Objects) for input binding so the request is copied into a type with only the fields that endpoint accepts, then mapped to the model
  • Never trust client-supplied data for sensitive fields: set role, price, and owner server-side, and enforce authorization in addition to field filtering
  • Prefer allowlists over denylists; a denylist silently exposes every attribute added to the model later
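The registration attack above and the allowlist/DTO advice in this section, as an added example that is not code from the original page or from any framework it names. It uses a constructed in-memory User schema and a hypothetical registration handler so it runs offline; the vulnerable path binds every schema field found in the body, which is what User.create(req.body) does for fields the schema defines.

```javascript
// Added example: mass assignment in a minimal Node-style model, with the
// vulnerable binding beside two allowlist-based defenses.

// Constructed schema: every field the User model would persist. is_admin,
// role and owner_id must never be settable from an unauthenticated request.
const USER_SCHEMA = ['username', 'email', 'password', 'is_admin', 'role', 'owner_id'];

// Fields the self-service registration endpoint is allowed to set (DTO shape).
const REGISTRATION_ALLOWED = ['username', 'email', 'password'];

// Server-side defaults for privileged fields; the client never decides these.
const SERVER_DEFAULTS = { is_admin: false, role: 'user' };

// Vulnerable: copies every schema field present in the body onto the model,
// the equivalent of User.create(req.body) with is_admin in the schema.
function createUserVulnerable(body) {
  const user = { ...SERVER_DEFAULTS };
  for (const field of USER_SCHEMA) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      user[field] = body[field];
    }
  }
  return user;
}

// Defense 1: build a DTO from an explicit allowlist (the strong-parameters
// idea). Anything not listed is dropped before the model ever sees it.
function pickAllowed(body, allowed) {
  const dto = {};
  for (const field of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      dto[field] = body[field];
    }
  }
  return dto;
}

function createUserHardened(body) {
  const dto = pickAllowed(body, REGISTRATION_ALLOWED);
  // Defaults come first; dto cannot override them because the allowlist
  // never contains a privileged field.
  return { ...SERVER_DEFAULTS, ...dto };
}

// Defense 2 (for APIs that prefer failing loudly): report unexpected fields
// so the handler can return 400 instead of silently discarding them.
function unexpectedFields(body, allowed) {
  return Object.keys(body).filter((k) => !allowed.includes(k));
}

// Practitioner check: an allowlist that contains a privileged field is the
// classic regression (an admin form's list reused for self-service).
const PRIVILEGED = ['is_admin', 'role', 'owner_id'];
function auditAllowlist(allowed) {
  return allowed.filter((f) => PRIVILEGED.includes(f));
}

// The attack payload from the page (constructed input).
const ATTACK_BODY = {
  username: 'user',
  email: 'user@example.com',
  password: 'secret',
  is_admin: true,
};

function demo() {
  return {
    vulnerable: createUserVulnerable(ATTACK_BODY),
    hardened: createUserHardened(ATTACK_BODY),
    rejected: unexpectedFields(ATTACK_BODY, REGISTRATION_ALLOWED),
    badAllowlist: auditAllowlist(['email', 'role']),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable path returning a user with is_admin set to true, the hardened path returning is_admin false with the three permitted fields intact, unexpectedFields naming is_admin as the extra key, and auditAllowlist flagging role in the deliberately bad list. The allowlist lives with the endpoint rather than the model, which is the point of the per-endpoint advice above.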
